Solved: Connnecting to the Fabric API with an Entra ID cod...

JesseLil · ‎03-13-2025

Hi!

We have an Entra ID app setup that we use to authorize users to Microsoft Products (Fabric API in this case, but it is also used for Bing Ads API).

I am using the following URL to guide the user to authorize the app to access the Fabric API:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=[app_client_id]&response_ty...

This succeeds, and redirects the user to our site:

https://[redirect_url]?code=[code]&session_state=[session_state]#

Next, I try to connect to the Fabric API using this code and cURL:

curl https://api.fabric.microsoft.com/v1/workspaces -H "Authorization: Bearer [code]"

The API returns:

{"requestId":"8f49a868-987f-4716-80fd-600edd835419","errorCode":"InvalidToken","message":"Access token is invalid"}

This is rather puzzling, considering that the Entra ID OAuth process succeeds with the scopes without issue. Any idea why this happens?

TomOs · ‎03-13-2025

You're using the authorization code incorrectly as a bearer token. Instead, you need to exchange it for an access token before making API requests. First, send a POST request to the token endpoint and then use it in your API request.

Also, make sure your OAuth request includes the necessary scopes for Fabric API, and check that your app registration in Entra ID has the right API permissions with admin consent granted. If you’re still getting the error, verify what response you get when exchanging the code for a token.

View solution in original post

JesseLil · ‎03-13-2025

That's it! Somehow I managed not to remember this had to be done. Thanks for the solution!

TomOs · ‎03-14-2025

Glad it helped!

TomOs · ‎03-13-2025

You're using the authorization code incorrectly as a bearer token. Instead, you need to exchange it for an access token before making API requests. First, send a POST request to the token endpoint and then use it in your API request.

Also, make sure your OAuth request includes the necessary scopes for Fabric API, and check that your app registration in Entra ID has the right API permissions with admin consent granted. If you’re still getting the error, verify what response you get when exchanging the code for a token.

JohnHu · ‎03-26-2025

Is there an example of this in code? What is a bearer token vs access token?

TomOs · ‎03-27-2025

Hi, here is how I usually handle the code exchange part in Python:

First, swap that auth code for a real token

token_data = {
"client_id": "your_app_id_here",
"client_secret": "your_secret_here", # keep this safe!
"code": "that_code_you_got_from_redirect",
"redirect_uri": "your_callback_url",
"grant_type": "authorization_code",
"scope": "https://api.fabric.microsoft.com/.default"
}

response = requests.post(
"https://login.microsoftonline.com/common/oauth2/v2.0/token",
data=token_data

Then grab the good stuff

access_token = response.json()["access_token"]

And now try hitting Fabric API

headers = {"Authorization": f"Bearer {access_token}"}
workspaces = requests.get(
"https://api.fabric.microsoft.com/v1/workspaces",
headers=headers

)

This should work

JohnHu · ‎03-27-2025

Thank you! My problem was the Service Principal was not added to the Fabric Admin Settings. Once I put the Service Principal (from the App Registration) in a sercurity group, and added the security group email to the Fabric Admin Settings, it worked!

Connnecting to the Fabric API with an Entra ID code gives "Access token is invalid" error

Helpful resources

Fabric Monthly Update - July 2025

Fabric Community Update - August 2025

Join us at FabCon Vienna from September 15-18, 2025

Connnecting to the Fabric API with an Entra ID code gives "Access token is invalid" error

Helpful resources

Fabric Monthly Update - July 2025

Fabric Community Update - August 2025