Solved: Re: Getting unauthorized issue while executing Not...

Anonymous · ‎04-13-2025

Hi,

I have an Azure function , where I would consume Post method to connect and execute Notebook on demand

URI- https://api.fabric.microsoft.com/v1/workspaces/xxxx/items/yyy/jobs/instances?jobType=RunNotebook

. Here am using SPN+MI federated credentials to authenticate. this implementation worked seamleassly in PREPROD with PREPROD azure SPN and MI.

But gettting Unauthorized issue when am using PROD SPN+MI.

Below is the error message

Http.HttpConnectionResponseContent, Headers:
{
x-ms-public-api-error-code: Unauthorized
request-redirected: true
home-cluster-uri: https://df-msit-scus-redirect.analysis.windows.net/
RequestId: 0219d53d-ef90-42e7-9553-d1bf990b1750
Date: Mon, 14 Apr 2025 02:07:44 GMT
Content-Length: 147
Content-Type: application/json; charset=utf-8
}

Could you please share insights if somehing is missed here?

Thanks,

SARIKA

Anonymous · ‎04-16-2025

Closing this thread, as the issue is solved. There was a Security Group configured to allow Service principals and after adding the API call is successfull. Thankyou !

View solution in original post

v-sathmakuri · ‎04-17-2025

Hi @Anonymous ,

Thanks for the update! Glad to hear the issue is resolved. Please consider accepting it as the solution on your end so it’ll help others who come across the same issue.
Thank you for using Microsoft Community Forum.

Thank you!!

Anonymous · ‎04-16-2025

Closing this thread, as the issue is solved. There was a Security Group configured to allow Service principals and after adding the API call is successfull. Thankyou !

Anonymous · ‎04-13-2025

I have given Workspace Admin permission to the PROD SPN and in Azure App registratiion I have below permissions

v-sathmakuri · ‎04-14-2025

Hi @Anonymous ,

Thank you for reaching out to Microsoft Fabric Community.

To enable SPN MI to access Microsoft Fabric APIs, follow these steps. First, go to the Microsoft Fabric Admin Portal, and under Tenant Settings, navigate to Developer Settings, add the PROD SPN App ID to both the “Allow service principals to use APIs” setting and if necessary, “Allow service principals to create and use service principals”.

Ensure your Azure App Registration for the SPN has the required API permissions. Specifically, add and grant admin consent for the following:
Fabric.Read.All, Fabric.Execute.All, and Fabric.Workspaces.ReadWrite.All. You can manage these permissions within the Azure Portal under App Registrations, Your App, API permissions.

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Thanks & Regards,

Rekha,

CustomerSupportTeam.

Anonymous · ‎04-14-2025

Hi @v-sathmakuri ,

I dont see, Tenant settings in Microsoft Admin portal . below is the screenshot. Could you let me know if I had to raise acces anywhere else for this options? Also, FYI I had given every permission under App Registration ->SPN-> API permissions.Below is the screenshot

Note: This feature is working as expected in UAT environment.Only the problem is with PROD SPN/MI. Also UAT and PROD workspace are in same tenant.

v-sathmakuri · ‎04-14-2025

Hi @Anonymous ,

You need Fabric Admin access in order to modify tenant settings.

Ask your Microsoft 365 Global Administrator (or someone managing your tenant) to navigate to fabrics admin portal.
Under Tenant settings, Admins, they must add your user account as a Fabric Admin.
Once added, sign out and sign in again, and you should now see Tenant Settings, including Developer Settings.

Please refer to the below documentation to enable service principal authentication.

https://learn.microsoft.com/en-us/fabric/admin/enable-service-principal-admin-apis

Additionally, ensure that the process is consistent across UAT and PROD, as UAT is working fine.

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Thank You!!

Vinodh247 · ‎04-13-2025

Unauthorizedindicates an issue with permissions or authentication scope when invoking the Microsoft Fabric API from your azure function. The most common cause is either missing Fabric workspace permissions for your prod SPN or incorrect scope configuration in production's AAD app registration. Can you verify these configurations first and retry?

Please 'Kudos' and 'Accept as Solution' if this answered your query.

Regards,
Vinodh
Microsoft MVP [Fabric]
LI: https://www.linkedin.com/in/vinodh-kumar-173582132
Blog: vinsdata.in