higgy7
Helper II

FUAM Load_FUAM_Data_E2E error

I am having real issues with permissions.

We have a service principal account with no permissions as stated in the documentation.

We have assigned it to a security group and gave the security group access to the 2 API permissions in Fabric.

We are running using a Fabric admin account. The initial notebook runs to create all objects, but when we run the pipeline load fuam data we get an access error.

When I test the load capacity pipeline on its own, the fuam pbi- service-api admin connection is successful but the relative capacities URL fails.

1 ACCEPTED SOLUTION
higgy7
Helper II

Just an update on this. I discovered my issue was that the group with the SP account in it was not a member of the Admin Monitoring Workspace. When I added the group to this, the pipeline ran successfully.

 

You do not need to add ANY permissions to the SP account in Azure.


burakkaragoz
Community Champion

Hi @higgy7 ,

 

This sounds like a classic case of partial permission propagation with service principals in Fabric.

Here are a few things to double-check:

  1. API Permissions Scope
    Make sure the security group assigned to the service principal has both:
    • Capacity.Read.All
    • Tenant.Read.All
    These are required for accessing capacity-related endpoints like relativecapacities.

  2. Admin Consent
    Even if the permissions are assigned, they won’t take effect unless admin consent has been granted in Azure AD. You can verify this in the Azure portal under Enterprise Applications > API permissions.

  3. Service Principal Role in Fabric
    Ensure the service principal is added as a Fabric Admin or at least has Capacity Admin rights in the Fabric portal. Sometimes being in the security group isn’t enough unless the group itself is granted Fabric-level roles.

  4. Token Scope
    When generating the token for the service principal, make sure the scope includes:
    https://analysis.windows.net/powerbi/api/.default
    Otherwise, the token might not carry the right claims for capacity endpoints.

  5. Try Direct API Call
    As a test, try calling the relativecapacities endpoint directly using Postman or curl with the same token. This can help isolate whether the issue is with the pipeline or the token itself.

Let me know if you want help testing the token or checking the group setup.

If my response resolved your query, kindly mark it as the Accepted Solution to assist others. Additionally, I would be grateful for a 'Kudos' if you found my response helpful.

Hi, just on point 1: does this not conflict with what has been described in the steps provided on GitHub?

higgy7_0-1748520140742.png

 

Yes it does, and I have seen it cause issues.

 

On a side note, are you using the latest version of the install from the fabric-toolbox collection?

https://github.com/microsoft/fabric-toolbox/tree/main/monitoring/fabric-unified-admin-monitoring 

Hi Kevin, so does this mean that permissions DO need to be added within here?

higgy7_0-1748527438350.png

 

No, if you follow the steps in the latest guidelines you should be just fine. The only issue may be your own permissions in Fabric.

 

https://github.com/microsoft/fabric-toolbox/blob/main/monitoring/fabric-unified-admin-monitoring/how... 

Thanks, I have been following those instructions and have had no luck so far. The only things that I might have done incorrectly and need to check/confirm are as follows:

 

Does SP have to be added to the Admin Monitoring Workspace?

Does SP have to be added as a capacity admin?

Does SP have to have grant admin consent turned off?

Good question. What I shared doesn’t contradict the GitHub steps, but rather adds some extra checks that are sometimes missed in real-world setups.

The GitHub guide usually assumes:

  • Admin consent has already been granted for the API permissions
  • The service principal is correctly assigned to the right roles in both Azure and Fabric
  • The token being used includes the correct scopes

In practice, though, we often see issues when:

  • The security group has the permissions, but the service principal isn’t fully synced or recognized yet
  • The token is missing the .default scope or is generated against the wrong resource
  • The Fabric role assignment hasn’t propagated fully (especially if it was just added)

So no contradiction — just a few extra layers to double-check when things don’t behave as expected.

Let me know if you want to walk through your setup step-by-step and compare it with the GitHub flow.

If my response resolved your query, kindly mark it as the Accepted Solution to assist others. Additionally, I would be grateful for a 'Kudos' if you found my response helpful.

I think a step by step would be really useful if possible. Thanks

Sure, here’s a step-by-step guide to setting up a service principal for use with Fabric APIs and pipelines. This assumes you're using it for automation (like notebooks or pipelines) and need access to capacity or workspace-level resources.


Step 1: Register the App (Service Principal) in Azure AD

  1. Go to Azure Portal > Azure Active Directory > App registrations
  2. Click New registration
  3. Give it a name (e.g., fabric-sp)
  4. Set the redirect URI to https://localhost (you can leave it blank if not needed)
  5. Click Register

Step 2: Assign API Permissions

  1. In the app you just registered, go to API permissions
  2. Click Add a permission > APIs my organization uses
  3. Search for Power BI Service and select it
  4. Add the following Application permissions:
    • Tenant.Read.All
    • Capacity.Read.All
  5. Click Grant admin consent (must be done by a global admin)

Step 3: Create a Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Set an expiration and copy the value (you’ll need this for token generation)

Step 4: Add the Service Principal to a Security Group (Optional but recommended)

  1. Create a security group in Azure AD (e.g., fabric-api-access)
  2. Add the service principal as a member
  3. Use this group to manage access in Fabric

Step 5: Assign Roles in Microsoft Fabric

  1. Go to Microsoft Fabric Admin Portal
  2. Under Tenant settings, make sure service principals are allowed
  3. Go to Workspaces or Capacities
  4. Add the service principal (or its security group) as:
    • Admin or Contributor on the workspace
    • Capacity Admin if needed

Step 6: Generate a Token

Use a tool like Postman or a script to get a token:

  client_id: <your-app-id>
  client_secret: <your-client-secret>
  scope: https://analysis.windows.net/powerbi/api/.default
  grant_type: client_credentials

Step 7: Test the API Call

Try calling a simple endpoint like:

GET https://api.powerbi.com/v1.0/myorg/capacities
Authorization: Bearer <your-access-token>

If this works, your setup is good.
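A token check for Steps 6 and 7, added here as an example and not part of the original thread: it builds the client-credentials request with the scope given above and decodes a token's claims locally, so the audience and roles can be inspected before the capacities call is retried. The login.microsoftonline.com v2.0 token URL, the function names and the sample token are assumptions of this example.

```python
import base64
import json
from urllib.parse import urlencode

POWERBI_RESOURCE = "https://analysis.windows.net/powerbi/api"  # resource named in the thread
SCOPE = POWERBI_RESOURCE + "/.default"

def token_request(tenant_id, client_id, client_secret):
    """Build (url, form body) for the Step 6 client-credentials request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body

def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature (local diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(jwt):
    """Summarise app id, audience and roles, and flag obvious token problems."""
    claims = decode_claims(jwt)
    aud = claims.get("aud", "").rstrip("/")
    findings = []
    if aud != POWERBI_RESOURCE:
        findings.append(f"wrong audience: {aud!r}")
    if "scp" in claims:
        findings.append("delegated user token, not an app-only token")
    return {
        "app": claims.get("appid") or claims.get("azp"),
        "aud": aud,
        "roles": claims.get("roles", []),  # application permissions, if any were granted
        "findings": findings,
    }

def make_sample_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    sample = make_sample_token({"aud": "https://graph.microsoft.com", "appid": "constructed-app-id"})
    print(check_token(sample))
```

An empty `findings` list with a 401 or 403 from the API points away from the token and toward tenant settings or workspace membership in Fabric.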

 

Thank you, I will give this a go. However, the instructions are not very clear then, as it says:

  • Create a new service principal with client secret within Azure Entra ID, without any API permissions.

It specifically says without any API permissions, then in your instructions you are assigning API permissions? Should the GitHub not say what permissions need added instead of don't give any permissions?

 

 Step 2: Assign API Permissions

  1. In the app you just registered, go to API permissions
  2. Click Add a permission > APIs my organization uses

Great catch, and I totally get why that might seem confusing.

Here’s the clarification:

When the documentation says the service principal should have “no permissions,” it usually refers to not assigning any user-level roles or workspace access manually at first — especially when testing token generation or basic connectivity.

However, for the service principal to actually call Fabric or Power BI APIs, it absolutely needs API permissions assigned in Azure AD (Step 2 in the guide). These are application-level permissions like Tenant.Read.All or Capacity.Read.All, and they must be granted with admin consent.

So in short:

  • No user-level roles initially → to keep the setup clean and testable
  • Yes to API permissions → required for the token to work with Power BI endpoints

Let me know if you want me to walk through the permission scopes or show how to verify them in Azure.

Thanks for this. I guess my query then is, isn't the permission applied via the following:

 

higgy7_0-1748525058597.png

So within the admin settings of Fabric/Power BI rather than within the app registration? If this is the case, I have added the SP to a security group and then added the group to the 2 settings stated.

higgy7_1-1748525744185.png

higgy7_2-1748525800482.png

higgy7_3-1748525825178.png

 

 

 
