vivien57
Helper V

Admin API - All access for tenant ? (independent of resource rights)

Hello everyone,

As part of our DataMesh approach to empowering business users, some of our users are completely autonomous in their workspaces, with their own data sources.

In order to gain in maturity, they would like to obtain metadata in order to be able to establish a detailed data lineage, in order to document the data in the report, from the dataset to the information in the tables and columns that make up the dataset.

To do this, there are the Admin APIs, and in particular the metadata API.


However, one sentence catches my attention:

"Service principals included in allowed security groups will have read-only access to all the information available through admin APIs."

Does this mean that if someone has the client_id/secret_id, they can obtain all the metadata for all the tenant's resources (including workspaces for which they do not have authorisation, etc.)?

In short, is it an all-or-nothing right? Or does it allow users to access metadata, but only for resources for which they have access?

Thank you for your return

Vivien

PS: I am going to start a test phase, and I will be able to add to it when I have the results.

1 ACCEPTED SOLUTION
vivien57
Helper V

Hello,

After testing, the Admin API returns the data for the whole tenant (so it should only be used by admins 🙂 )

Have a nice day,

Vivien
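
One way to reproduce the test described in the accepted solution, as an added example that is not part of the original thread: compare what the service principal gets from the tenant-wide Admin API with what it gets from the non-admin workspace listing. The response bodies, IDs and workspace names below are constructed, and the field names assume the documented response shape of the Power BI REST API.

```python
# Constructed sample data; field names follow the documented response shape
# of the Power BI REST API and are assumptions of this example.
SP_OBJECT_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder object ID

# GET /v1.0/myorg/admin/groups?$expand=users&$top=100 (Admin API, tenant scope)
ADMIN_GROUPS = {"value": [
    {"id": "ws-1", "name": "Finance", "state": "Active", "users": [
        {"identifier": SP_OBJECT_ID, "principalType": "App",
         "groupUserAccessRight": "Member"}]},
    {"id": "ws-2", "name": "HR", "state": "Active", "users": [
        {"identifier": "alice@contoso.example", "principalType": "User",
         "groupUserAccessRight": "Admin"}]},
    {"id": "ws-3", "name": "Legal", "state": "Active", "users": []},
]}

# GET /v1.0/myorg/groups (non-admin API: only workspaces the caller has a role in)
MEMBER_GROUPS = {"value": [{"id": "ws-1", "name": "Finance"}]}


def exposure_report(admin_body, member_body, sp_object_id):
    """Split Admin API results into workspaces the principal is authorised on
    and workspaces whose metadata it can read only through the Admin API."""
    member_ids = {g["id"] for g in member_body.get("value", [])}
    report = {"authorised": [], "metadata_only": []}
    for ws in admin_body.get("value", []):
        direct = any(u.get("identifier", "").lower() == sp_object_id.lower()
                     for u in ws.get("users", []))
        # member_ids also covers roles granted indirectly through a security group
        key = "authorised" if direct or ws["id"] in member_ids else "metadata_only"
        report[key].append(ws["name"])
    # Any workspace in metadata_only means the Admin API ignores resource rights
    report["tenant_wide"] = bool(report["metadata_only"])
    return report


if __name__ == "__main__":
    result = exposure_report(ADMIN_GROUPS, MEMBER_GROUPS, SP_OBJECT_ID)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A non-empty `metadata_only` list is the signal that membership in the allowed security group grants tenant-wide read access, so that group should be reviewed like any other admin-level assignment.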


3 REPLIES 3
v-rzhou-msft
Community Support

Hi @vivien57 ,

 

As far as I know, client_id and secret_id belong to the service principal's authentication key, which is confidential data and needs to be kept safe.

When you use this feature, you can use service principal to get the data through the supported REST API.

You can refer to the following official documentation to learn what REST APIs are supported by service principal, as well as some detailed steps.

Enable service principal authentication for read-only admin APIs - Microsoft Fabric | Microsoft Lear...

 

Best Regards,
Rico Zhou

 

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

 

Hello,

Thank you for your feedback and explanations.

However, what I'm trying to find out exactly is if I activate this option for a few security groups (service principal), will they see information for all the tenant's metadata (all workspaces, etc.) or only the metadata for the resources to which they have access?

Thanks in advance for your return,

Have a nice day,

Vivien
