bsmucker
Frequent Visitor

User token grant flow for Fabric Git APIs in Azure DevOps CI/CD

Hello, all,

 

As part of a CICD workflow, I am looking to connect, initialize, and update several workspaces from Azure DevOps using Git Integration for Power BI and the Fabric APIs for Git.

 

The problem with the Fabric GIT APIs is that they only support the User identity type, and the rest of the workflow is driven using service principals making API calls in Python scripts that obtain Bearer access tokens using the client_credentials auth flow.

Using Connect-PowerBIServiceAccount or the FabricPS-PBIP module to get an access token for my logged in user account creates an interactive login window when I run the scripts locally. Because this script will be run remotely on a server using Azure DevOps, I'm not sure how to obtain the access token dynamically based on the user who starts the ADO pipeline and without requiring interactive login.


My understanding is that the Azure DevOps agent will run as the connected Azure service connection, which is a service principal. If I have to use a User identity for the Git APIs, I'd rather use a generic User identity instead of an actual person's account to mimic the behavior of a service principal.

 

With the resource owner password auth flow discouraged and posing security risks, the ideal behavior would be to use something like the on-behalf-of workflow (OBO) to call the Fabric APIs as a User on behalf of the service principal, but that still leaves me with requiring an interactive login for the auth code or device code workflows to obtain a Bearer access token for the generic User account.

 

I am aware that MSAL for Python exists, but I feel like I need to settle on an auth flow first.

Does anyone have experience or solutions using the Fabric Git APIs in an automated Web API that calls other Web API design? The suggested auth flow seems to be OBO, but I'm struggling to obtain a Bearer token as the user to then pass to that workflow. I'm also not sure which auth flow I should be using to obtain my User access token in this setup if I want to avoid the interactive login.

 

I think my Microsoft Entra account and owned service principal application are configured correctly with the delegated scopes that they need for the Git APIs, but I received consent_required errors when I tested the password grant_type. I did not grant admin consent at the application permission level because the Git APIs don't require them, and I wasn't sure if I needed to grant the user_impersonation scope to the service principal application whose client_id and client_secret I'm using.

Anonymous
Not applicable

Hi  @bsmucker ,

 

Have you granted the Workspace.ReadWrite.All delegated type permissions required by the Git API for the configured application and granted admin consent?

Grant tenant-wide admin consent to an application - Microsoft Entra ID | Microsoft Learn

In addition to this, according to the documentation, it does not support AAD tokens generated as service principal, but only user delegated and requires the admin role of the workspace.


 

Best Regards,

Liu Yang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi Liu,

I've set the following API permissions on my application, but I did not grant admin consent because the APIs don't seem to require them:

bsmucker_0-1726065759455.png

I've also set up my redirect URI to http://localhost.

I'm currently stuck trying to generate an AAD token for my account, but my goal is to create a basic User identity with a password to act like a service principal in the workflow. The ROPC auth flow, which documentation advises against, returned an "InvalidToken" response after I tried to use its Bearer token in a Git API call.

If my Azure DevOps pipeline is making a call to a Python script that needs to make Power BI API calls as a User identity, is the more appropriate automated solution to use an auth code as the User with an offline_access scope for a one-time local setup, obtain the refresh token, and use that in the subsequent scripted API calls?
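
The refresh-token approach raised in the last post, shown as an added example (not code from any poster in this thread or from Microsoft): it builds the refresh_token grant request for the Microsoft identity platform v2.0 token endpoint and checks, from the unverified JWT claims, whether an access token is user-delegated and carries Workspace.ReadWrite.All. The function names and the sample tokens are constructed for illustration, and sending the request is left to the caller.

```python
import base64
import json
import urllib.parse

# Microsoft identity platform v2.0 token endpoint; the tenant is filled in per call.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_refresh_request(tenant, client_id, refresh_token, scope, client_secret=None):
    """Return (url, form_body) for the OAuth 2.0 refresh_token grant.

    The refresh token comes from the one-time interactive sign-in that asked for
    offline_access; keep it in a secret store, never in the repository.
    """
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    if client_secret:  # only for confidential client registrations
        form["client_secret"] = client_secret
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(form).encode()


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def delegated_token_problems(token, required_scope):
    """List reasons the token is not a user-delegated token with required_scope."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("roles") and "scp" not in claims:
        problems.append("app-only token (roles, no scp): issued to the service principal")
    elif "scp" not in claims:
        problems.append("no scp claim: not a delegated token")
    elif required_scope not in claims["scp"].split():
        problems.append(f"scope {required_scope} missing from scp: {claims['scp']}")
    return problems


def sample_jwt(claims):
    """Constructed, unsigned sample token for trying the checks offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Running `delegated_token_problems` on the token a pipeline step obtained, before the first Git API call, separates a client_credentials token from a delegated token that is merely missing a scope.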
