Before ingesting Microsoft Fabric metadata into Dawiso, prepare your account for authentication by configuring an Azure Application and granting the necessary permissions.
Supported Fabric versions
- Dawiso reads metadata from the Power BI Admin API and Fabric API and is up to date with the latest API changes.
- Preview objects are included in the ingestion too.
Connection prerequisites
- An active Azure Portal subscription (you can create one for free).
- Microsoft Entra administrative access.
- Fabric tenant and account with administrative privileges. You can use this simple tutorial to configure it.
Connection configuration
Authentication to Power BI Admin API and Fabric API is performed via service principal.
In this guide, you will:
- Configure an Azure application.
- Generate a Client Secret.
- Test the application for a successful connection to Azure AD.
- Configure a Fabric Tenant to allow service principals to read the new Admin API.
- Allow the service principal access to individual fabric workspaces.
Register a new application
You need to register a new application in Microsoft Entra ID.
- In your Azure Portal, navigate to Microsoft Entra ID.
- In the left menu, select the App Registrations. Click the + New Registration button.
- Choose a name name for your application, e.g., Dawiso Integration. You can keep default values for the rest of the form.
- Click Register and wait for the deployment to finish.
Client and tenant IDs
On the Overview page, you can find important values that identify your application. These will be used in the connection setup in Dawiso:
- Application (client) ID is the unique identification of the application.
- Directory (tenant) ID is the unique identification of your tenant (organization).
Generate Client Secret
Now, you will need to generate a client secret to later authenticate the connection.
- In the left menu, select Certificates & secrets.
- Here, click + New client secret.
- Choose a descriptive name for the client secret and select an expiration date that fits your organization’s requirements.
- Click Add to finish creating the secret.
- Once the secret is created, make sure to copy the value and store it somewhere safe for later use. The secret cannot be displayed twice.
The secret value is displayed only once. Copy and save it immediately, otherwise you will need to generate a new client secret if it is lost.
Create a security group in Microsoft Entra ID
To follow security best practices, assign Fabric admin APIs access to the service principal only via a Microsoft Entra ID security group.
- In your Microsoft Entra ID, navigate to Groups.
- Click New group.
- Choose the Security group type and choose a descriptive name, e.g., in this case,
Fabric Service Principals.
- Click Create to finish the group configuration.
Add members to the group
- On the Groups page, click the name of the newly created group.
- Click + Add members.
- Using the search box, find your application (in our case Dawiso Integration) and select it using the checkbox.
- Click Select to finish adding the application as a member.
- On the group’s page, you can double-check whether the application has been added successfully.
Configure Fabric Tenant
Using an account with administrative privileges, navigate to your Fabric Admin Portal. Here, you will setup necessary permissions for the service principal to access all APIs required.
-
Select Tenant settings in the Portal.
-
In the Developer settingssection:
- Find the service principals can call Fabric public APIs item and enable it.
- Apply it to Specific security groups.
- Find the newly created security group (in our case Fabric Service Principals) and add it.
- Click Apply to save the configuration.
-
In the Admin API settings section:
- Find the Allow service principals to use read-only admin APIs item and enable it.
- Apply it to Specific security groups.
- Find the newly created security group (in our case Fabric Service Principals) and add it.
- Click Apply to save the configuration.
-
Also in the Admin API settingssection:
- Find the Enhance admin APIs responses with detailed metadata item and enable it.
- Apply it to Specific security groups.
- Find the newly created security group (in our case Fabric Service Principals) and add it.
- Click Apply to finish the configuration.
-
Finally, again in the Admin API settingssection:
- find the Enhance admin APIs responses with DAX and mashup expressions item and enable it.
- Apply it to Specific security groups.
- Find the newly created security group (in our case Fabric Service Principals) and add it.
- Click Apply to save the configuration.
Allow service principal access to individual workspaces
Several asset types can be ingested directly only from the admin APIs. Other asset types and their advanced properties can be ingested only when service principal has access to the workspace with the asset.
For example, when it comes to warehouses:
| Workspace access | Ingested metadata |
|---|---|
| No workspace access“ | Only the IDs, names, and few other basic properties are ingested. |
| Direct workspace access | Underlying objects (e.g., schemas, tables, views) are ingested. How these child assets are ingested, depends on the role: Viewer: Ingest schemas, tables and views. Procedures and functions can be ingested to without their SQL definitions., Contributor: All of the above will be ingested, plus definitions for views and procedures, which can be used for features like advanced lineage. |
| In general, to enable all Dawiso features, we recommend adding the service principal to the Contributor role on each workspace that should be fully ingested. |
- On your Fabric homepage, select the workspace for which you want to configure the access.
- Click Manage access.
- Continue with clicking Add people or groups.
- Find the newly created security group (in our case Fabric Service Principals) and change its role to Contributor.
- Click Add to allow the security group to access your workspace with contributor rights.
