Get certified for free when you join Fabric Data Days 2026 and dive into Fabric, Power BI, SQL, AI, and other essential data skills.
Join now60 Days of Data Days! Live and on-demand sessions, challenges, study groups and more! And it's all FREE!. Join now. Learn more
Hi Everyone,
We have verified the integration from our side.
Access token is generated successfully using the provided Client ID, Client Secret, and Tenant ID.
The token audience is https://api.fabric.microsoft.com.
The GraphQL request is sent with a valid Bearer token.
However, the API returns 403 Forbidden with the response header:
X-PowerBI-Error-Info: ServicePrincipalIsNotAllowedByTenantAdminSwitch
Thanks
Solved! Go to Solution.
Hi,
Thanks for the details — good news is this isn't an issue with your setup. The fact that token generation worked fine with your Client ID/Secret/Tenant ID means your app registration is correct.
The ServicePrincipalIsNotAllowedByTenantAdminSwitch error just means your tenant admin hasn't flipped the switch yet that lets service principals call the Fabric APIs at all. It's a tenant-wide setting, not something on your end.
Here's what needs to happen:
Someone with tenant admin rights needs to go to the Power BI Admin Portal → Tenant settings → Developer settings, and turn on "Service principals can use Fabric APIs" (some tenants still show it as the older "Power BI APIs" wording). They can either enable it for the whole org, or restrict it to a specific security group — in which case your service principal needs to be added to that group.
A couple of things to keep in mind once that's turned on:
Hope this helps! A couple of quick asks if it does:
ugk161610,
Proud Fabric Super User 🙂
Hi @YashMoroliya ,
Thanks for reaching out to fabric community.
Thank you @Murtaza_Ghafoor , @Ugk161610 , @tayloramy and @Parchitect for the prompt response.
Could you please confirm whether the provided solution helped in resolving the issue. If you have any further questions please feel free to reach out to us.
Thanks!!
Root Cause:
The Fabric/Power BI Tenant Admin has not enabled service principals for Fabric APIs, or most probably your service principal is not included in the allowed security group.
First of all you need to check these settings, first one from fabric admin settings, second one check the permission from service principal security settings.
Why this is happening
When a service principal calls the Fabric GraphQL endpoint, Fabric checks the tenant settings before checking permissions. If the tenant switch is disabled, it immediately returns this error:
If this helps, ✓ Mark as Kudos | Help Others
Proud to be a Super User
Hi,
Thanks for the details — good news is this isn't an issue with your setup. The fact that token generation worked fine with your Client ID/Secret/Tenant ID means your app registration is correct.
The ServicePrincipalIsNotAllowedByTenantAdminSwitch error just means your tenant admin hasn't flipped the switch yet that lets service principals call the Fabric APIs at all. It's a tenant-wide setting, not something on your end.
Here's what needs to happen:
Someone with tenant admin rights needs to go to the Power BI Admin Portal → Tenant settings → Developer settings, and turn on "Service principals can use Fabric APIs" (some tenants still show it as the older "Power BI APIs" wording). They can either enable it for the whole org, or restrict it to a specific security group — in which case your service principal needs to be added to that group.
A couple of things to keep in mind once that's turned on:
Hope this helps! A couple of quick asks if it does:
ugk161610,
Proud Fabric Super User 🙂
Hi @YashMoroliya,
This is a configuration that your Fabric Admin needs to change. In the admin portal, the tenant setting for "service principals can use admin APIs" needs to be turned on.
Proud to be a Super User! | |
Hi @YashMoroliya,
The response header names the exact cause: the tenant switch that allows service principals to call Fabric APIs is either off or doesn't cover your app. Your token being valid is expected — Entra issues it regardless of Fabric settings; the 403 comes from Fabric's own authorization layer checking that switch.
| User | Count |
|---|---|
| 9 | |
| 5 | |
| 5 | |
| 4 | |
| 4 |
| User | Count |
|---|---|
| 35 | |
| 24 | |
| 21 | |
| 14 | |
| 13 |