Message ID: MC1062447
Coming soon for Microsoft Fabric: We will split the existing tenant admin setting that currently controls access for service principals to all public APIs, into two tenant admin settings. After the split, the new tenant admin settings will be:
- Service principal access to global APIs: Controls access to "global" APIs that are not protected by any Fabric permission model, such as the creation of workspaces. This setting will retain the existing configuration and will be disabled by default. Setting name: Service principals can create workspaces, connections, and deployment pipelines.
- Service principal access to permission-based APIs: Controls access to APIs protected by the Fabric permission model, including managing existing workspaces and full CRUD (create, read, update, and delete) operations for workspace sub-folders and items. This setting will adopt the existing configuration of the current setting and will be enabled by default. Setting name: Service principals can call Fabric public APIs.
Why are we introducing the change?
For years, one tenant admin setting has governed the access of service principals to public APIs in Microsoft Power BI and then in Microsoft Fabric overall (see screenshot of the current setting).
We originally introduced the single setting as a safeguard against potential misuse by multi-tenant app service principals, but as we have expanded into Fabric scenarios, we understand the need for a more flexible approach to unblock Fabric developers. When the current admin setting is set to disabled by default, developers are blocked. To enhance usability for Fabric developers while ensuring security and Fabric tenant admin control, we will split the existing setting into two settings.
[Screenshot: the current setting]
Detailed plan and timelines
Starting mid-May 2025 and ending in early June 2025, we will hide the current Fabric tenant admin setting and expose the two new settings, "Service principals can create workspaces, connections, and deployment pipelines" and "Service principals can call Fabric public APIs".
We will enable the two new settings as follows:
- For existing tenants, we will retain the same configuration of the old tenant setting in the two new tenant settings.
- For new tenants, the first setting (creation of workspaces, connections and deployment pipelines) will be disabled by default, and the second setting (service principals with appropriate roles and item permissions can call Fabric public APIs) will be enabled by default.
If you are part of a group of existing Fabric admins who have never touched the original setting (that was disabled by default), your screen will include a checked box next to "Accept Microsoft’s change to enable service principal access for the entire organization". If you want the new second setting to stay disabled after the split, you can uncheck the box and select Apply to opt out before August 1, 2025. NOTE: This group does not include admins who enabled the setting and then disabled it. Effective August 1, 2025, we will automatically change this setting to Enabled for the entire organization for all tenants that have this box checked.
What you need to prepare
- When the two new settings are introduced after early June 2025, make sure their configurations (that we will copy from your old settings) still fit the needs and/or requirements of your organization, and make changes as needed.
- Tenant admins who are presented with the checked box to "Accept Microsoft’s change to enable service principal access for the entire organization": You have until August 1, 2025 to opt out (uncheck and Apply) to leave the second setting disabled, make any other changes in this setting, or let us change it automatically to Enabled for the entire organization.
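One way to check that the two new settings still fit your organization after the split, as an added example that is not part of Microsoft's post. It assumes the tenant settings have been exported as JSON with title, enabled and enabledSecurityGroups fields (an assumed layout); the sample export and the policy are constructed for illustration.

```python
import json

# Display titles of the two post-split settings, as given in the announcement.
GLOBAL_TITLE = "Service principals can create workspaces, connections, and deployment pipelines"
PERMISSION_TITLE = "Service principals can call Fabric public APIs"

# Constructed sample export. The field names (title, enabled, enabledSecurityGroups)
# are an assumption about the export format, not taken from the announcement.
SAMPLE_EXPORT = json.dumps({"tenantSettings": [
    {"title": GLOBAL_TITLE, "enabled": True, "enabledSecurityGroups": []},
    {"title": PERMISSION_TITLE, "enabled": True,
     "enabledSecurityGroups": [{"graphId": "00000000-0000-0000-0000-000000000001",
                                "name": "fabric-automation-sp"}]},
]})

def scope_of(setting):
    """Return 'missing', 'disabled', 'security-groups' or 'entire-org'."""
    if setting is None:
        return "missing"  # split not rolled out yet, or the title changed
    if not setting.get("enabled", False):
        return "disabled"
    return "security-groups" if setting.get("enabledSecurityGroups") else "entire-org"

def audit_split_settings(export_json, allowed_scopes):
    """Compare both settings against the scopes the organization allows.

    allowed_scopes maps a setting title to the set of acceptable scopes.
    Returns (title, actual_scope, ok) tuples, one per setting.
    """
    by_title = {s.get("title"): s for s in json.loads(export_json).get("tenantSettings", [])}
    results = []
    for title in (GLOBAL_TITLE, PERMISSION_TITLE):
        scope = scope_of(by_title.get(title))
        results.append((title, scope, scope in allowed_scopes[title]))
    return results

# Example policy (hypothetical): global APIs stay off; permission-based APIs
# may be on only for named security groups, never for the entire organization.
POLICY = {
    GLOBAL_TITLE: {"disabled"},
    PERMISSION_TITLE: {"disabled", "security-groups"},
}

if __name__ == "__main__":
    for title, scope, ok in audit_split_settings(SAMPLE_EXPORT, POLICY):
        print("OK   " if ok else "DRIFT", scope.ljust(16), title)
```

Run it again after August 1, 2025 if you were shown the opt-out checkbox: a permission-based setting that has moved to entire-org is reported as drift under this policy.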
If you have questions or need further assistance, please do not hesitate to contact the Microsoft Fabric support team.
We will update this post with new documentation before we implement the change.
Source: Microsoft
The upcoming changes to tenant admin settings in Microsoft Fabric promise to bring a wave of both opportunity and responsibility for admins and users alike. By splitting the existing tenant admin setting into two distinct categories, Microsoft aims to enhance flexibility for developers while maintaining the necessary security protocols.
For admins, this change means more granular control over service principals’ access to public APIs. The new settings will allow them to tailor permissions more effectively, ensuring that developers have the access they need without compromising the organization’s security. It’s a bit like getting a new toolbox: you can finally find the right tool for the job without rummaging through a cluttered drawer!
On the user side, these changes could translate into a more seamless experience when interacting with APIs. With the right permissions in place, developers may find it easier to create workspaces and manage connections, ultimately leading to increased productivity. Just imagine the joy of not having to submit endless requests for access – it’s like discovering your favorite coffee shop now offers a drive-thru!
However, with great power comes great responsibility. Admins will need to ensure that the configurations of the new settings align with their organization’s needs, especially given the default settings for new tenants. Those who don’t opt out before the August 1, 2025 deadline could find themselves navigating a new world of permissions they didn’t anticipate. So, a little pre-planning will go a long way!
In summary, these changes are set to have a significant impact on both admins and users. The potential for improved efficiency and security is there, but it requires careful consideration and action.