Authenticating to Fabric via Microsoft365DSC
We recently added support for Fabric settings in Microsoft365DSC via the FabricAdminTenantSettings resource. This resource uses the Fabric API (api.fabric.microsoft.com), which was never used as part of the solution before the introduction of this resource.

Important: this API is currently read-only and only allows you to read settings, for snapshot/export or monitoring purposes. It cannot be used to change settings at the moment; this is a Fabric API restriction and not a "direct" limitation of M365DSC.

There are some things that need to be configured on your tenant before the API will allow a service principal to authenticate properly. We will cover these steps as part of this article. For the purpose of this post, we will assume that you create a brand new application registration and want to use it to authenticate, using a certificate thumbprint. For additional details on how to create such an app registration, please refer to the Getting Started with Microsoft365DSC article. In my case, I created a new app registration named FabricTest and uploaded a certificate for it.
Step 1 - Create a Security Group for the Service Principal
The first thing we need to do is create a brand new security group in Entra ID and add our service principal as a member. This group will be used to specify which principals will have access to our Fabric APIs. In my case, I created a new security group named Fabric API Access and added my FabricTest service principal as a member of it.
Step 2 - Grant Entra ID Roles to your Service Principal
In order to be allowed to authenticate to the Fabric API, your service principal will need to be granted an appropriate Entra ID role. We recommend granting it the Fabric Administrator role, but it will also work with the Global Reader role.
Step 3 - Allow Service Principals to Access Read-Only APIs
Navigate to the Fabric admin portal Tenant settings page (https://app.fabric.microsoft.com/admin-portal/tenantSettings). Once on the page, scroll down to the Admin API settings section, and expand the Service principals can access read-only admin APIs option. Make sure the toggle is set to Enabled and, in the "Specific security groups" box, enter the name of your security group, in my case "Fabric API Access". Click Apply.
Conclusion
After performing the above steps, you will be able to execute a new Snapshot/Export of your tenant's configuration or perform monitoring for any configuration drift. There are currently no known plans to update the APIs to allow for the full CRUD set of operations (create & update).
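
One way to confirm Steps 1 and 2 before running an export, as an added example that is not part of the original article or the Microsoft365DSC project. It assumes the Microsoft Graph PowerShell SDK and Microsoft365DSC modules are installed; the tenant name, thumbprint and output path are placeholders.

```powershell
# Added example. Names come from the article; tenant, thumbprint and path are placeholders.
$AppName      = 'FabricTest'
$GroupName    = 'Fabric API Access'
$AllowedRoles = 'Fabric Administrator', 'Global Reader'
$TenantId     = '<your-tenant>.onmicrosoft.com'
$Thumbprint   = '<certificate-thumbprint>'

# Assumption: the signed-in admin can consent to these read-only Graph scopes.
Connect-MgGraph -Scopes 'Application.Read.All', 'GroupMember.Read.All', 'RoleManagement.Read.Directory'

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($sp.Count -ne 1) { throw "Expected one service principal named '$AppName', found $($sp.Count)." }
$sp = $sp[0]

# Step 1: the service principal must be a member of the security group.
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) { throw "Expected one group named '$GroupName', found $($group.Count)." }
$memberIds = @(Get-MgGroupMember -GroupId $group[0].Id -All | ForEach-Object Id)
$inGroup   = $memberIds -contains $sp.Id

# Step 2: the service principal must hold one of the roles named in the article.
# Only direct role assignments are checked here, not roles inherited through a group.
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All)
$heldRoles = @(foreach ($a in $assignments) {
    (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
})
$matchingRoles = @($heldRoles | Where-Object { $_ -in $AllowedRoles })

[pscustomobject]@{
    ServicePrincipal = $sp.DisplayName
    InSecurityGroup  = $inGroup
    MatchingRoles    = $matchingRoles -join ', '
    AllDirectRoles   = $heldRoles -join ', '   # review for roles beyond what the export needs
}

if (-not $inGroup -or $matchingRoles.Count -eq 0) {
    throw 'Prerequisites from Step 1 or Step 2 are not met; fix them before exporting.'
}

# Step 3 is set in the Fabric admin portal and is not checked above. If both checks
# pass and the export still fails to authenticate, revisit that toggle and its group.
Export-M365DSCConfiguration -Components @('FabricAdminTenantSettings') `
    -ApplicationId $sp.AppId -TenantId $TenantId -CertificateThumbprint $Thumbprint `
    -Path 'C:\M365DSC\Fabric'
```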