Solved: Fabric sql endpoint - Entra groups resolution

sarav_s · ‎10-29-2025

We have a solution in place to apply table level security via sql endpoints . The security group doesn't gets resolved at DB level while adding the security groups to the respective roles .

We are using pyODBC to execute SQL Security commands with a Service Principal. The commands
- Create a custom role
- Add a Security Group to the role

When executing these commands with the pyODBC and a Service Principal, it errors out with the following:

'42000', '[42000] [Microsoft][ODBC Driver 18 for SQL Server][SQL Server]Principal \'SEC-GLO-DaaS-NBI-Users\' could not be resolved. Error message: \'Server identity is not configured.
Please follow the steps in "Assign an Azure AD identity to your server and add Directory Reader permission to your identity"

https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-service-principal?view... (33134) (SQLExecDirectW)'

Note:
The Service Principal has admin rights on the workspace.
We can execute the same commands as a standard user that is an admin on the workspace.

We have tried the following which hasn't resolved the issue:
- Removing the Service Principal from the workspace and re-adding the SP - no difference
- Testing in clean environment just to be sure & it fails with the same error

We suspect something is changed for sql endpoint accessed via service principal, probably missing roles as per the error message above.

tayloramy · ‎10-29-2025

Hi @sarav_s,

I have bad news, this is the expected behaviour right now. Using service principals for DCL operations is not currently supported. See https://learn.microsoft.com/en-us/fabric/data-warehouse/service-principals#limitations

You will need to use a user account and not a sesrvice principal for this.

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.

View solution in original post

v-venuppu · ‎11-03-2025

Hi @sarav_s ,

May I ask if you have resolved this issue? Please let us know if you have any further issues, we are happy to help.

Thank you.

v-venuppu · ‎10-31-2025

Hi @sarav_s ,

Thank you for reaching out to Microsoft Fabric Community.

Thank you @tayloramy for the prompt response.

I wanted to check if you had the opportunity to review the information provided and resolve the issue..?Please let us know if you need any further assistance.We are happy to help.

Thank you.

tayloramy · ‎10-29-2025

Hi @sarav_s,

I have bad news, this is the expected behaviour right now. Using service principals for DCL operations is not currently supported. See https://learn.microsoft.com/en-us/fabric/data-warehouse/service-principals#limitations

You will need to use a user account and not a sesrvice principal for this.

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.

sarav_s · ‎11-04-2025

Hmm I am just confused as it did work until 28th of October . Thank you for the support though .

Fabric sql endpoint - Entra groups resolution

Helpful resources

Fabric Monthly Update - November 2025

FabCon Atlanta 2026

FabCon is coming to Atlanta

Fabric sql endpoint - Entra groups resolution

Helpful resources

Fabric Monthly Update - November 2025

FabCon Atlanta 2026