Fabric REST API Service Principal Alternative solutions

Question

I currently have a React application that makes calls on behalf of the user to the Fabric API Job Scheduler - Run On Demand Item Job via the MSAL library. The endpoint is being used to trigger a pipeline which in turn runs a series of notebooks. This works perfectly when signing in as myself because I'm also the admin of the Fabric workspace. The challenge is that for other users (about 50), they all receive a 403 error due to not having access to the Fabric resource. I don't believe I'm able to simply give users access to the pipeline and it's really not feasible to add all those users to the workspace.

Seeing as the Fabric API doesn't yet support Service Principal auth (which would 100% resolve this issue), are there any other ways I could get around this? Perhaps via Logic Apps or similar middle-tier service? Thanks

Answer 1

Note that: For Job Scheduler API, Service principal authentication isn't supported. Refer this MsDoc

Hence as a workaround, create a service account in Microsoft Entra ID with MFA disabled and give this service account the permissions required to access the workspace.

And make use of below code to access Power BI API:

def get_rest_api_token():
app_id=app_client_id
scopes=["[https://analysis.windows.net/powerbi/api/.default"]]  
authority=f"`[https://login.microsoftonline.com/{tenant_id}"] 
app = msal.ConfidentialClientApplication(client_id=app_id, authority=authority, client_credential=app_client_secret) 
result = app.acquire_token_by_username_password(username, password, scopes=scopes)
return(result)

This might work as an alternative to Service principal.

Otherwise, check the below:

• Create a Microsoft Entra ID application and enable Allow public client flows.
• Assign API permissions like delegated Workspace.Read.All.
• Generate refresh token, refer this blog.

Reference:

GitHub - ArchwayTrust/Fabric-GITAuth: Some helper code for authenticating against Fabric APIs for GIT pipelines. by Ben