Fabric Data Agent Authentication

Priyal Pathak 0 Reputation points
2026-07-13T14:12:28.6833333+00:00

We authenticate to Azure AI Foundry Agent Service using the Azure AI Projects SDK and a Microsoft Entra Service Principal (ClientSecretCredential). The agent has a Fabric Data Agent connected as a tool. Does the Foundry Fabric tool invoke the Fabric Data Agent using the same Service Principal, or does it only support delegated user identity (OAuth/OBO)? If supported, what additional configuration is required?

Foundry Agent Service
Foundry Agent Service

A fully managed platform in Microsoft Foundry for hosting, scaling, and securing AI agents built with any supported framework or model

0 comments No comments

1 answer

Sort by: Most helpful
  1. Christos Panagiotidis 81 Reputation points
    2026-07-14T08:40:48.9566667+00:00

    Hi, the right authentication pattern depends on where the agent runs and whose permissions should govern the data request. For an interactive user experience, delegated OAuth preserves the user's Fabric permissions. For unattended service-to-service use, use a supported service principal or managed identity only if the Fabric item and API explicitly support it, then grant the minimum workspace/item permissions and test token audience/tenant carefully. Do not pass a user's refresh token into a hosted agent. If the current Data Agent preview exposes only user OAuth, that is a product limitation rather than something a custom Entra role can bypass; use an approved middle-tier API or wait for workload-identity support, and confirm the design with Fabric support before production.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.