Sukiazure007
Regular Visitor

Microsoft Fabric API Authentication & Deployment Issue | Azure DevOps Pipeline

Dear All,

We have configured Microsoft Fabric in our environment, with dedicated workspaces for Dev, UAT, and PROD. Instead of using Deployment Pipelines, we have integrated our workspaces with an Azure DevOps Git repository branch for version control.

Current Implementation

We are using the Fabric API to trigger deployments: 🔗 API Endpoint: https://api.fabric.microsoft.com/v1/workspaces/$WorkspaceId/git/updateFromGit

Initially, we used a service account for deployments. While testing via Postman, we were able to retrieve all workspace IDs, but the deployment API returned the following error:

{ "requestId": "3ef3a862-7c11-4e41-be58-9cb29dd82483", "errorCode": "InsufficientScopes", "message": "The caller does not have sufficient scopes to perform this operation" }

 

Actions Taken

  • Followed Microsoft documentation to create an Application ID and Client Secret.
  • Granted the following permissions to the App:
    • Workspace.ReadWrite.All
    • Workspace.GitUpdate
  • Added the App ID as a Workspace Admin.

Issue with API Token Authentication

When running the following PowerShell script in our Azure DevOps pipeline to generate an access token, we faced an authentication issue while retrieving workspace IDs or deploying contents:

Pipeline Script for Token Generation

$TenantId = "$(TENANT_ID)"
$ClientId = "$(CLIENT_ID)"
$ClientSecret = "$(CLIENT_SECRET)"
$TokenUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

$Body = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://api.fabric.microsoft.com/.default"
    grant_type    = "client_credentials"
}

try {
    $Response = Invoke-RestMethod -Uri $TokenUrl -Method Post -Body $Body -ContentType "application/x-www-form-urlencoded"
    $AccessToken = $Response.access_token
    if (-not $AccessToken) {
        Write-Host "##[error]Failed to fetch Access Token!"
        exit 1
    }
    Write-Host "Access Token (First 10 chars): $($AccessToken.Substring(0,10))..."
    Write-Host "##vso[task.setvariable variable=FabricAccessToken;isSecret=true]$AccessToken"
} catch {
    Write-Host "##[error]Failed to retrieve access token: $_"
    exit 1
}

Error Message Returned --> { "requestId": "29bcee65-1313-4103-bcb6-56d7e572ec27", "errorCode": "Unauthorized", "message": "The caller is not authenticated to access this resource" }

1 ACCEPTED SOLUTION

Hi @Sukiazure007 ,

Thank you for the update. 

1. To prevent manual token generation, utilize certificate-based authentication or Managed Identity rather than a service account.

Please ensure the application is correctly registered in Microsoft Entra ID.

Please assign Workspace.ReadWrite.All and Workspace.GitUpdate permissions.

Reference: Apps & service principals in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn

 

2. After deploying from Git, the connections still point to the DEV environment instead of updating dynamically.

Grant the Connections.ReadWrite.All permission to the registered application.

After deploying from Git, use the Connections API to update connection settings dynamically.

If permission issues persist, verify the role assignments in the Fabric Admin Portal under Manage Workspaces.

 

I hope this helps streamline token generation and automate connection updates after deployment.



9 REPLIES
Sukiazure007
Regular Visitor

Dear Team,

Apologies for the delayed response. Currently, I am using the service account for the updateFromGit process, and while the deployment itself is successful, we are facing two key challenges:

  1. Access Token Issue – The pipeline requires a manually generated access token each time. Despite MFA being disabled, it seems interactive login is not supported, causing an automation bottleneck.
  2. Connection Configuration Post-Deployment – After deployment from Git, all connections are still pointing to the DEV environment. We plan to use the Connections API to update them dynamically, but we are facing permission restrictions. Adding Connections.ReadWrite.All should help resolve this?

Could you please advise on potential solutions for both issues? Your support would be greatly appreciated.


Thanks. #02 - Will test with the permission Connections.ReadWrite.All and update here in a couple of days. #01 --> Git - Update From Git - REST API (Core) | Microsoft Learn --> As per the article, service principals are not supported for this API; will I still be able to automate this process in the pipeline?

Hi @Sukiazure007 ,

 

1. To avoid manual token generation, please use certificate-based authentication or Managed Identity instead of a service account.

Ensure that the application is properly registered in Microsoft Entra ID.

Reference: Apps & service principals in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn

Please assign Workspace.ReadWrite.All and Workspace.GitUpdate permissions.

2. Upon deployment from Git, the connections still point to the DEV environment instead of updating dynamically.

Please grant the Connections.ReadWrite.All permission to the registered application.

After deploying from Git, use the Connections API to update connection settings dynamically.

If permission issues persist, verify the role assignments in the Fabric Admin Portal under Manage Workspaces.

 

I hope this helps streamline token generation and automate connection updates after deployment.

 

V-yubandi-msft
Community Support

Hi @Sukiazure007 ,

Has your issue been resolved, or do you require any further information? Your feedback is valuable to us. If the solution was effective, please mark it as 'Accepted Solution' to assist other community members experiencing the same issue.

Thank You.

yaronprigal
Microsoft Employee

Hi @Sukiazure007

Also notice the updateFromGit API is currently supporting only user authentication and not SPN as mentioned in the doc: https://learn.microsoft.com/en-us/rest/api/fabric/core/git/update-from-git?tabs=HTTP.

 

 

V-yubandi-msft
Community Support

Hello @Sukiazure007 ,

 

Thank you for reaching out.

To troubleshoot the authentication issue, please verify the access token after generating it. You can decode the token using jwt.ms to inspect its contents. Specifically, check the aud (audience) claim to ensure it matches.

This follows Microsoft's best practices for validating tokens, as outlined in the official documentation: Access tokens in the Microsoft identity platform - Microsoft identity platform | Microsoft Learn.

 

 

Web APIs must validate access tokens sent to them by a client. They must only accept tokens containing one of their AppId URIs as the aud claim.

Web apps must validate ID tokens sent to them by using the user's browser in the hybrid flow, before allowing access to a user's data or establishing a session.

 

 

Additionally, ensure the correct scopes are included in the token request for successful authentication.


I hope this helps.

 

Best regards,
Yugandhar.
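
Added example, not part of the original thread: a PowerShell helper that performs the check described in the reply above locally, decoding the token payload and reporting the aud claim and whether the token carries delegated scopes (scp) or application roles (roles), without pasting the token into a web page. The expected audience is an assumption taken from the scope in the pipeline script; the function names and the sample token are constructed for illustration.

```powershell
# Added example: decode an access token's payload locally and summarize the
# claims that matter for this thread. It does NOT verify the signature.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenClaimSummary {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        # Assumption: audience derived from the scope used in the pipeline script.
        [string]$ExpectedAudience = 'https://api.fabric.microsoft.com'
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 dot-separated parts).' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # aud can be a string or an array; ignore a trailing slash when comparing.
    $aud    = @($claims.aud | ForEach-Object { "$_".TrimEnd('/') })
    # Heuristic: delegated (user) tokens carry 'scp'; app-only tokens carry 'roles' or neither.
    $scopes = @(if ($claims.scp) { $claims.scp -split ' ' })
    $roles  = @($claims.roles | Where-Object { $_ })
    $kind   = if ($scopes.Count -gt 0) { 'delegated (user)' } else { 'app-only (service principal)' }

    [pscustomobject]@{
        Audience      = $aud -join ','
        AudienceMatch = $aud -contains $ExpectedAudience.TrimEnd('/')
        TokenKind     = $kind
        Scopes        = $scopes
        Roles         = $roles
        ExpiresUtc    = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed, unsigned sample token with made-up claim values (not a real token).
function New-SampleToken {
    param([hashtable]$Claims)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(($Claims | ConvertTo-Json -Compress)))
    'e30.{0}.sig' -f $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

$sample = New-SampleToken @{ aud = 'https://api.fabric.microsoft.com'; exp = 1767225600 }
Get-TokenClaimSummary -AccessToken $sample
```

In the pipeline, calling `Get-TokenClaimSummary -AccessToken $AccessToken` right after the token request shows which kind of token was issued. A token from the client_credentials grant has no scp claim and reports as app-only, which is the service principal case the replies in this thread say updateFromGit does not support.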

lbendlin
Super User

Direct permissions or delegated? Have you checked the token scope at jwt.io?

Now trying delegated permission as direct is not supported for this API updatefromgit.
