Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
SimonPl
New Member

Fabric REST API endpoints for GCC

‎07-16-2025 01:08 AM

Hi,

 

Context:

I am trying to run a PowerShell script using the Fabric REST APIs. We are working in a multi-tenant environment, so the idea is to run the script using a DevOps pipeline. The source tenant from where we are running DevOps is fully commercial (DevOps, Azure, o365). The target tenant uses the GCC compliant service description for o365 and commercial for the Azure. The script posted below works for all users and service principals when using the source tenant, but when trying the same on the target tenant, we get a "401 - Unauthorized" error. I am assuming there are different endpoints to be used between the different service descriptions, as PowerBI REST APIs also have different ones. 

When both connecting using a service principal's credentials and with our personal accounts, all get the same 401 error. However, when a user manually connects to the Fabric workspace, they can create workspaces, lakehouses, etc. Currently, we are mainly confused on why the API connections do not seem to be working if this is working. 

 

Specs:

For both tenants, I have enabled the following in the Fabric workspace:

  • Service principals can use Fabric APIs
  • Service principals can create workspaces, connections, and deployment pipelines

According to the documentation, this feels like to only settings that need to be enabled to list the workspaces. We explored the different API settings needd for the App service, but found the following (https://learn.microsoft.com/en-us/rest/api/fabric/articles/scopes)

SimonPl_0-1752653246263.png

 

 

Code (after connecting your Azure account):

# Set variables
    $fabricResourceUrl = "https://api.fabric.microsoft.com"
    # $fabricResourceUrl = "https://analysis.usgovcloudapi.net/powerbi/api"
    # API endpoint URL -> Use to execute POST/GET (REST) calls against workspace
    $fabricWorkspaceUrl = "https://api.fabric.microsoft.com/v1/workspaces"
    # $fabricWorkspaceUrl = "https://api.powerbigov.us/v1.0/myorg/groups"
#endregion

#region authentication
$fabricToken = (Get-AzAccessToken -ResourceUrl $fabricResourceUrl).Token

$fabricHeaders = @{
    'Content-Type' = "application/json"
    'Authorization' = "Bearer {0}" -f $fabricToken
}

# Get fabric workspace (to which there is access)
$response = Invoke-RestMethod -Method GET -Headers $fabricHeaders -Uri $fabricWorkspaceUrl -Verbose

# Print result
Write-Output $response

 

Questions:

Thanks in advance! 

Labels:
Message 1 of 5
460 Views
0
1 ACCEPTED SOLUTION
SimonPlancke
New Member
In response to ibarrau

‎07-28-2025 02:07 AM

Thank you for the reply! In the end, we found the following:

  • We were initially using PowerShell command (Get-AzAccessToken -ResourceUrl $fabricResourceUrl).Token to request our access token for a personal user.
  • We found out that any access token generated in this way on a GCC description does not provide access to any of the Fabric services. Since we are working with a service principal, we tried a different way of getting our access token: 

 

        $appId = $env:servicePrincipalId 
        $clientSecret = $env:servicePrincipalKey
        $tenantId = $env:tenantId

        $authority = "https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token"
        # access token
        $body = @{
            client_id = $appId
            scope = "$fabricResourceUrl/.default"
            client_secret = $clientSecret
            grant_type = "client_credentials"
        }
        
        $response = Invoke-RestMethod -Method Post -Uri $authority -ContentType "application/x-www-form-urlencoded" -Body $body
        $fabricToken = $response.access_token

 

  • This new method for token retrieval resolved the issues we were having. We could use exactly the same Fabric endpoints for GCC, but now with a valid access token. I do not have a clear explanation on why this resolves the issue. 

View solution in original post

Message 3 of 5
263 Views
0
4 REPLIES 4
v-prasare
Community Support
Community Support

‎07-22-2025 01:03 AM

Hi @SimonPl ,

We would like to follow up to see if the solution provided by the super user resolved your issue. Please let us know if you need any further assistance.


@ibarrau & @burakkaragoz , thanks for your prompt response.

 

 


Thanks,

Prashanth Are

MS Fabric community support


If our super user response resolved your issue, please mark it as "Accept as solution" and click "Yes" if you found it helpful.

Message 5 of 5
360 Views
0
burakkaragoz
Community Champion
Community Champion

‎07-21-2025 11:55 PM

Hi @SimonPl ,

The Fabric REST API docs don't clearly specify GCC endpoints, which is pretty frustrating when you're trying to build production solutions.

What I can say for sure:

  • Your assumption about different endpoints is probably correct (based on Power BI patterns)
  • The 401 vs 403 difference you're seeing suggests endpoint issues rather than just permissions
  • @ibarrau 's points about permissions are valid, but don't explain why it works manually but not via API

The reality: Microsoft hasn't published clear GCC endpoint documentation for Fabric REST APIs yet. This is a known gap that lots of people are running into.

Your best bet:

  1. Open a Microsoft support ticket - this is one of those cases where you need official guidance
  2. Check if there's a Fabric GCC preview program you can join for early documentation
  3. Try the Microsoft Tech Community forums - sometimes Microsoft engineers drop hints there

Quick test: Before going the support route, try hitting the regular Fabric endpoint from within the GCC tenant (like from a VM in that environment) to see if it's a network/routing issue rather than endpoint issue.

Sorry I can't give you the exact endpoints - this is genuinely underdocumented right now. Super annoying when you're trying to build automation.

If my response resolved your query, kindly mark it as the Accepted Solution to assist others. Additionally, I would be grateful for a 'Kudos' if you found my response helpful.

This response was assisted by AI for translation and formatting purposes.

Message 4 of 5
364 Views
0
ibarrau
Super User
Super User

‎07-21-2025 05:38 AM

Hi. I have been using the Rest API for quite time now and I haven't read anything about GCC. Usually a 401 means that the service principal or the user doesn't have access to a resource to run the request, for example you don't have the service principal as a member of a workspace, then how would it get a workspace with rest api. Then 403 tipically means that you don't have the permission to run that operation, when registering an App in EntraID for using the Rest API, you can assign permissions to let the service principal specific permission to prevent it can run anything. 

Maybe you could take a recap at how to get started with the rest api in here: https://blog.ladataweb.com.ar/post/740398550344728576/seteo-powerbi-rest-api-por-primera-vez

Consider that when working with 2 tenants, then you need two service principals and you need to get 2 different tokens for the requests.

Just for the heads up, if you want the rest api to run and read all. You need to allow it in read only admin requests. For example, if you want it to show all workspaces in the whole tenant you need to change that setting at Fabric admin portal adding a security group with the service principal to allow it to run that.

I hope that helps,


If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

Message 2 of 5
380 Views
0
SimonPlancke
New Member
In response to ibarrau

‎07-28-2025 02:07 AM

Thank you for the reply! In the end, we found the following:

  • We were initially using PowerShell command (Get-AzAccessToken -ResourceUrl $fabricResourceUrl).Token to request our access token for a personal user.
  • We found out that any access token generated in this way on a GCC description does not provide access to any of the Fabric services. Since we are working with a service principal, we tried a different way of getting our access token: 

 

        $appId = $env:servicePrincipalId 
        $clientSecret = $env:servicePrincipalKey
        $tenantId = $env:tenantId

        $authority = "https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token"
        # access token
        $body = @{
            client_id = $appId
            scope = "$fabricResourceUrl/.default"
            client_secret = $clientSecret
            grant_type = "client_credentials"
        }
        
        $response = Invoke-RestMethod -Method Post -Uri $authority -ContentType "application/x-www-form-urlencoded" -Body $body
        $fabricToken = $response.access_token

 

  • This new method for token retrieval resolved the issues we were having. We could use exactly the same Fabric endpoints for GCC, but now with a valid access token. I do not have a clear explanation on why this resolves the issue. 
Message 3 of 5
264 Views
0

Helpful resources

Announcements
Fabric July 2025 Monthly Update Carousel

Fabric Monthly Update - July 2025

Check out the July 2025 Fabric update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All