You can do many great things when you connect your app to Microsoft Fabric Data APIs. Many groups use API Access to make data pipelines work by themselves, change and clean data, and connect with other services. Some common uses are:

• Sorting data for study with Medallion architecture

• Making ELT or ETL workflows for better data handling

• Bringing together facts from money, factory, or shipping systems

• Helping work get better in healthcare, insurance, and non-profits

Microsoft Fabric works with both REST and GraphQL APIs. It also has Data Factory pipelines for easy connection.

Key Takeaways

• First, sign up your app in Microsoft Entra. This helps you get the right identity and permissions. You need these before you use Fabric Data APIs.

• Use MSAL or OAuth2 libraries to get access tokens safely. These tokens are needed for API calls. Do not use API keys or SAS tokens.

• Pick the best API method for your task. Use REST for easy jobs. Use GraphQL if you want flexible queries. Use Data Factory for big or automatic workflows.

• Always check your app roles and permissions. This helps you avoid 401 Unauthorized errors. It also keeps your data safe.

• Test your API calls with tools like Postman first. Do this before you add them to your app. Watch for errors using Azure Monitor or Application Insights.

Prerequisites

Accounts and Roles

You need the right accounts and roles before using Microsoft Fabric Data APIs. These accounts help keep your data safe. They also let you use the APIs without trouble.

• You must have a Microsoft Entra identity. This can be a user, service principal, or managed identity.

• Your app needs to be registered in Microsoft Entra (Azure AD). Registration helps your app get permissions and access tokens.

• Give your app or user the correct roles in your Fabric workspace. Most people need the contributor role to work with data.

• DataAccessRoles decide what you can do with data. You might get read or write access to certain tables or files.

• You can give roles to Microsoft Entra groups or to fabricItemMembers. You need the tenantId and objectId for each group or user. You can find these by using Microsoft Graph APIs.

• When setting permissions, use delegated API permissions like Workspace.Read.All or Workspace.ReadWrite.All from Power BI Services.

• The OneLake Data Access Security API needs delegated scopes like OneLake.ReadWrite.All.

• Always use MSAL to get access tokens with the right scope, such as https://api.fabric.microsoft.com/.default.

• If you do not have the right roles or permissions, you may see 401 Unauthorized errors.

Tip: Check your permissions often. Make sure only the right people and apps have access.

Tools Needed

You need the right tools to connect your app to Microsoft Fabric Data APIs. The table below lists some helpful tools and what they do:

You can also use Jupyter notebooks for custom data changes with Python or R. These tools help you build, test, and automate your data work in Fabric.

App Registration

Microsoft Entra Setup

You must register your app in Microsoft Entra first. This step gives your app its own identity. It also lets you control how it talks to the APIs. Here is how you do the setup:

1. Open your browser and go to the Azure Portal.

2. Click Microsoft Entra ID in the menu.

3. Pick "App registrations" and then "New registration."

4. Type a name for your app and choose account types.

5. Click "Register" to make your app.

6. If your app needs to send users to a page after sign-in, add a redirect URI.

7. Go to "Certificates & Secrets" and make a new client secret. Save the secret value in a safe place.

8. Copy the Client ID from the Overview page. You will need it for authentication.

Microsoft Entra has different ways to sign in. The table below shows the most used ones and when to use each:

Tip: Use Authorization Code Grant Flow if your app has user sign-in. Use Client Credentials Grant Flow for background services.

Permissions for API Access

After you register your app, you must set the right permissions. This step controls what your app can do with Microsoft Fabric Data APIs.

• Go to "API permissions" in your app registration.

• Click "Add a permission" and pick Microsoft Graph. Add permissions like "User.Read."

• Add other permissions, such as Power BI Service or OneLake, if you need them.

• Give admin consent for the permissions you added.

• Assign users or groups to your app if you want to control who can use it.

• For more control, make app roles and give them to users or groups.

Many developers make mistakes at this step. Watch out for these common problems:

• Mixing up Power BI and Fabric API permissions.

• Not picking the right type of permissions for your sign-in method.

• Forgetting to add your app as Contributor or Admin in the Fabric workspace.

• Skipping the admin consent step for permissions.

• Not checking the access token claims after setup.

Note: Always check your permissions and roles. This helps you avoid mistakes and keeps your API Access safe.

Authentication

To connect your app to Microsoft Fabric Data APIs, you must sign in safely. Microsoft Entra ID helps you do this. You cannot use SAS tokens or API keys here. Only Microsoft Entra sign-in is allowed. This keeps your data safe with strong security. It uses things like role-based access and multi-factor sign-in. You also do not need to keep secret keys in your code.

Access Token Process

You need an access token before your app can use the APIs. Here are the steps:

1. Register your app in Microsoft Entra ID. Add a Reply URI so your app gets codes.

2. Make client credentials. Use a client secret or upload a certificate.

3. Set up your app to use the Microsoft Identity Platform v2.0.

4. Add the scopes you need. For example, use offline_access and API scopes like user.read.

5. When a user signs in, your app gets a code.

6. Use MSAL.NET or another OAuth2 tool to swap the code for a token.

7. Save the token. Your app can use it later for more API calls.

Tip: MSAL.NET saves tokens for you. Your app can get tokens again without asking the user to sign in each time.

Using MSAL or OAuth2

You can use many languages to sign in. PowerShell, Python, and C# are good choices. These help you send HTTP requests and handle OAuth 2.0 sign-in. They also help you read JSON responses.

Here is a simple C# example with MSAL.NET:

var app = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithClientSecret(clientSecret)
    .WithAuthority(new Uri(authority))
    .Build();

string[] scopes = new string[] { "https://api.fabric.microsoft.com/.default" };
var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
string accessToken = result.AccessToken;

You can do the same thing in Python with the MSAL library:

import msal

app = msal.ConfidentialClientApplication(
    client_id,
    authority=authority_url,
    client_credential=client_secret,
)

result = app.acquire_token_for_client(scopes=["https://api.fabric.microsoft.com/.default"])
access_token = result["access_token"]

These examples show how to get an access token for API Access. After you have the token, you can use Microsoft Fabric Data APIs safely.

API Access and Requests

You can link your app to Microsoft Fabric Data APIs in different ways. This part explains how to make safe and strong API Access using REST, GraphQL, and Data Factory pipelines.

REST API Calls

REST APIs in Microsoft Fabric let you use normal HTTP methods to work with data. You need to do a few things to make a good call. First, get a Microsoft Entra token for the Fabric service. You can use MSAL.NET or another OAuth2 tool. Next, put the token in the Authorization header as a Bearer token. Set the Content-Type header to application/json. Use the right API endpoint, like https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items. Send your request with the needed JSON body.

Here is an example of a POST request to make a lakehouse:

POST https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items
Authorization: Bearer <your_access_token>
Content-Type: application/json

{
  "displayName": "MyLakehouse",
  "type": "Lakehouse"
}

You get a JSON response with status codes. A 200 or 201 code means it worked. If your token is wrong or you do not have permission, you see a 401 error.

Tip: Always check your token and permissions before you make API Access requests.

A normal REST API call in Fabric uses a JSON body to set things like file path, mode, or format. The answer gives you status codes and JSON content to show if it worked. Some actions, like uploading files, happen in the background. You may need to check if the job finished with another call.

REST APIs have many endpoints for different things. This makes them easy and good for quick jobs or resource-based systems. But you might need to make more than one call to get all your data.

GraphQL Queries

GraphQL lets you get and change data in Microsoft Fabric in a flexible way. You use one endpoint and write queries or mutations to ask for what you want.

To use GraphQL for API Access, you must get a Microsoft Entra token and put it in the Authorization header. Set the Content-Type header to application/json. Send your query or mutation in the request body.

Here is a simple GraphQL query example:

POST https://api.fabric.microsoft.com/graphql
Authorization: Bearer <your_access_token>
Content-Type: application/json

{
  "query": "query { lakehouses { id displayName } }"
}

You get a JSON response with only the fields you asked for. This saves data and stops you from getting too much.

Note: GraphQL queries let you get many items at once. This can make things faster, especially when you need complex or related data.

When you make GraphQL queries, remember these tips. Only ask for the data you need. Do not make very deep or hard queries. Use batching to group queries. Handle errors clearly. Use pagination for big sets of data. Test your queries often.

GraphQL is great for tricky and flexible data needs. REST APIs are better for simple, stateless, or resource-based jobs.

Data Factory Integration

You can use Data Factory pipelines to automate API Access and move data in Microsoft Fabric. Data Factory works with many data sources and lets you build workflows with little code.

To call Microsoft Fabric Data APIs from a Data Factory pipeline, do these steps. First, make a pipeline in Data Factory. Get an authorization token for Fabric. You can use a service principal or managed identity. Add a Web activity to your pipeline to call the Fabric REST API. Use the POST method. Set the endpoint to https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/{PipelineId}/jobs/instances?jobType=Pipeline. Add the Authorization header with your Bearer token and set Content-Type to application/json. Put any needed parameters in the request body. Test your pipeline to make sure it calls the Fabric API as you want.

You can use Data Factory to bring in data from other APIs into Fabric. For batch jobs, Data Factory is good for big ETL jobs. For lots of or event-driven API calls, Azure Function Apps may be better.

Data Factory pipelines give you many good things for API Access. You can connect to over 170 data sources, including REST APIs. Use visual dataflows for tricky changes. Orchestrate and automate moving and changing data. Manage everything in one place with OneLake Data Hub. Watch and scale your workflows easily.

Tip: Use Data Factory pipelines for big, planned, or tricky data jobs. Use direct API calls for easy or one-time jobs.

Error Handling

Troubleshooting

You might get errors when using Microsoft Fabric Data APIs. Most errors happen when you sign in or do not have the right permissions. REST APIs show errors with HTTP status codes. A 401 Unauthorized error is very common. This means your sign-in did not work or you sent the wrong credentials. You may see this if you forget your access token or if it is expired.

Here are some usual authentication and permission errors:

You can fix many errors by doing these things:

1. Make sure you use the right sign-in method, like Azure Active Directory with a Service Principal or Managed Identity.

2. Check that your OAuth 2.0 token has the correct scope for API Access.

3. Always send the token in the Authorization header for every API call.

4. Make sure your app or identity has the right roles in Microsoft Fabric.

5. Use tools like Postman to test your API calls outside your app.

6. If you use Data Factory, check that all resources are in the same tenant and region.

7. Try Logic Apps or Azure Functions if you still have trouble with direct calls.

You might also see other errors, like FabricCannotConnect or FabricMessageTooLarge. These mean there are connection or data size problems.

Tip: Use tools like Azure Monitor Logs or Application Insights to watch for errors and API usage. These tools help you find problems early.

Security Tips

You need to keep your API credentials and tokens safe. Never put secrets right in your code. Use connection strings with parameters instead. Always use API access tokens to sign in, not user credentials. Only let trusted people see published datasets and reports.

Microsoft Fabric keeps all data safe when stored and uses TLS 1.2 or higher when sending data. You can use your own Azure Key Vault keys for more control. Fabric also uses signed tokens to keep API Access safe.

For rules, Microsoft Fabric follows standards like HIPAA BAA, ISO/IEC 27001, and ISO/IEC 27701. Microsoft Purview helps you label sensitive data, check user actions, and set rules to stop data loss. You can use Purview Audit to see who looks at your data and set alerts for risky actions.

Note: Check your security settings often. Make sure only trusted users and apps can use your APIs and data.

To link your app with Microsoft Fabric Data APIs, do these steps: First, register your app in Microsoft Entra. Write down your client and tenant IDs. Next, add API permissions and set up how your app signs in. Turn on the authorization code flow. After that, make a GraphQL API in Fabric. Change your app settings to match the new API. Now, start your app and sign in. Use API Access to get data.

Try REST, GraphQL, and Data Factory to handle data in different ways. If you want to learn more, read the Microsoft Fabric docs and look at the "Develop with APIs" part.

FAQ

How do you refresh an expired access token?

You can use MSAL.NET or the MSAL Python library to refresh your token. These tools handle token renewal for you. You do not need to ask the user to sign in again if you use the right scopes.

Can you use API keys or SAS tokens with Fabric Data APIs?

No, you cannot use API keys or SAS tokens. Microsoft Fabric Data APIs only support Microsoft Entra authentication. This keeps your data secure and follows best practices.

What should you do if you get a 401 Unauthorized error?

First, check your access token. Make sure it is valid and not expired. Then, confirm your app has the right permissions and roles in Microsoft Entra and Fabric. Try your request again after fixing these issues.

How do you test API calls before adding them to your app?

You can use tools like Postman or curl to test your API calls. These tools let you set headers, add tokens, and see responses. Testing helps you find problems before you write code.

Can you call Fabric Data APIs from Power Automate or Logic Apps?

Yes, you can. Use the HTTP action in Power Automate or Logic Apps. Add your access token in the Authorization header. This lets you automate workflows with Fabric Data APIs.