Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
Anshid_K
Regular Visitor

Connecting Fabric Data Agent via Service Principal or Managed Identities

‎07-22-2025 09:39 AM

I am trying to build a webapp hosted in azure, with the Fabric Data Agent as a part of it. Locally I used interactive browser authentication to retrieve the user token, but some sources online mentioned that such connection will not work while it's on web. Are there any other way to establish a user connection to fabric data agent from my app? Can we use service principal or Managed Identities for authentication?

Labels:
Message 1 of 9
839 Views
1 ACCEPTED SOLUTION
v-hashadapu
Community Support
Community Support
In response to Anshid_K

‎07-24-2025 05:03 AM

Hi @Anshid_K , Thank you for reaching out to the Microsoft Community Forum.

 

You're correct, this setup does conflict with user-level access control. And no, there is currently no supported way to generate or use user-specific tokens with the Fabric Data Agent. The agent only supports preconfigured connections using static credentials and does not support delegated authentication or identity passthrough from users.

 

If you need user-level access, it has to be enforced after the data reaches Fabric, for example, through row-level security (RLS) in Power BI or logic within Fabric workloads. The agent itself cannot enforce per-user access at the source.

 

How to access on-premises data sources in Data Factory - Microsoft Fabric | Microsoft Learn

Fabric data agent creation (preview) - Learn how to create a Fabric data agent | Microsoft Learn

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

View solution in original post

Message 6 of 9
743 Views
0
8 REPLIES 8
v-hashadapu
Community Support
Community Support

‎08-04-2025 04:07 AM

Hi @Anshid_K , Hope you're doing okay! May we know if it worked for you, or are you still experiencing difficulties? Let us know — your feedback can really help others in the same situation.

Message 9 of 9
422 Views
0
v-hashadapu
Community Support
Community Support

‎07-31-2025 05:32 AM

Hi @Anshid_K , Hope you're doing fine. Can you confirm if the problem is solved or still persists? Sharing your details will help others in the community.

Message 8 of 9
550 Views
0
v-hashadapu
Community Support
Community Support

‎07-28-2025 12:23 AM

HI @Anshid_K , hope you are doing great. May we know if your issue is solved or if you are still experiencing difficulties. Please share the details as it will help the community, especially others with similar issues.

Message 7 of 9
629 Views
v-hashadapu
Community Support
Community Support

‎07-22-2025 09:55 PM

Hi @Anshid_K , Thank you for reaching out to the Microsoft Community Forum.

 

Relying on interactive browser authentication won’t work, it’s meant for local development, not production environments. In a deployed scenario, you’ll need to switch to a non-interactive authentication method.

 

If your web app runs on an Azure service like App Service or Azure Functions, using Managed Identity is the simplest and most secure approach. It avoids storing any credentials and integrates cleanly with Azure’s identity system. If Managed Identity isn’t available in your setup, you can use a Service Principal, just be sure to register the app in Azure AD, assign it the right API permissions and either configure a client secret or certificate for authentication.

 

Once your app has an identity, it needs to request an access token scoped to Microsoft Fabric. You can use the Azure Identity client library for Python | Microsoft Learn to do this. That token can then be used to call Fabric APIs or trigger workloads like dataflows, pipelines or notebooks.

 

For Fabric to accept calls from your app, make sure the service principal or managed identity has the right permissions in the Fabric workspace. Also, in the Fabric admin portal, you need to explicitly enable service principal access to APIs. Keep in mind that the Fabric Data Agent manages access to on-premises data sources and that access is controlled through credentials stored in the gateway connection, not from your web app directly.

 

Please refer:

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

Enable service principal authentication for admin APIs - Microsoft Fabric | Microsoft Learn

Embed Power BI content in an embedded analytics application with service principal and an applicatio...

Message 2 of 9
809 Views
0
Anshid_K
Regular Visitor
In response to v-hashadapu

‎07-23-2025 03:39 AM

Hi @v-hashadapu ,

Thank you for quick reply. But in another discussion: Solved: Does Fabric Data agent support Managed Identity or... - Microsoft Fabric Community, it is mentioned that the service principal connection feature is still not realeased. Can you clarify on this matter as well.

Message 3 of 9
793 Views
0
v-hashadapu
Community Support
Community Support
In response to Anshid_K

‎07-23-2025 09:54 PM

Hi @Anshid_K , Thank you for reaching out to the Microsoft Community Forum.

 

Sorry for the confusion in my earlier answer. While service principals and managed identities can be used to authenticate your app to call Fabric REST APIs, for example, to trigger a pipeline or notebook, they cannot be used to establish a user connection through the Fabric Data Agent. The agent still relies entirely on credentials configured within the gateway connection itself and app identities can’t be delegated through it.

 

So please design your web app to authenticate using a service principal or managed identity, but instead of trying to directly access the on premises data, have it trigger a Fabric pipeline or notebook that uses a preconfigured gateway connection. That pipeline or notebook will then access the on-premises data through the agent using the stored credentials securely and within the current supported architecture. This avoids interactive login and keeps your solution production-ready.

Message 4 of 9
757 Views
0
Anshid_K
Regular Visitor
In response to v-hashadapu

‎07-24-2025 12:07 AM

Thanks @v-hashadapu  for addressing the issue. This was a solution we had in mind. But this conflicts the idea of user level access management since we are using a pre configured connection with a fixed privileges. Is there any way to generate user specific tokens to interact with fabric data agent?

Message 5 of 9
748 Views
0
v-hashadapu
Community Support
Community Support
In response to Anshid_K

‎07-24-2025 05:03 AM

Hi @Anshid_K , Thank you for reaching out to the Microsoft Community Forum.

 

You're correct, this setup does conflict with user-level access control. And no, there is currently no supported way to generate or use user-specific tokens with the Fabric Data Agent. The agent only supports preconfigured connections using static credentials and does not support delegated authentication or identity passthrough from users.

 

If you need user-level access, it has to be enforced after the data reaches Fabric, for example, through row-level security (RLS) in Power BI or logic within Fabric workloads. The agent itself cannot enforce per-user access at the source.

 

How to access on-premises data sources in Data Factory - Microsoft Fabric | Microsoft Learn

Fabric data agent creation (preview) - Learn how to create a Fabric data agent | Microsoft Learn

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

Message 6 of 9
744 Views
0

Helpful resources

Announcements
Fabric July 2025 Monthly Update Carousel

Fabric Monthly Update - July 2025

Check out the July 2025 Fabric update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All