Error while Creating MS Fabric workspace using API
I get below error while creating MS Fabric workspace. Is there a delegated permission i need to give the Service Principal or some switch i need to enable in admin portal? Or Do i need to add Service Principal under capacity contributor list?
Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
Authentication:
# Define Variables
$tokenUrl = "https://login.microsoftonline.com/**/oauth2/v2.0/token"
$scope= "https://api.fabric.microsoft.com/.default"
# Prompt for user credentials
$authParams = @{
"client_id" = $env:clientId
"scope" = $scope
"grant_type" = "client_credentials"
"client_secret" = $env:client_secret
}
# Get Access Token
$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $authParams
# Extract and Output the Token
$accessToken = $response.access_token
Write-Output "Full Response: $($response | ConvertTo-Json -Depth 10)"
# Ensure access token is retrieved
if (-not $response.access_token) {
Write-Error "Access token is empty."
exit 1
}
# Store Access Token as a Pipeline Variable (for next task)
Write-Output "##vso[task.setvariable variable=accessToken;isSecret=true]$accessToken"
Write-Output "Stored Access Token Length: $($accessToken.Length)"
Script:
# Define API Variables
$workspaceUrl = "https://api.fabric.microsoft.com/v1/workspaces"
$accessToken = "$(accessToken)" # Retrieve token from pipeline variable
# Ensure Access Token is Available
if (-not $accessToken) {
Write-Error "Access token is missing. Ensure authentication task ran successfully."
exit 1
}
# Define Workspace Payload
$workspaceBody = @{
"displayName" = "Salmans Workspace"
"description" = "This is a test workspace created via API"
"capacityId" = "**" # Replace with your actual capacity ID
} | ConvertTo-Json -Depth 10
# Define Headers
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
}
# Call API to Create Workspace
$workspaceResponse = Invoke-RestMethod -Method Post -Uri $workspaceUrl -Headers $headers -Body $workspaceBody
# Output Response
Write-Output "Workspace Creation Response: $($workspaceResponse | ConvertTo-Json -Depth 10)"
API permissions:
Solution
To create MS Fabric workspace, the user or service principal must have permission to create workspaces granted by the tenant admin and must have contributor permissions or be an Admin on the capacity.
While using client credentials flow to generate access token, delegated permissions won't work, and access is based on the service principal.
Initially, I too got same error when I ran your script without adding service principal to any group that have permissions access:
To resolve the error, make sure to enable access for entire organization or add your app registration to the group that have permissions to create workspaces.
Create workspaces permission:
Contributor permission:
When I ran the PowerShell script again, workspace created successfully as below:
# Define Variables
$tokenUrl = "https://login.microsoftonline.com/tenantId/oauth2/v2.0/token"
$scope= "https://api.fabric.microsoft.com/.default"
# Authentication Parameters
$authParams = @{
"client_id" = "appId"
"scope" = $scope
"grant_type" = "client_credentials"
"client_secret" = "secret"
}
# Get Access Token
$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $authParams
# Extract Token
$accessToken = $response.access_token
# Output Response for Debugging (Avoid Printing the Full Token for Security)
Write-Output "Access Token Retrieved: $($accessToken.Substring(0,10))... (truncated)"
Write-Output "Token Length: $($accessToken.Length)"
# Ensure Token Exists
if (-not $accessToken) {
Write-Error "Access token retrieval failed."
exit 1
}
# Define API Variables
$workspaceUrl = "https://api.fabric.microsoft.com/v1/workspaces"
# Define Workspace Payload
$workspaceBody = @{
"displayName" = "Sri Fabric Workspace"
"description" = "This is a test workspace created via API"
"capacityId" = "0c4b314b-9801-4b24-841f-876b75bab03d"
} | ConvertTo-Json -Depth 10
# Define Headers
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
}
# Call API to Create Workspace
try {
$workspaceResponse = Invoke-RestMethod -Method Post -Uri $workspaceUrl -Headers $headers -Body $workspaceBody
Write-Output "Workspace Creation Response: $($workspaceResponse | ConvertTo-Json -Depth 10)"
} catch {
Write-Error "Failed to create workspace. Error: $_"
exit 1
}
Response:
In addition to that, make sure to enable this setting to allow service principal access for calling Fabric API in your Admin Portal:
Reference: Workspaces - Create Workspace - REST API (Core) | Microsoft
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions