I am working as a POC where I have to connect to Fabric Rest API from c# and I want to create Items. I am able to create items as per the instructions provided on https://learn.microsoft.com/en-us/rest/api/fabric/articles/get-started/fabric-api-quickstart. The challenge I am facing is with token creation. As per the instructions provided on this page, I am getting a login page and after successful authentication, the token is generated. I am going to use the token creation call inside api but I don't have a provision to authenticate. I need some guidance on how to generate the token using client secret if possible. I am currently using the code below:
using Microsoft.Identity.Client;
#region parameters section
string ClientId = "clientID";
string Authority = "https://login.microsoftonline.com/organizations";
string RedirectURI = "http://localhost";
#endregion
#region Acquire a token for Fabric APIs
// In this sample we acquire a token for Fabric service with the scopes
// Workspace.ReadWrite.All and Item.ReadWrite.All
string[] scopes = new string[] { "https://api.fabric.microsoft.com/Workspace.ReadWrite.All https://api.fabric.microsoft.com/Item.ReadWrite.All" };
PublicClientApplicationBuilder PublicClientAppBuilder =
PublicClientApplicationBuilder.Create(ClientId)
.WithAuthority(Authority)
.WithRedirectUri(RedirectURI);
IPublicClientApplication PublicClientApplication = PublicClientAppBuilder.Build();
AuthenticationResult result = await PublicClientApplication.AcquireTokenInteractive(scopes)
.ExecuteAsync()
.ConfigureAwait(false);
Console.WriteLine(result.AccessToken);
#endregion
I have created a new app registration in Azure active directory and added api permission for Power Bi and azure storage. I also provided the admin consent to the newly added permission. I created a client secret and tried to create a token in postman. The token is created but when using this token, its gives me a bad request. When using the token generated from the c# code, its working fine.
Initially, I registered one Entra ID application and created one client secret in it:
You need to add above service principal to Fabric workspaces giving at least Contributor role like this:
Before generating tokens, make sure to allow access to service principals to use Fabric APIs by enabling below option in Admin Portal:
Now, you can generate access token using client credentials flow via Postman with below parameters:
POST https://login.microsoftonline.com/tenantId/oauth2/v2.0/token
grant_type:client_credentials
client_id:appId
client_secret:secret
scope: https://api.fabric.microsoft.com/.default
Response:
When I used this token to list workspaces by calling Fabric API, I got the response successfully like this:
GET https://api.fabric.microsoft.com/v1/workspaces/
Response:
To get the same response in c# by generating token with client credentials flow, you can make use of below sample code:
#region
using Microsoft.Identity.Client;
using System.Net.Http.Headers;
string ClientId = "appId";
string ClientSecret = "secret";
string Authority = "https://login.microsoftonline.com/tenantId";
#endregion
#region
string[] scopes = new string[] { "https://api.fabric.microsoft.com/.default" };
ConfidentialClientApplicationBuilder confidentialClientAppBuilder =
ConfidentialClientApplicationBuilder.Create(ClientId)
.WithClientSecret(ClientSecret)
.WithAuthority(Authority);
IConfidentialClientApplication confidentialClientApplication = confidentialClientAppBuilder.Build();
AuthenticationResult result = await confidentialClientApplication.AcquireTokenForClient(scopes)
.ExecuteAsync()
.ConfigureAwait(false);
Console.WriteLine(result.AccessToken);
Console.WriteLine();
#endregion
// Create client
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
string baseUrl = "https://api.fabric.microsoft.com/v1/";
client.BaseAddress = new Uri(baseUrl);
// Call list workspaces API
HttpResponseMessage response = await client.GetAsync("workspaces");
string responseBody = await response.Content.ReadAsStringAsync();
Console.WriteLine(responseBody);
Response:
UPDATE:
When I tried to get the item from workspace where service principal does not have at least Contributor
access, I too got same error:
GET https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/{itemId}
Response:
To resolve the error, make sure to grant at least Contributor
access to the service principal under the workspace in which you are getting error:
When I ran the call after granting access, I'm able to fetch the item successfully by invoking this API:
GET https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/{itemId}
Response:
But for some other operations like creating items in workspace, etc... service principal authentication (client credentials flow) is not supported.
When I tried to create item under workspace with service principal token, I got error saying "The operation is not supported for the principal type" like this:
POST https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/
{
"displayName": "Item 1",
"type": "Lakehouse"
}
Response:
Reference: Microsoft Fabric REST APIs | Microsoft