Reply
vivien57
Post Patron
Post Patron

Admin API - All access for tenant ? (independent of resource rights)

‎11-18-2024 08:06 AM

Hello everyone,

As part of our DataMesh approach to empowering business users, some of our users are completely autonomous in their workspaces, with their own data sources.

In order to gain in maturity, they would like to obtain metadata in order to be able to establish a detailed data lineage, in order to document the data in the report, from the dataset to the information in the tables and columns that make up the dataset.

To do this, there are the Admin APIs, and in particular the metadata API.

vivien57_0-1731946037772.png

 

However, one sentence catches my attention :


"Service principals included in allowed security groups will have read-only access to all the information available through admin APIs."

Does this mean that if someone has the client_id/secret_id, they can obtain all the metadata for all the tenant's resources (including workspaces for which they do not have authorisation, etc) ?

In short, is it an all-or-nothing right? Or does it allow users to access metadata, but only for resources for which they have access ?

Thank you for your return

Vivien

PS : I am going to start a test phase, and I will be able to add to it when I have the results.

Labels:
Message 1 of 4
490 Views
0
1 ACCEPTED SOLUTION
vivien57
Post Patron
Post Patron

‎12-19-2024 01:34 AM

Hello,

After testing, the Admin API returns the data for the whole tenant (so it should only be used by admins 🙂 )

Have a nice day,

Vivien

View solution in original post

Message 4 of 4
243 Views
0
3 REPLIES 3
vivien57
Post Patron
Post Patron

‎12-19-2024 01:34 AM

Hello,

After testing, the Admin API returns the data for the whole tenant (so it should only be used by admins 🙂 )

Have a nice day,

Vivien

Message 4 of 4
244 Views
0
v-rzhou-msft
Community Support
Community Support

‎11-18-2024 10:57 PM

Hi @vivien57 ,

 

As far as I know, client_id and secret_id belong to the service principal's authentication key, which is confidential data and needs to be kept safe.

When you use this feature, you can use service principal to get the data through the supported REST API.

You can refer to the following official documentation to learn what REST APIs are supported by service principal, as well as some detailed steps.

Enable service principal authentication for read-only admin APIs - Microsoft Fabric | Microsoft Lear...

 

Best Regards,
Rico Zhou

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Message 2 of 4
442 Views
0
vivien57
Post Patron
Post Patron
In response to v-rzhou-msft

‎11-18-2024 11:04 PM

Hello,

Thank you for your feedback and explanations.

However, what I'm trying to find out exactly is if I activate this option for a few security groups (service principal), will they see information for all the tenant's metadata (all workspaces, etc.) or only the metadata for the resources to which they have access ?

Thank in advance for your return,

Have a nice day,

Vivien

Message 3 of 4
436 Views
0
avatar user

Helpful resources

Announcements
March PBI video - carousel

Power BI Monthly Update - March 2025

Check out the March 2025 Power BI update to learn about new features.

March2025 Carousel

Fabric Community Update - March 2025

Find out what's new and trending in the Fabric community.

Stop
View All
Top Solution Authors (Last Month)
View All
Top Kudoed Authors (Last Month)
View All