piotr_szczerba
Frequent Visitor

How to remove workspace using Service Principal via Azure Pipeline

Hello,

currently we have a terragrunt setup (with Fabric API Shell scripts) for Fabric deployments.

I'm trying to automate it using Azure Pipelines, and so far it was looking promising: I was able to modify and create workspaces and all related resources inside them. However, when I try to remove the workspace (and its role assignments) I'm receiving an error:


"errorCode":"InsufficientPrivileges","message":"The caller does not have sufficient permissions to access the requested resource","relatedResource":{"resourceId":"xxxxxxxxxx-xxxx-xxxx-xxxxxx-xxxxxxxx" (blurred),"resourceType":"Workspace"}}

My Service Principal has the highest Tenant.WriteReadAll permissions with type "Application". All Admin Portal settings are set correctly too for that SPN. After workspace creation, the service principal is granted the Admin role on the workspace.

This issue doesn't appear when I use terragrunt destroy locally using the Fabric Administrator role.
Exactly what permissions for my SPN am I missing?
When I look at the App Registration API Permissions there are some for the Workspaces scope, but they are all of the 'Delegated' type, which I'm not really interested in.

1 ACCEPTED SOLUTION

Hi @piotr_szczerba,

Thank you for your patience, and I apologize for the delayed response!

Based on your findings, the issue appears to be primarily related to the execution order of Terraform rather than API permissions. Since an Admin role cannot be removed if it is the only one remaining, your automation should first delete the workspace while the SPN still has Admin access. Once the workspace is deleted, role assignments are automatically removed, thereby avoiding the API restriction.

Regarding API permissions, you are correct that the "Workspace.ReadWrite.All" permission required for role removal is Delegated, meaning it requires a signed-in user rather than an SPN using Application permissions. Unfortunately, Azure Entra does not provide this permission in Application mode, so your SPN cannot directly remove role assignments via the API. However, this should not impact the deletion of the workspace itself if the execution order is correctly followed.

  • The error is likely caused by Terraform trying to remove the Admin role before deleting the workspace, rather than an issue with API permissions.
  • Adjust the Terraform execution order to ensure the workspace is deleted first while the SPN retains Admin access.
  • Since SPNs cannot utilize Delegated permissions, role removal through the API is not feasible for your setup. However, deleting the workspace should automatically address the role assignments.

If you find this post helpful, kindly accept it as a solution to assist other community members who might be facing a similar issue.
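The ordering the accepted solution describes, as an added example that is not from this thread or from the Fabric Terraform provider: a small Python planner that rejects a Terraform-style destroy plan which would drop the SPN's own last Admin assignment before the workspace delete, and rewrites it into a single DELETE on the workspace. The sample role assignments, the workspace id, and the op tuple format are constructed assumptions; the endpoint paths are the public Fabric REST API workspace and role-assignment routes.

```python
FABRIC_API = "https://api.fabric.microsoft.com/v1"  # Fabric REST API base URL

# Constructed sample: the automation SPN is the only Admin, one user is a Member.
SAMPLE_WS = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_ASSIGNMENTS = [
    {"id": "ra-1", "role": "Admin", "principal": {"id": "spn-0001", "type": "ServicePrincipal"}},
    {"id": "ra-2", "role": "Member", "principal": {"id": "user-0002", "type": "User"}},
]
# Terraform's default destroy order: dependents (role assignments) first, workspace last.
TERRAFORM_ORDER = [("role_assignment", SAMPLE_WS, "ra-2"),
                   ("role_assignment", SAMPLE_WS, "ra-1"),
                   ("workspace", SAMPLE_WS)]

def admin_ids(role_assignments):
    """Principal ids holding Admin, from the 'value' array of
    GET /workspaces/{id}/roleAssignments (items carry id, role, principal{id, type})."""
    return {ra["principal"]["id"] for ra in role_assignments if ra["role"] == "Admin"}

def plan_problem(ops, role_assignments, caller_id):
    """Return None if the destroy plan is safe, else why it fails: it must not remove the
    caller's last Admin assignment before the workspace delete (the thread's error case).
    ops: ('workspace', ws_id) or ('role_assignment', ws_id, ra_id), all for one workspace."""
    admins = admin_ids(role_assignments)
    if caller_id not in admins:
        return "caller is not Admin on the workspace; DELETE /workspaces/{id} would fail"
    principal_of = {ra["id"]: ra["principal"]["id"] for ra in role_assignments}
    for op in ops:
        if op[0] == "workspace":
            return None  # workspace goes first, so later assignment deletes are moot
        if principal_of[op[2]] == caller_id and len(admins) == 1:
            return "plan removes the last Admin (the caller) before deleting the workspace"
    return None

def reorder_destroy(ops):
    """Put the workspace delete first and drop role-assignment deletes for that workspace:
    they would need the Delegated-only Workspace.ReadWrite.All scope, and deleting the
    workspace removes its assignments anyway."""
    doomed = {op[1] for op in ops if op[0] == "workspace"}
    kept = [op for op in ops if not (op[0] == "role_assignment" and op[1] in doomed)]
    return sorted(kept, key=lambda op: 0 if op[0] == "workspace" else 1)

def to_requests(ops):
    """Map ops, in order, to (method, url) calls against the Fabric REST API."""
    return [("DELETE", f"{FABRIC_API}/workspaces/{op[1]}") if op[0] == "workspace"
            else ("DELETE", f"{FABRIC_API}/workspaces/{op[1]}/roleAssignments/{op[2]}")
            for op in ops]
```

Running plan_problem over the unmodified Terraform order reports the last-Admin problem, while the reordered plan passes and reduces to one workspace DELETE that the SPN can make with its Application permission.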

8 REPLIES 8
salman_crs
Frequent Visitor

Hi @piotr_szczerba

Can you please tell me which APIs you are using for modification and creation of the workspace and its files? Are you using token-based authentication or any SDKs or cmdlets?
Thanks,

Salman

v-saisrao-msft
Community Support

Hi @piotr_szczerba,

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will help other community members who have similar problems solve them faster.
Thank you.

v-saisrao-msft
Community Support

Hi @piotr_szczerba,


I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.


Thank you.

v-saisrao-msft
Community Support

Hi @piotr_szczerba,

Thank you for reaching out to the Microsoft Forum Community.


Based on the error message, it appears to be an issue with insufficient privileges. Please follow these troubleshooting steps, which may help resolve the problem:

  • Although you have given "Tenant.WriteReadAll", it may not directly provide the granular permissions required for specific Fabric API actions. Tenant-level permissions typically apply to Azure AD objects, rather than individual resources within services like Fabric.
  • Verify the service principal has a direct Admin role on the workspace.
  • Ensure there are no Azure Policies that restrict the deletion of workspaces by Service Principals. Such policies could override permissions.
  • Confirming that the Azure Pipeline correctly authenticates using the Service Principal credentials is also significant. Any misconfiguration in authentication could lead to permission-related errors during operations like deletion.

If this post helps, then please give us Kudos and consider accepting it as a solution to help other members find it more quickly.

Thank you.

Hi @v-saisrao-msft

I am unable to work with the update API, specifically the Update from Git API, since it is not compatible with Service Principals. Can you please provide me with 2 APIs which I can use for (1) creation of a workspace and (2) updating files in a workspace?

Hi @v-saisrao-msft

Thank you for the reply.
I just found that it's not really an issue with workspace deletion itself but with removal of the last Role Assignment (the Admin role of the SPN).
Terraform first creates the Workspace, then assigns Roles, including the Admin role for the SPN.
When I try to remove the workspace, terraform tries to remove the role assignments first, and I think this leads to the issue.
According to this documentation:
Workspaces - Delete Workspace Role Assignment - REST API (Core) | Microsoft Learn
In order to remove a workspace role assignment I need:
1. Admin role on a workspace
2. Delegated Scope "Workspace.ReadWrite.All"
3. The Admin role cannot be removed when it's the only admin role left there.
My question is:
I assume that my terraform automation has to remove the workspace first (while it still has access to it) instead of removing the last Admin Role (the SPN role used for automation) before workspace removal, and that's why I receive that error with a slightly misleading error description?

Or is this error description more likely related to the type of API Permission which I use? It's documented that this API Request requires the Delegated Scope "Workspace.ReadWrite.All". I currently have Tenant Write.Read.All Application Type permissions on the Power BI scope, and it's the only possible API Permissions role available in Azure Entra with Application Type Permission.

Hi @piotr_szczerba,

We haven’t heard back from you regarding your issue. If it has been resolved, please mark the helpful response as the solution and give a ‘Kudos’ to assist others. If you still need support, let us know.

Thank you.
