Tutorial: Connect App Service to a SQL database in Fabric using Service Connector

In this guide, you learn how to connect an Azure App Service resource to a SQL database in Microsoft Fabric using Service Connector. This setup enables your web app to seamlessly interact with the SQL database in Microsoft Fabric.

Create a service connection between Azure App Service and a SQL database in Fabric
Grant database access permissions to your web app

Prerequisites

Before you begin, ensure you have:

An Azure account with an active subscription. Create an account for free.
An app hosted on App Service. If you don't have one, create and deploy an app to App Service.
A SQL database in Microsoft Fabric. If you don't have one, create a SQL database in Fabric.

Create a service connection

Create a new service connection from App Service to a SQL database in Fabric, using the Azure CLI or the Azure portal.

Azure CLI
Azure portal

Install the Service Connector passwordless extension for the Azure CLI.
```
az extension add --name serviceconnector-passwordless --upgrade
```
Gather the required information:
- Subscription ID: Found in your App Service Overview tab
- Resource group name: Found in your App Service Overview tab
- Fabric workspace UUID (universally unique identifier) and SQL database UUID: Found by navigating to your SQL database in the Fabric portal. The browser URL should look like this: https://msit.powerbi.com/groups/<fabric_workspace_uuid>/sqldatabases/<fabric_sql_db_uuid>. The first UUID in the URL is the Fabric workspace UUID, and the second UUID is the SQL database UUID.
- App ID (for user-assigned managed identity authentication only): Found in the Microsoft Entra admin center under Entra ID > Enterprise apps. Search for your application and locate Application ID.

Create the service connection using a system-assigned managed identity or a user-assigned managed identity. In both cases, Service Connector enables a managed identity for authentication and adds a connection string named FABRIC_SQL_CONNECTIONSTRING to App Settings.

System-assigned managed identity:

az webapp connection create fabric-sql \
    --source-id /subscriptions/<subscription-ID>/resourceGroups/<source-resource-group>/providers/Microsoft.Web/sites/<site> \
    --target-id https://api.fabric.microsoft.com/v1/workspaces/<fabric_workspace_uuid>/SqlDatabases/<fabric_sql_db_uuid> \
    --system-identity

User-assigned managed identity:

az webapp connection create fabric-sql \
    --source-id /subscriptions/<subscription-ID>/resourceGroups/<source-resource-group>/providers/Microsoft.Web/sites/<site> \
    --target-id https://api.fabric.microsoft.com/v1/workspaces/<fabric_workspace_uuid>/SqlDatabases/<fabric_sql_db_uuid> \
    --user-identity client-id=<app-ID> "subs-id=<subscription-ID>"

For more information about these commands and more options, see az webapp connection create.

In the Azure portal, open your App Service resource.
In the service menu, select Settings > Service Connector.

Select Create, and configure the following settings in the Create connection panel that opens.

Setting	Example	Description
Service type	SQL database in Fabric	The target service type: SQL database in Fabric.
Connection name	fabricsql_8293d	A connection name that identifies the connection between your App Service and SQL database. Optionally edit the connection name suggested by default by Service Connector.
Workspace	My Workspace	The Microsoft Fabric Workspace that contains your SQL database.
SQL database	my_sql_database	The target SQL database you want to connect to.
Client type	.NET	The application's tech stack or library.

Select Next: Authentication and choose your preferred managed identity authentication option (system-assigned or user-assigned). In both cases, Service Connector enables a managed identity for authentication and adds a connection string to App Settings named FABRIC_SQL_CONNECTIONSTRING.
Select Next: Networking > Review + Create to review your connection configuration.
Check the box stating that you understand that additional manual steps are required to configure this service connection, and select Create On Cloud Shell. The command is automatically executed in the Azure Cloud Shell. Alternatively, if you have the Azure CLI installed, copy and run the provided CLI commands on your local machine.
Once the command finishes running, close the Create connection pane.

Configure database access permissions

After creating the service connection, you need to grant your managed identity the necessary permissions to access the SQL database.

In the Azure portal, go to your App Service's Service Connector menu and select Refresh to see your new connection.
Under Resource name, select the SQL database link to open your database in the Microsoft Fabric portal.
In the Fabric portal, navigate to the Security tab and select Manage SQL security.
Navigate to the permission management interface by selecting the db_datareader role, then select Manage access. You're not granting this role to your managed identity; this is just how you access the Fabric permission settings.
Look for your managed identity name under People, groups or apps in this role. If you see a Share database option, continue to the next step. Otherwise, the permissions are already configured.
Enter and select the name of your managed identity as it appears on the Manage access pane, check Read all data using SQL database, and select Grant.

Clean up resources

When no longer needed, delete the resource group and all related resources created for this tutorial. To do so, select the resource group or the individual resources you created and select Delete.

Feedback

Was this page helpful?

Last updated on 2025-06-27