Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

60 Days of Data Days! Live and on-demand sessions, challenges, study groups and more! And it's all FREE!. Join now. Learn more

Reply
YashMoroliya
Regular Visitor

Microsoft Fabric GraphQL API returns 403 Forbidden - ServicePrincipalIsNotAllowedByTenantAdminSwitch

Hi Everyone, 

We have verified the integration from our side.

Access token is generated successfully using the provided Client ID, Client Secret, and Tenant ID.
The token audience is https://api.fabric.microsoft.com.
The GraphQL request is sent with a valid Bearer token.

However, the API returns 403 Forbidden with the response header:

X-PowerBI-Error-Info: ServicePrincipalIsNotAllowedByTenantAdminSwitch
Thanks

1 ACCEPTED SOLUTION
Ugk161610
Super User
Super User

Hi,

Thanks for the details — good news is this isn't an issue with your setup. The fact that token generation worked fine with your Client ID/Secret/Tenant ID means your app registration is correct.

 

The ServicePrincipalIsNotAllowedByTenantAdminSwitch error just means your tenant admin hasn't flipped the switch yet that lets service principals call the Fabric APIs at all. It's a tenant-wide setting, not something on your end.

 

Here's what needs to happen:

Someone with tenant admin rights needs to go to the Power BI Admin Portal → Tenant settings → Developer settings, and turn on "Service principals can use Fabric APIs" (some tenants still show it as the older "Power BI APIs" wording). They can either enable it for the whole org, or restrict it to a specific security group — in which case your service principal needs to be added to that group.

 

A couple of things to keep in mind once that's turned on:

  • It can take up to 15 mins (sometimes a bit longer) to actually kick in, so don't panic if it doesn't work instantly.
  • Even after that setting is on, your service principal still needs to be added as a member/contributor on the actual workspace you're trying to hit — the tenant switch just opens the door, workspace permissions control what's actually inside.
  • If you're calling the Fabric GraphQL API specifically (not the older Power BI REST API), double check there isn't a separate Fabric-specific toggle for it, since some tenants split these out.

     

    Hope this helps! A couple of quick asks if it does:

    • Drop a Kudos if this pointed you in the right direction
    • If it solves things, please mark it as the accepted solution — helps others hitting the same error find it faster
    • Also, come hang out on the Fabric Discord if you're not already there

      ugk161610,
      Proud Fabric Super User 🙂

View solution in original post

5 REPLIES 5
v-sathmakuri
Community Support
Community Support

Hi @YashMoroliya ,

 

Thanks for reaching out to fabric community. 

 

Thank you @Murtaza_Ghafoor , @Ugk161610 , @tayloramy  and @Parchitect for the prompt response.

 

Could you please confirm whether the provided solution helped in resolving the issue. If you have any further questions please feel free to reach out to us.

 

Thanks!!

Murtaza_Ghafoor
Super User
Super User

@YashMoroliya 

Root Cause:

The Fabric/Power BI Tenant Admin has not enabled service principals for Fabric APIs, or most probably your service principal is not included in the allowed security group.
First of all you need to check these settings, first one from fabric admin settings, second one check the permission from service principal security settings.
Why this is happening

When a service principal calls the Fabric GraphQL endpoint, Fabric checks the tenant settings before checking permissions. If the tenant switch is disabled, it immediately returns this error:

If this helps, ✓ Mark as Kudos | Help Others

Proud to be a Super User

Ugk161610
Super User
Super User

Hi,

Thanks for the details — good news is this isn't an issue with your setup. The fact that token generation worked fine with your Client ID/Secret/Tenant ID means your app registration is correct.

 

The ServicePrincipalIsNotAllowedByTenantAdminSwitch error just means your tenant admin hasn't flipped the switch yet that lets service principals call the Fabric APIs at all. It's a tenant-wide setting, not something on your end.

 

Here's what needs to happen:

Someone with tenant admin rights needs to go to the Power BI Admin Portal → Tenant settings → Developer settings, and turn on "Service principals can use Fabric APIs" (some tenants still show it as the older "Power BI APIs" wording). They can either enable it for the whole org, or restrict it to a specific security group — in which case your service principal needs to be added to that group.

 

A couple of things to keep in mind once that's turned on:

  • It can take up to 15 mins (sometimes a bit longer) to actually kick in, so don't panic if it doesn't work instantly.
  • Even after that setting is on, your service principal still needs to be added as a member/contributor on the actual workspace you're trying to hit — the tenant switch just opens the door, workspace permissions control what's actually inside.
  • If you're calling the Fabric GraphQL API specifically (not the older Power BI REST API), double check there isn't a separate Fabric-specific toggle for it, since some tenants split these out.

     

    Hope this helps! A couple of quick asks if it does:

    • Drop a Kudos if this pointed you in the right direction
    • If it solves things, please mark it as the accepted solution — helps others hitting the same error find it faster
    • Also, come hang out on the Fabric Discord if you're not already there

      ugk161610,
      Proud Fabric Super User 🙂

tayloramy
Super User
Super User

Hi @YashMoroliya

 

This is a configuration that your Fabric Admin needs to change. In the admin portal, the tenant setting for "service principals can use admin APIs" needs to be turned on. 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Join the Fabric Discord!

Proud to be a Super User!





Parchitect
Solution Sage
Solution Sage

Hi @YashMoroliya,
The response header names the exact cause: the tenant switch that allows service principals to call Fabric APIs is either off or doesn't cover your app. Your token being valid is expected — Entra issues it regardless of Fabric settings; the 403 comes from Fabric's own authorization layer checking that switch.

 
The fix needs a Fabric administrator: Admin portal → Tenant settings → Developer settings → enable Service principals can use Fabric APIs → Apply. If your admin says it's already enabled, ask whether it's scoped to specific security groups rather than the whole organization — in that case the app registration must be a member of one of those groups. Give it a few minutes to propagate after changes.
 
Once you're past the switch, the service principal needs two more things, or you'll trade this 403 for another one: Execute permission on the GraphQL item (Manage permissions on the API item → Add user → your app → Run Queries and Mutations) plus read access to the underlying Lakehouse. The simpler route for dev/test is adding the app registration as a workspace Contributor, which covers both the API and the data source in one step.
One thing not to do: don't go adding API permissions or scopes on the app registration in Entra — service principals don't use delegated permissions for this scenario, and all authorization is managed inside Fabric. Your scope (audience https://api.fabric.microsoft.com) is already correct, so no change needed on the token side.
 
 
AI disclosure: Microsoft Copilot was used to help with wording/structure. The technical answer was manually reviewed and validated against the Microsoft Learn reference above(The full walkthrough link)

Helpful resources

Announcements
FabCon and SQLCon Barcelona 2026

FabCon & SQLCon – Barcelona 2026

Join us in Barcelona for FabCon and SQLCon, the Fabric, Power BI, SQL, and AI community event. Save €200 with code FABCMTY200.

60 days of Data Days Carousel

Data Days 2026

Join Data Days 2026: 60 days of free live/on-demand sessions, challenges, study groups, and certification opportunities.