Hi Fabric Community,
I am facing an issue when trying to connect my C# Solution to my Fabric Eventhouse Kusto Database using user assigned managed identity as credential. I have tried the below 2 options:
1. Using SDK
2. Generating access token using Kusto scope
Both use a user-assigned managed identity, to which I have given Contributor access at the workspace and also direct access to the KQL database from its "Manage permissions".
The error I am getting is essentially this in both cases (complete error at the end):
"Principal 'aadapp=<UserAssignedClientID>;<TenantID>' is not authorized to read database '<DatabaseID> (<DatabaseName>)'"
Could someone please guide me on whether managed identity is even possible in Fabric Eventhouse Kusto DB? If not, what is the alternative for production-critical applications?
Important Note: This is not the normal ADX; any suggestions/answers I try to find are tailored for that, e.g. to run queries such as .add database sdktestdata viewers ('aadapp=[application-id];[tenant-guid]'). What I am using is the native Fabric Eventhouse Kusto Database, where I cannot run these queries, and I believe access is provisioned from the UI of the Fabric Portal itself.
Full error:
Forbidden (403-Forbidden): { "error": { "code": "Forbidden", "message": "Caller is not authorized to perform this action", "@type": "Kusto.Data.Exceptions.KustoRequestDeniedException", "@message": "Forbidden (403-Forbidden): { \"error\": { \"code\": \"Forbidden\", \"message\": \"Caller is not authorized to perform this action\", \"@type\": \"Kusto.DataNode.Exceptions.UnauthorizedDatabaseAccessException\", \"@message\": \"Principal 'aadapp=<UserAssignedClientID>;<TenantID>' is not authorized to read database '<DatabaseID> (<DatabaseName>)'.\", \"@context\": { \"timestamp\": "<Timestamp>", \"serviceAlias\": "<ServiceAlias>", \"clientRequestId\": "<ClientRequestId>", \"activityId\": "<ActivityId>", \"subActivityId\": "<SubActivityId>", \"activityType\": "<ActivityType>", \"parentActivityId\": "<ParentActivityId>", \"activityStack\": "<ActivityStack>" }, \"@permanent\": true } }. This normally represents a permanent error, and retrying is unlikely to help. Error details: DataSource='<ClusterEndpoint>', DatabaseName='<DatabaseName>', ClientRequestId='<ClientRequestId>', ActivityId='<ActivityId>', Timestamp='<Timestamp>'. }, "@context": { "timestamp": "<Timestamp>", "serviceAlias": "<ServiceAlias>", "clientRequestId": "<ClientRequestId>", "activityId": "<ActivityId>", "subActivityId": "<SubActivityId>", "activityType": "<ActivityType>", "parentActivityId": "<ParentActivityId>", "activityStack": "<ActivityStack>" }, "@permanent": true }
Hi @FawadAhmedMAQ
I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If our responses have addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.
May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.
Thank you.
Hi @FawadAhmedMAQ
Thanks for reaching out to the Microsoft Fabric Community forum.
Currently Managed Identities are not supported. You can use Workspace Identity if that helps. A Fabric workspace identity is an automatically managed service principal that can be associated with a Fabric workspace.
For more information please refer to this link: Workspace identity - Microsoft Fabric | Microsoft Learn
If you find this post helpful, please mark it as an "Accept as Solution" and consider giving a KUDOS. Feel free to reach out if you need further assistance.
Thank you
Hi @v-nmadadi-msft,
Thanks for confirming that Managed Identities are not yet supported.
I can definitely try using the Workspace Identity; I have identified the SPN for it. Could you please assist with the next steps on how I can use this identity to generate a token? I cannot see an option for this App to create a secret or FIC which will help in using it from my App Service. In the doc you shared, the only example given for Workspace Identity Authentication is to Storage Accounts.
Hi @FawadAhmedMAQ ,
Thanks for reaching out to the Microsoft Fabric Community forum.
Currently, Workspace Identity is intended for internal use within Fabric-native services such as pipelines, notebooks, dataflows, and other direct integrations within the Fabric environment. It is not designed to be used externally, for example from an Azure App Service or custom application, because it does not expose client secrets or support federated credential setups like traditional managed identities or app registrations. As a result, it cannot be impersonated outside the scope of the Fabric workspace.
For your scenario where you need to authenticate from an external C# application hosted in App Service the best path today is to use:
For more information on them check out: Identity support for logging into the Microsoft Fabric - Microsoft Fabric REST APIs | Microsoft Lear...
Just ensure that you have enabled this service principal option in the admin portal.
If you find this post helpful, please mark it as an "Accept as Solution" and consider giving a KUDOS. Feel free to reach out if you need further assistance.
Thank you
I am a little confused on the point that you mentioned regarding managed identities not being supported in Fabric Kusto, as the link below says otherwise:
https://learn.microsoft.com/en-us/kusto/api/get-started/app-authentication-methods?view=azure-data-e...
This specifically states that this applies to "Microsoft Fabric" as well. Do you have any source that confirms that Managed Identities are not supported in Fabric Kusto environments?
Hi @FawadAhmedMAQ ,
Thanks for reaching out to the Microsoft Fabric Community forum.
Apologies for the unintended error. I have based my previous answer on this idea post: Enable Support for User-Assigned Managed Identity ... - Microsoft Fabric Community
As this has recently been updated, I thought UAMI are not supported yet.
I have rechecked based on the source you have provided and also from the article below:
Items - Get KQL Database - REST API (KQLDatabase) | Microsoft Learn
UAMI is supported for Fabric KQL database.
To try to resolve your error while using UAMI: as you are facing a 403 error, please make sure you have given the following scopes in your App Registrations: KQLDatabase.Read.All or KQLDatabase.ReadWrite.All or Item.Read.All or Item.ReadWrite.All.
Also these are the calls you can make from your C# software
You will face an error if you try any operation other than these.
Additionally, for any operation you are trying to accomplish, ensure you are correctly making the call with the right interface.
For example, for List KQL database this is the interface:
GET https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/kqlDatabases
If this post helps, then please consider Accepting as solution to help the other members find it more quickly and consider giving a KUDOS. Feel free to reach out if you need further assistance.
Thank you
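A diagnostic for the 403 in the first post and the scopes mentioned in the last reply, added here as an example and not code from any poster in the thread: it decodes the access token the application obtained and compares its identity with the principal named in the Kusto error, then lists the audience and roles the token carries. The GUIDs, audience URL, database name and unsigned token are constructed sample values, and the payload is decoded without signature validation, so this is for inspection only.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;
using System.Text.RegularExpressions;

// Constructed sample inputs (made-up GUIDs, placeholder audience, unsigned token).
const string ClientId = "11111111-1111-1111-1111-111111111111";
const string TenantId = "22222222-2222-2222-2222-222222222222";
string claimsJson = JsonSerializer.Serialize(new {
    aud = "https://cluster.example", tid = TenantId, appid = ClientId, roles = Array.Empty<string>() });
string token = B64Url("{\"alg\":\"none\"}") + "." + B64Url(claimsJson) + ".";
string error = "Principal 'aadapp=" + ClientId + ";" + TenantId
    + "' is not authorized to read database 'SampleDbId (SampleDb)'.";

var denied = ParseDeniedPrincipal(error) ?? throw new FormatException("no aadapp principal in error text");
JsonElement claims = DecodePayload(token);
// v1 tokens carry the client ID in "appid", v2 tokens in "azp".
string tokenApp = Claim(claims, "appid") ?? Claim(claims, "azp") ?? "(missing)";
bool sameIdentity = string.Equals(tokenApp, denied.AppId, StringComparison.OrdinalIgnoreCase)
    && string.Equals(Claim(claims, "tid"), denied.TenantId, StringComparison.OrdinalIgnoreCase);
Console.WriteLine("denied principal: " + denied.AppId + " in tenant " + denied.TenantId);
Console.WriteLine("token identity  : " + tokenApp + " (same as denied principal: " + sameIdentity + ")");
Console.WriteLine("token audience  : " + Claim(claims, "aud") + ", roles/scp: " + Roles(claims));

string B64Url(string s) =>
    Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

// Decodes the middle (claims) segment of a compact JWT; the signature is not checked.
JsonElement DecodePayload(string jwt)
{
    string[] parts = jwt.Split('.');
    if (parts.Length != 3) throw new FormatException("not a compact JWT");
    string b64 = parts[1].Replace('-', '+').Replace('_', '/');
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
    return doc.RootElement.Clone();
}

// Extracts "aadapp=<appId>;<tenantId>" from the error text, escaped or not.
(string AppId, string TenantId)? ParseDeniedPrincipal(string errorText)
{
    Match m = Regex.Match(errorText, @"Principal 'aadapp=([^;']+);([^']+)'");
    if (!m.Success) return null;
    return (m.Groups[1].Value, m.Groups[2].Value);
}

string? Claim(JsonElement c, string name) =>
    c.TryGetProperty(name, out JsonElement v) && v.ValueKind == JsonValueKind.String ? v.GetString() : null;

string Roles(JsonElement c) =>
    c.TryGetProperty("roles", out JsonElement r) && r.ValueKind == JsonValueKind.Array && r.GetArrayLength() > 0
        ? string.Join(", ", r.EnumerateArray().Select(e => e.GetString()))
        : Claim(c, "scp") ?? "(none)";
```

When the token identity matches the denied principal, the request reached the service as the intended identity, and the error text points at that principal's permission on the database named in the message.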