With Fabric taking an increasingly prominent role in working with data and organising your data platform, the need for programmatic access and automation is also increasing. Many of the tasks you can do through the portal now need to be done through scripting or from custom applications.

The source for this is clearly the Fabric REST API documentation on Microsoft Learn: "Microsoft Fabric REST APIs for automation and embedded analytics".

However, it can be overwhelming to start using it from scratch.

For this introduction, I’ll use PowerShell and pick a couple of examples that can be run using an app registration as security principal. This avoids having to use a personal account while running some of these calls.

Simplified, you need two steps to call the API:

  • Authenticate and retrieve a token
  • Call the API, passing:
    • the token in the headers
    • potential parameters
    • a body in the call with additional configuration options

All the rest is preparation and gathering of required identifiers.

Preparation

You will have to collect the following values up front:

  • tenantId : You can find this most easily in the Azure Portal, under Entra ID, Overview, Basic Information (see "How to find your tenant ID" on Microsoft Learn).
  • workspaceId : This is part of the URL displayed when you open the Fabric workspace you are using for this example.
    https://app.powerbi.com/groups/5b617a79-3361-4689-9189-995bcc2c2d19/list
  • servicePrincipalId : You can find this when opening the App Registration in Azure portal, under overview, essentials, Application (client) ID
  • servicePrincipalSecret : The value of the secret you added in the App Registration. Not the Secret ID, but the value that is only visible when you create the secret. You can add a new secret (if you’re the owner of the app registration) and copy that value.
    This should preferably not be in plaintext in your PowerShell script file, but retrieved from Key Vault. For clarity, I’ll leave it plain in this example.

There are a couple of static values which I’ll also list here. These will all become variables in the PowerShell script.

  • resourceURL : https://api.fabric.microsoft.com
  • apiURL : https://api.fabric.microsoft.com/v1/
  • contentType : application/json

Let’s summarize this as the first part of our PowerShell script:

$tenantId = "1b16ab3e-b8f6-4fe3-9f3e-2db7fe549f6a"
$servicePrincipalId = "385c13cd-fd1b-4aa8-be42-0b413ce15aa8"
$servicePrincipalSecret = "abt8Q~jF4yJb9vzexxxxxxrCqMb5tz5Va53"
$workspaceId = "5b617a79-3361-4689-9189-995bcc2c2d19"
$resourceURL = "https://api.fabric.microsoft.com"
$apiURL = "https://api.fabric.microsoft.com/v1/"
$contentType = "application/json"

Authentication

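Now that we have gathered everything, the first step is to authenticate:

# Wrap the client secret in a SecureString and build the service principal credential
$secureStringPwd = ConvertTo-SecureString $servicePrincipalSecret -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $servicePrincipalId, $secureStringPwd
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId
Set-AzContext -Tenant $tenantId
$azContext = Get-AzContext
$authToken = (Get-AzAccessToken -ResourceUrl $resourceURL).Token
# Recent Az.Accounts releases return the token as a SecureString; convert it so the header below is valid
if ($authToken -is [System.Security.SecureString]) {
    $authToken = [System.Net.NetworkCredential]::new('', $authToken).Password
}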

The above connects to Azure with the credential of the service principal and retrieves the AzContext. It then extracts the token and stores it in the variable $authToken, which we’ll use in the next step.
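The Key Vault retrieval recommended in the preparation step could look like the following. This is an added example, not part of the original script; the vault name, secret name and the use of a managed identity on the host are assumptions.

```powershell
# Added example. Values in angle brackets are placeholders, not values from the article.
$tenantId           = "<tenant-id>"
$servicePrincipalId = "<application-client-id>"
$resourceURL        = "https://api.fabric.microsoft.com"
$vaultName          = "<key-vault-name>"   # assumption: vault that stores the client secret
$secretName         = "<secret-name>"      # assumption: name of the secret in that vault

# Assumption: the host running the script has a managed identity that is
# allowed to read secrets from the vault.
# -Scope Process limits the sign-in context to this process instead of
# saving it for the user's other sessions.
Connect-AzAccount -Identity -Scope Process -ErrorAction Stop | Out-Null

# SecretValue is already a SecureString, so the secret never appears as
# plain text in the script or in a variable.
$secret     = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -ErrorAction Stop
$credential = [System.Management.Automation.PSCredential]::new($servicePrincipalId, $secret.SecretValue)

# Sign in again, this time as the service principal.
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId `
    -Scope Process -ErrorAction Stop | Out-Null

$authToken = (Get-AzAccessToken -ResourceUrl $resourceURL).Token

# Recent Az.Accounts releases return a SecureString token. Convert it only
# where the header is built.
if ($authToken -is [System.Security.SecureString]) {
    $authToken = [System.Net.NetworkCredential]::new('', $authToken).Password
}

$fabricHeaders = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer $authToken"
}
```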

Call the API

The next few lines prepare for the

# $apiURL already ends with a slash, so append the path without adding another one
$itemInfoURL = "${apiURL}workspaces/$workspaceId/items"
$fabricHeaders = @{
    'Content-Type'  = $contentType
    'Authorization' = "Bearer {0}" -f $authToken
}

$response = Invoke-RestMethod -Headers $fabricHeaders -Method GET -Uri $itemInfoURL

After calling this, you’ll receive a status 200 OK and the body will contain the results of the API call.

{
    "value": [
        {
            "id": "8reg889-8891-4dbd-494a-0efeeaf3c4e3",
            "type": "SemanticModel",
            "displayName": "Gold WareHouse",
            "description": "",
            "workspaceId": "5b617a79-3361-4689-9189-995bcc2c2d19"
        },
        {
            "id": "8c84219d-d4f8-45b5-b2ee-235e26448f49",
            "type": "SQLEndpoint",
            "displayName": "Bronze LakeHouse",
            "description": "",
            "workspaceId": "5b617a79-3361-4689-9189-995bcc2c2d19"
        },
        {
            "id": "4efg889-b4f5-4030-494a-7773bfd1b306",
            "type": "Warehouse",
            "displayName": "Gold WareHouse",
            "description": "",
            "workspaceId": "5b617a79-3361-4689-9189-995bcc2c2d19"
        },
...

You can now use these results to automate further tasks around Fabric.

What could go wrong

  • Make sure the service principal is covered by the “Service Principals can use Fabric APIs” setting in the Power BI tenant settings. It should be included either directly or through an Entra ID group that has access.
  • Make sure the service principal has at least Contributor access to the Fabric workspace.
  • Make sure the secret of the service principal has not expired. This can be checked in the Azure portal, under App registrations, secrets.
  • Make sure the service principal has the required permissions as specified by the API. This can include permissions like Workspace.ReadWrite.All, Item.ReadWrite.All, which can be added to the app registration under API permissions, Add a permission, Power BI Service, Delegated permissions.
  • PrincipalTypeNotSupported : for some API calls, you can’t use a service principal and the status returned will be 400 Bad Request, with the details in the body. Nothing to do about this one, unless the support is added to the API later on.
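To see which of these causes applies, the call can be wrapped so that the status code and error body are surfaced instead of a generic exception. This is an added example, not part of the original script: the function name Get-FabricWorkspaceItem is hypothetical, the errorCode field in the error body and the hints for 401/403 are assumptions, and the loop also follows the continuationUri that Fabric list responses return when results are paged.

```powershell
function Get-FabricWorkspaceItem {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]    $WorkspaceId,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [string] $ApiUrl = "https://api.fabric.microsoft.com/v1/"
    )

    $uri   = "${ApiUrl}workspaces/$WorkspaceId/items"
    $items = @()

    while ($uri) {
        try {
            $page = Invoke-RestMethod -Headers $Headers -Method GET -Uri $uri -ErrorAction Stop
        }
        catch {
            $err    = $_
            $resp   = $err.Exception.Response
            $status = if ($resp) { [int]$resp.StatusCode } else { 0 }   # 0 = no HTTP response
            $body   = $err.ErrorDetails.Message

            # Assumption: the error body is JSON carrying an errorCode field.
            $errorCode = $null
            try { $errorCode = ($body | ConvertFrom-Json).errorCode } catch { }

            $hint = switch ($status) {
                400     { if ($errorCode -eq 'PrincipalTypeNotSupported') {
                              'This API does not accept a service principal.'
                          } else { 'Bad request: check the URL, parameters and body.' } }
                401     { 'Token rejected: check the resource URL used for the token.' }
                403     { 'Check the tenant setting, workspace role and API permissions.' }
                default { 'See the response body for details.' }
            }
            throw "Fabric API call failed (HTTP $status, $errorCode). $hint`n$body"
        }

        $items += $page.value
        # continuationUri is absent on the last page, which ends the loop.
        $uri = $page.continuationUri
    }
    $items
}

# Usage with the variables built earlier:
# Get-FabricWorkspaceItem -WorkspaceId $workspaceId -Headers $fabricHeaders |
#     Select-Object displayName, type, id
```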