Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Fabric Data Days Monthly is back. Join us on March 26th for two expert-led sessions on 1) Getting Started with Fabric IQ and 2) Mapping & Spacial Analytics in Fabric. Register now

Reply
rayphoon
New Member

API call to modify Workspace Diagnostics does not work when run under a Service Principal

‎02-11-2026 06:12 PM

We are trying to use REST API calls to Fabric to configure diagnostic settings for our Fabric workspaces using a service principal as described in 

https://learn.microsoft.com/en-us/rest/api/fabric/core/onelake-settings/modify-diagnostics?tabs=HTTP

 

The API call returns a 500 error with message "InternalServerError". The same API call works when run using an access token from a user.

 

Tested that the "Get Settings" API call for the onelake diagnostic settings works fine using the service principal.

https://learn.microsoft.com/en-us/rest/api/fabric/core/onelake-settings/get-settings?tabs=HTTP

 

Checked that the user and service principal has the same roles (Admin) on the workspace as well as the target diagnostic workspace where the lakehouse resides.

 

Has anybody come across this issue?

 

Thanks.

 

Labels:
Message 1 of 9
571 Views
0
1 ACCEPTED SOLUTION
svenchio
Super User
Super User

‎02-12-2026 12:22 PM

hi @rayphoon , I have good news (hopefully 🤞) I was able to reproduce your issue, that is, using a SPN calling the interface as documented in the https://learn.microsoft.com/en-us/rest/api/fabric/core/onelake-settings/modify-diagnostics?tabs=HTTP and got the same the same 500 error, but I knew my SPN has all the neccesary Fabric tenant permissions because I use it to create Fabric items ALL THE TIME, also, the same way you do, have a security group with the SPN as member as admin of the workspace, so basically I knew it wasn't a permission issue. 

 

But then, I remember other instances where, in order for the SPN to execute some operations, IT NEEDS TO BE THE OWNER OF THE ITEMS, else get a 500 error, so, I decided to test this; as shown below, the SPN has admin permission on the workspace via an Entra ID sec. group, and I created a Lakehouse whitout schema support, as shown in the image, the SPN is the owner! 

 

svenchio_0-1770926919107.png

 

And after I did this, I invoked the interface using the SPN (as usual) and IT WORKED! 

 

svenchio_1-1770927049279.png

 

 I'm pretty confident it will work for you the same way it did for me ... give a try and let us know 😁🤞  ! 

 

@v-karpurapud  can you help us understand why would it be requiered for the SPN to be owner of the lakehouse in addition of workspace admin permissions?  Perhaps also @strzala  can you confirm the ownership of the lakehouse for your script to work? I think this confirmation will help figure this out! 

 

Don't forget a thumbs up if you find this information useful and accept as solution if appropiate. 

 

View solution in original post

Message 7 of 9
470 Views
8 REPLIES 8
svenchio
Super User
Super User

‎02-12-2026 12:22 PM

hi @rayphoon , I have good news (hopefully 🤞) I was able to reproduce your issue, that is, using a SPN calling the interface as documented in the https://learn.microsoft.com/en-us/rest/api/fabric/core/onelake-settings/modify-diagnostics?tabs=HTTP and got the same the same 500 error, but I knew my SPN has all the neccesary Fabric tenant permissions because I use it to create Fabric items ALL THE TIME, also, the same way you do, have a security group with the SPN as member as admin of the workspace, so basically I knew it wasn't a permission issue. 

 

But then, I remember other instances where, in order for the SPN to execute some operations, IT NEEDS TO BE THE OWNER OF THE ITEMS, else get a 500 error, so, I decided to test this; as shown below, the SPN has admin permission on the workspace via an Entra ID sec. group, and I created a Lakehouse whitout schema support, as shown in the image, the SPN is the owner! 

 

svenchio_0-1770926919107.png

 

And after I did this, I invoked the interface using the SPN (as usual) and IT WORKED! 

 

svenchio_1-1770927049279.png

 

 I'm pretty confident it will work for you the same way it did for me ... give a try and let us know 😁🤞  ! 

 

@v-karpurapud  can you help us understand why would it be requiered for the SPN to be owner of the lakehouse in addition of workspace admin permissions?  Perhaps also @strzala  can you confirm the ownership of the lakehouse for your script to work? I think this confirmation will help figure this out! 

 

Don't forget a thumbs up if you find this information useful and accept as solution if appropiate. 

 

Message 7 of 9
471 Views
v-karpurapud
Community Support
Community Support
In response to svenchio

‎02-12-2026 08:44 PM

Hi @svenchio

Just to clarify, I did not suggest that the service principal must be the Owner of the lakehouse. In this scenario, Workspace Admin permissions should be sufficient to modify OneLake diagnostic settings. My earlier comment only emphasized the importance of verifying the appropriate workspace-level roles on both the source and destination workspaces, rather than any item-level ownership requirements.

Regards,

Microsoft Fabric Community Support Team.

Message 9 of 9
400 Views
0
strzala
Frequent Visitor
In response to svenchio

‎02-12-2026 01:39 PM

In my case, I am the owner of the lakehouse not SP.

 

strzala_0-1770932102522.png

Did I answer your question?
Please mark as Solution to help others find the answer.
👍 Kudos are always appreciated!

Andrzej Strzala | Data Guideline
LinkedIn | Blog | YouTube

 

Message 8 of 9
457 Views
0
strzala
Frequent Visitor

‎02-12-2026 04:35 AM

Have you tried granting admin permissions to the Service Principal at the workspace level instead of to the entire security group?

You can also test the code below in PowerShell ISE and verify the response you receive. Make sure to provide the Service Principal details, as well as the Workspace ID and Lakehouse ID where diagnostic is enabled.
Request body is just a sample from documentation: https://learn.microsoft.com/en-us/rest/api/fabric/core/onelake-settings/modify-diagnostics

$TenantId       = "YOUR_TENANT_ID"
$ClientId       = "YOUR_CLIENT_ID"
$ClientSecret   = "YOUR_CLIENT_SECRET"

$WorkspaceId    = "YOUR_WORKSAPCE_ID"
$LakehouseItemId = "YOUR_LAKEHOUSE_ID"

$tokenUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://api.fabric.microsoft.com/.default"
}

try {
    $tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $tokenBody
    $accessToken = $tokenResponse.access_token
    Write-Host "Access token acquired successfully." -ForegroundColor Green
}
catch {
    Write-Error "Failed to acquire access token: $_"
    exit 1
}

$apiUrl = "https://api.fabric.microsoft.com/v1/workspaces/$WorkspaceId/onelake/settings/modifyDiagnostics"

$body = @{
    status      = "Enabled"
    destination = @{
        type      = "Lakehouse"
        lakehouse = @{
            referenceType = "ById"
            itemId        = $LakehouseItemId
            workspaceId   = $WorkspaceId
        }
    }
} | ConvertTo-Json -Depth 5

$headers = @{
    Authorization  = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

try {
    $response = Invoke-WebRequest -Method Post -Uri $apiUrl -Headers $headers -Body $body -UseBasicParsing
    Write-Host "Response Code: $($response.StatusCode)" -ForegroundColor Green
    Write-Host "Diagnostics setting modified successfully." -ForegroundColor Green
    if ($response.Content) {
        $response.Content | ConvertFrom-Json | ConvertTo-Json -Depth 5
    }
}
catch {
    if ($_.Exception.Response) {
        $statusCode = [int]$_.Exception.Response.StatusCode
        Write-Error "API call failed with status code: $statusCode"
        $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
        $errorBody = $reader.ReadToEnd()
        Write-Error "Response body: $errorBody"
    }
    else {
        Write-Error "API call failed: $($_.Exception.Message)"
    }
}

 
You should receive following status:

strzala_1-1770899566136.png

 

 

Message 4 of 9
500 Views
rayphoon
New Member
In response to strzala

‎02-12-2026 07:03 AM

Thanks for your reply.

 

Yes, I had tried adding the service principal directly as admin on the workspace as well as the group it is a member of. I also tried giving Fabric Admin role to the Service Principal.

 

Running the code provided gives the following error:

PS C:\Users\rayp> .\test.ps1
Access token acquired successfully.
C:\Users\rayp\test.ps1 : API call failed with status code: 500
At line:1 char:1
+ .\test.ps1
+ ~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,test.ps1

C:\Users\rayp\test.ps1 : Response body: {"requestId":"889be9a9-b834-429d-ae49-f9e3d61b5e6c","errorCode":"InternalServer
Error","moreDetails":[{"errorCode":"ServerError","message":"","relatedResource":{"resourceId":"913c514f-8d8a-48f4-a365-
71e1d2574a77","resourceType":"Workspace"}}],"message":"An error
occured","relatedResource":{"resourceId":"913c514f-8d8a-48f4-a365-71e1d2574a77","resourceType":"Workspace"}}
At line:1 char:1
+ .\test.ps1
+ ~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,test.ps1

 

Message 5 of 9
476 Views
0
strzala
Frequent Visitor
In response to rayphoon

‎02-13-2026 01:16 AM

@rayphoon I've managed to recrete the issue. You are right, when lakehouse is in another Workspace I get the same error code. I think Microsoft should investigate this.

} : API call failed with status code: 500
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException

Response body: {"requestId":"d177ee27-301c-49b3-a111-ca375d4a12ba","errorCode":"InternalServerError","moreDetails":[{"errorCode":"ServerError","message":"","related
Resource":{"resourceId":"135911f1-13ef-4317-83ce-f822697e4ff1","resourceType":"Workspace"}}],"message":"An error occured","relatedResource":{"resourceId":"135922f1-13ef
-4317-83ce-f822697e4ff1","resourceType":"Workspace"}}
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException

 

 

Did I answer your question?
Please mark as Solution to help others find the answer.
👍 Kudos are always appreciated!

Andrzej Strzala | Data Guideline
LinkedIn | Blog | YouTube
Message 6 of 9
387 Views
0
rayphoon
New Member

‎02-12-2026 04:14 AM

Hi, I should have mentioned that testing was done using Postman so I could see the response codes returned.

Both workspaces are on the same capacity and the Service Principal is a member of a security group which has been granted API access for basically all settings in the Fabric Admin portal that has "service principal" in the setting name.

 

We have also tried adding the following API permissions to the App Registration service principal:

Azure Service Management - user_impersonation - Delegated

Azure Storage - user_impersonation - Delegated

Microsoft Graph - User.Read - Delegated

Power BI Service - App.Read.All, OneLake.ReadWrite.All - Delegated

 

The error is 500 - Internal server error with the following response:

{
    "requestId": "93ffd950-f22e-47aa-a5e7-f54235584ba6",
    "errorCode": "InternalServerError",
    "moreDetails": [
        {
            "errorCode": "ServerError",
            "message": "",
            "relatedResource": {
                "resourceId": "73fe3d71-d140-4377-a3c0-73916a1272a0",
                "resourceType": "Workspace"
            }
        }
    ],
    "message": "An error occured",
    "relatedResource": {
        "resourceId": "73fe3d71-d140-4377-a3c0-73916a1272a0",
        "resourceType": "Workspace"
    }
}
Message 3 of 9
514 Views
0
v-karpurapud
Community Support
Community Support

‎02-12-2026 03:51 AM

Hi @rayphoon 
Thank you for reaching out to the Microsoft Fabric community forum.
 

The behavior you’re observing indicates that authentication and initial authorization are working, as the GET endpoint is successful and no 401 or 403 errors are returned. However, the Modify OneLake Diagnostics operation fails during backend processing. While the API documentation states that service principals are supported, write operations follow a different execution path than read operations, including additional internal validation and handling for long-running operations.
 

Before assuming a product issue, please verify that tenant settings allow service principals to access Fabric APIs, that the service principal has the required roles on both the source and destination workspaces, that both workspaces are on the same capacity, and that the 202/long-running operation pattern is being handled correctly. If all these conditions are met and the request still returns a 500 error only when using a service principal but works with a user token, this likely indicates a backend issue.

 

For more details, please refer to the Microsoft official documentation on
Developer admin settings - Microsoft Fabric | Microsoft Learn
Tenant settings index - Microsoft Fabric | Microsoft Learn

 

If you have any further questions, feel free to reach out and we'll be glad to assist.

 

Regards,

Microsoft Fabric Community Support Team.
 

Message 2 of 9
518 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

February Fabric Update Carousel

Fabric Monthly Update - February 2026

Check out the February 2026 Fabric update to learn about new features.

View All