# Authentication Guide

fabricgov supports three authentication modes to access Microsoft Fabric and Power BI APIs:

- Service Principal: non-interactive authentication (recommended for automation)
- Device Flow: interactive browser-based authentication (recommended for manual use)
- Azure Key Vault: Service Principal without credentials on disk (recommended for production)
## Service Principal (Automation)

### When to use

- Automated scripts
- CI/CD pipelines
- Scheduled notebooks
- Environments without human interaction
### Prerequisites

#### 1. Create an App Registration in Azure AD

- Go to the Azure Portal
- Navigate to Azure Active Directory, then App registrations
- Click New registration
- Configure:
  - Name: `fabricgov-automation` (or any name)
  - Supported account types: "Accounts in this organizational directory only"
  - Redirect URI: leave blank
- Click Register
#### 2. Copy Credentials

After creating the App Registration:

- Application (client) ID: copy to `FABRICGOV_CLIENT_ID`
- Directory (tenant) ID: copy to `FABRICGOV_TENANT_ID`
#### 3. Create a Client Secret

- In the side menu, go to Certificates & secrets
- Click New client secret
- Configure:
  - Description: `fabricgov-secret`
  - Expires: 24 months (or per your company policy)
- Click Add
- IMPORTANT: copy the Value immediately (it is only shown once) into `FABRICGOV_CLIENT_SECRET`
#### 4. Configure API Permissions

- In the side menu, go to API permissions
- Click Add a permission
- Select Power BI Service
- Choose Application permissions (not "Delegated")
- Add the following permissions:
  - `Tenant.Read.All`
  - `Workspace.ReadWrite.All`
- Click Add permissions
- CRITICAL: click Grant admin consent for [your tenant]
  - Only a tenant admin can do this
  - Without this, the SP will not work
#### 5. Enable Service Principals in Fabric Admin Portal

- Go to the Power BI Portal
- Navigate to Settings (gear icon), then Admin portal
- In the side menu, select Tenant settings
- Scroll to Admin API settings
- Enable:
  - Service principals can use Fabric APIs
  - Service principals can access read-only admin APIs
- Add the Service Principal to the allowed group (or select "Apply to the entire organization")
- Click Apply
### Configuration

#### Option 1: Via .env file (recommended)

Create a `.env` file in the project root:

```
FABRICGOV_TENANT_ID=00000000-0000-0000-0000-000000000000
FABRICGOV_CLIENT_ID=11111111-1111-1111-1111-111111111111
FABRICGOV_CLIENT_SECRET=your-client-secret-here
```

Usage in code:

```python
from fabricgov.auth import ServicePrincipalAuth

# Automatically reads from .env
auth = ServicePrincipalAuth.from_env()
```
#### Option 2: Via direct parameters

```python
from fabricgov.auth import ServicePrincipalAuth

auth = ServicePrincipalAuth.from_params(
    tenant_id="00000000-0000-0000-0000-000000000000",
    client_id="11111111-1111-1111-1111-111111111111",
    client_secret="your-client-secret-here",
)
```
#### Option 3: Via system environment variables

```bash
export FABRICGOV_TENANT_ID="00000000-0000-0000-0000-000000000000"
export FABRICGOV_CLIENT_ID="11111111-1111-1111-1111-111111111111"
export FABRICGOV_CLIENT_SECRET="your-client-secret-here"
```
### Full Example

```python
from fabricgov.auth import ServicePrincipalAuth
from fabricgov.collectors import WorkspaceInventoryCollector
from fabricgov.exceptions import ForbiddenError, UnauthorizedError

try:
    auth = ServicePrincipalAuth.from_env()
    collector = WorkspaceInventoryCollector(auth=auth)
    result = collector.collect()
    print(f"Collected {result['summary']['total_workspaces']} workspaces")
except UnauthorizedError as e:
    # Wrong or expired client secret, or a bad token
    print(f"Invalid credentials: {e.message}")
except ForbiddenError as e:
    # Credentials are valid but the SP lacks the required role/permissions
    print(f"Access denied: {e.message}")
    print("  -> Check if the SP is in the Fabric Administrators group")
```
## Device Flow (Interactive)

### When to use

- Manual use via terminal
- Local development
- Environments where creating a Service Principal is not possible
- When the user needs to authenticate with their own credentials

### Advantages

- No `tenant_id` or `client_id` required (uses public defaults)
- No need to create an App Registration in Azure AD
- MFA supported automatically
- Token cache between executions (valid for ~1h)

### Requirements

- The authenticating user must have Fabric Administrator permissions in the tenant
- Access to a browser for authentication
### Usage

```python
from fabricgov.auth import DeviceFlowAuth

auth = DeviceFlowAuth()

# On first run, displays:
# ══════════════════════════════════════════════════════════════════
# AUTHENTICATION REQUIRED
# ══════════════════════════════════════════════════════════════════
# 1. Go to: https://microsoft.com/devicelogin
# 2. Enter the code: ABC12DEF
# 3. Sign in with your Microsoft account
# ══════════════════════════════════════════════════════════════════
# Waiting for authentication...
# ══════════════════════════════════════════════════════════════════

# After authenticating in the browser, the script continues automatically
```
### Advanced Usage (Specific Tenant)

```python
from fabricgov.auth import DeviceFlowAuth

# Force authentication against a specific tenant
auth = DeviceFlowAuth(tenant_id="your-tenant-id")

# With your own App Registration
auth = DeviceFlowAuth(
    tenant_id="your-tenant-id",
    client_id="your-client-id",
)
```
## Azure Key Vault (Production)

### When to use

- Production environments where storing `client_secret` on disk is not acceptable
- Organizations that already centralize credentials in a corporate Key Vault
- CI/CD pipelines with Managed Identity (Azure DevOps, GitHub Actions with OIDC)

### Prerequisites

- Key Vault created in Azure with the 3 SP secrets
- Role assigned: `Key Vault Secrets User` for your user/SP on the vault
- Dependencies installed: the `fabricgov[keyvault]` extra
### Creating the secrets

```bash
az keyvault secret set --vault-name MY-VAULT --name fabricgov-tenant-id --value "<tenant-id>"
az keyvault secret set --vault-name MY-VAULT --name fabricgov-client-id --value "<client-id>"
az keyvault secret set --vault-name MY-VAULT --name fabricgov-client-secret --value "<client-secret>"
```

Secret names are flexible: the `fabricgov-*` defaults can be overridden via `--tenant-id-secret`, `--client-id-secret`, and `--client-secret-secret`.
### Configuring fabricgov

```bash
# With default names
fabricgov auth keyvault --vault-url https://my-vault.vault.azure.net/

# With custom names
fabricgov auth keyvault \
  --vault-url https://my-vault.vault.azure.net/ \
  --tenant-id-secret pbi-tenant \
  --client-id-secret pbi-client \
  --client-secret-secret pbi-secret
```
### How the vault is accessed

`DefaultAzureCredential` tries, in order:

| Environment | Mechanism |
|---|---|
| Local development | `az login` (Azure CLI) |
| Azure VM / Container | Managed Identity |
| CI/CD | Env vars `AZURE_CLIENT_ID` + `AZURE_TENANT_ID` + `AZURE_CLIENT_SECRET` |
## Comparison: all three methods

| Aspect | Service Principal | Device Flow | Key Vault |
|---|---|---|---|
| Setup | App Registration | Zero | App Reg + Vault |
| Credentials on disk | Caution: `.env` file | None | Never |
| Interaction | Non-interactive | Browser | Non-interactive |
| Automation / CI-CD | Yes | No | Yes |
| Local development | Caution | Yes | Yes (with `az login`) |
| Enterprise production | Caution | No | Recommended |
| Extra dependency | None | None | `fabricgov[keyvault]` |
## Error Handling

### Service Principal Errors

#### AuthenticationError: Invalid Tenant ID

Solution: check `FABRICGOV_TENANT_ID` in `.env`. It must be a valid GUID.

#### UnauthorizedError: Invalid or expired token

Solution: verify `FABRICGOV_CLIENT_SECRET` is correct and not expired.

#### ForbiddenError: Access denied

Solution:

1. Verify the SP has `Tenant.Read.All` permission with admin consent granted
2. Confirm the SP is enabled in the Fabric Admin Portal
3. Wait up to 15 minutes for permissions to propagate
## Security Best Practices

### Service Principal

DO:

- Use `.env` and add it to `.gitignore`
- Rotate client secrets every 6–12 months
- Use Key Vault for production environments (`fabricgov auth keyvault`)
- Apply the principle of least privilege

DON'T:

- Commit credentials to Git
- Share secrets via email or chat
- Use the same SP across multiple environments
- Hardcode secrets in source code
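As an added example (not part of fabricgov), a pre-flight check that applies the Error Handling and Security Best Practices guidance above before any API call: it parses a `.env` file, verifies that both IDs are GUIDs and that the secret is not a leftover placeholder, and confirms `.env` is matched by `.gitignore`. The placeholder list (including the made-up value `changeme`) and the sample inputs are constructed here.

```python
import fnmatch
import re

# Added example, not fabricgov code. Variable names are the ones this guide uses.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
REQUIRED = ("FABRICGOV_TENANT_ID", "FABRICGOV_CLIENT_ID", "FABRICGOV_CLIENT_SECRET")
PLACEHOLDER_SECRETS = {"your-client-secret-here", "changeme"}  # constructed list


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser for a .env file; blank and comment lines are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def dotenv_is_ignored(gitignore_text: str, name: str = ".env") -> bool:
    """True when a non-comment .gitignore pattern (e.g. .env, /.env, *.env) matches the file."""
    for raw in gitignore_text.splitlines():
        pattern = raw.strip().lstrip("/")
        if pattern and not pattern.startswith("#") and fnmatch.fnmatch(name, pattern):
            return True
    return False


def check_sp_config(env: dict, gitignore_text: str = "") -> list:
    """Return human-readable findings; an empty list means the config passed."""
    findings = []
    for key in REQUIRED:
        if not env.get(key):
            findings.append(f"{key} is missing or empty")
    # The guide's "Invalid Tenant ID" error: both IDs must be GUIDs.
    for key in ("FABRICGOV_TENANT_ID", "FABRICGOV_CLIENT_ID"):
        if env.get(key) and not GUID_RE.match(env[key]):
            findings.append(f"{key} must be a valid GUID")
    if env.get("FABRICGOV_CLIENT_SECRET") in PLACEHOLDER_SECRETS:
        findings.append("FABRICGOV_CLIENT_SECRET still holds a placeholder value")
    # Best practice from this guide: .env must be ignored so secrets are never committed.
    if not dotenv_is_ignored(gitignore_text):
        findings.append(".env is not matched by .gitignore; credentials could be committed")
    return findings
```

Call `check_sp_config(parse_dotenv(open(".env").read()), open(".gitignore").read())` at the top of an automation script and abort on a non-empty result.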
## Additional Resources

- Azure AD App Registrations
- Power BI Service Principal
- Fabric Admin APIs
- MSAL Python Documentation
- Azure Key Vault: fabricgov guide