I get the error below while creating an MS Fabric workspace. Is there a delegated permission I need to give the Service Principal, or some switch I need to enable in the admin portal? Or do I need to add the Service Principal to the capacity contributor list?
Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
Authentication:
# Define Variables
$tokenUrl = "https://login.microsoftonline.com/**/oauth2/v2.0/token"
$scope = "https://api.fabric.microsoft.com/.default"
# Client credentials flow: the app authenticates as itself, no user prompt is involved
$authParams = @{
    "client_id"     = $env:clientId
    "scope"         = $scope
    "grant_type"    = "client_credentials"
    "client_secret" = $env:client_secret
}
# Get Access Token
$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $authParams
# Extract and Output the Token
$accessToken = $response.access_token
# Note: this writes the raw bearer token to the pipeline log, before it is marked secret below
Write-Output "Full Response: $($response | ConvertTo-Json -Depth 10)"
# Ensure access token is retrieved
if (-not $response.access_token) {
    Write-Error "Access token is empty."
    exit 1
}
# Store Access Token as a Pipeline Variable (for next task)
Write-Output "##vso[task.setvariable variable=accessToken;isSecret=true]$accessToken"
Write-Output "Stored Access Token Length: $($accessToken.Length)"
Script:
# Define API Variables
$workspaceUrl = "https://api.fabric.microsoft.com/v1/workspaces"
$accessToken = "$(accessToken)" # Retrieve token from pipeline variable
# Ensure Access Token is Available
if (-not $accessToken) {
    Write-Error "Access token is missing. Ensure authentication task ran successfully."
    exit 1
}
# Define Workspace Payload
$workspaceBody = @{
    "displayName" = "Salmans Workspace"
    "description" = "This is a test workspace created via API"
    "capacityId"  = "**" # Replace with your actual capacity ID
} | ConvertTo-Json -Depth 10
# Define Headers
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}
# Call API to Create Workspace
$workspaceResponse = Invoke-RestMethod -Method Post -Uri $workspaceUrl -Headers $headers -Body $workspaceBody
# Output Response
Write-Output "Workspace Creation Response: $($workspaceResponse | ConvertTo-Json -Depth 10)"
API permissions:
To create MS Fabric workspace, the user or service principal must have permission to create workspaces granted by the tenant admin and must have contributor permissions or be an Admin on the capacity.
While using client credentials flow to generate access token, delegated permissions won't work, and access is based on the service principal.
Initially, I too got the same error when I ran your script without adding the service principal to any group that has permission access:
To resolve the error, make sure to enable access for the entire organization or add your app registration to the group that has permissions to create workspaces.
Create workspaces permission:
Contributor permission:
When I ran the PowerShell script again, the workspace was created successfully, as below:
# Define Variables
$tokenUrl = "https://login.microsoftonline.com/tenantId/oauth2/v2.0/token"
$scope = "https://api.fabric.microsoft.com/.default"
# Authentication Parameters
$authParams = @{
    "client_id"     = "appId"
    "scope"         = $scope
    "grant_type"    = "client_credentials"
    "client_secret" = "secret"
}
# Get Access Token
$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $authParams
# Extract Token
$accessToken = $response.access_token
# Ensure Token Exists (checked before Substring is called, which would throw on a null token)
if (-not $accessToken) {
    Write-Error "Access token retrieval failed."
    exit 1
}
# Output Response for Debugging (Avoid Printing the Full Token for Security)
Write-Output "Access Token Retrieved: $($accessToken.Substring(0,10))... (truncated)"
Write-Output "Token Length: $($accessToken.Length)"
# Define API Variables
$workspaceUrl = "https://api.fabric.microsoft.com/v1/workspaces"
# Define Workspace Payload
$workspaceBody = @{
    "displayName" = "Sri Fabric Workspace"
    "description" = "This is a test workspace created via API"
    "capacityId"  = "0c4b314b-9801-4b24-841f-876b75bab03d"
} | ConvertTo-Json -Depth 10
# Define Headers
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}
# Call API to Create Workspace
try {
    $workspaceResponse = Invoke-RestMethod -Method Post -Uri $workspaceUrl -Headers $headers -Body $workspaceBody
    Write-Output "Workspace Creation Response: $($workspaceResponse | ConvertTo-Json -Depth 10)"
} catch {
    Write-Error "Failed to create workspace. Error: $_"
    exit 1
}
Response:
In addition to that, make sure to enable this setting in your Admin Portal to allow service principals to call the Fabric API:
Reference: Workspaces - Create Workspace - REST API (Core) | Microsoft
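Added example (not code from the question or the answer above): a triage script for the 403 that inspects the app token's claims and checks whether the principal can see the target capacity before attempting the create, surfacing Fabric's error body instead of a bare "403 Forbidden". It assumes the environment variables TENANT_ID, CLIENT_ID, CLIENT_SECRET and CAPACITY_ID (names chosen here, not from the page) and uses the Fabric List Capacities endpoint GET /v1/capacities.

```powershell
# Added example, not from the question or answer. Assumed env vars: TENANT_ID,
# CLIENT_ID, CLIENT_SECRET, CAPACITY_ID (names are this example's assumptions).
$tokenUrl = "https://login.microsoftonline.com/$($env:TENANT_ID)/oauth2/v2.0/token"
$fabric   = "https://api.fabric.microsoft.com/v1"

$token = (Invoke-RestMethod -Method Post -Uri $tokenUrl `
    -ContentType "application/x-www-form-urlencoded" -Body @{
        client_id     = $env:CLIENT_ID
        client_secret = $env:CLIENT_SECRET
        scope         = "https://api.fabric.microsoft.com/.default"
        grant_type    = "client_credentials"
    }).access_token

# Decode the JWT payload (base64url, signature NOT verified; diagnostic only) to see
# which identity the API receives. A client-credentials token carries the app
# ('appid'/'oid') and no 'scp' claim, so delegated permissions cannot affect it.
function Get-JwtClaims([string]$Jwt) {
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = Get-JwtClaims $token
Write-Output "aud=$($claims.aud) appid=$($claims.appid) oid=$($claims.oid) scp=$($claims.scp)"

$headers = @{ Authorization = "Bearer $token" }

# Wrap calls so the HTTP status and Fabric's JSON error body are shown on failure.
function Invoke-FabricCall([string]$Method, [string]$Uri, $Body) {
    try {
        Invoke-RestMethod -Method $Method -Uri $Uri -Headers $headers `
            -ContentType "application/json" -Body $Body
    } catch {
        $status = [int]$_.Exception.Response.StatusCode
        Write-Warning "$Method $Uri -> HTTP $status : $($_.ErrorDetails.Message)"
        $null
    }
}

# 1) Can this principal see the capacity at all? If it is missing from the list,
#    the capacity contributor/admin assignment is the first thing to fix.
$caps = Invoke-FabricCall GET "$fabric/capacities"
if ($caps) { $caps.value | Select-Object id, displayName, state | Format-Table }
if (-not ($caps.value.id -contains $env:CAPACITY_ID)) {
    Write-Warning "Capacity $($env:CAPACITY_ID) is not visible to this principal."
}

# 2) Only then attempt the create. A 403 here while the capacity IS visible points at
#    the tenant settings (service principals can use Fabric APIs / create workspaces).
$body = @{ displayName = "SP Triage Workspace"; capacityId = $env:CAPACITY_ID } | ConvertTo-Json
Invoke-FabricCall POST "$fabric/workspaces" $body
```

On Windows PowerShell 5.1 the error body is also available via $_.ErrorDetails.Message for Invoke-RestMethod failures; on PowerShell 7 the same property applies.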