Edit

Scopes

  • Article

To use the Microsoft Fabric REST APIs with a user, you need to acquire an Microsoft Entra token with delegated scopes.

The scopes required by the API are listed in the Required Delegated Scopes section in the API reference page.

For more information about Microsoft Fabric access permissions, see Introduction to permissions and consent.

Generic and specific scopes

For item CRUD APIs, there are 2 kinds of scopes which you can use, generic and specific scopes.

Using generic scopes, for example: Item.ReadWrite.All, would create a token that can be used to manage any item type, which makes it a very strong token.

Using specific scopes for the specific item types that you want to manage, which would create a more secure token, and would allow you to get specific consent from the user to manage only these item types.

Specific scopes are built in the following format <itemType>.Read.All or <itemType>.ReadWrite.All, for example: Notebook.ReadWrite.All.

To decide between the 2 types of scopes, you would have to weigh security and specific consent versus convenience and a cleaner consent prompt for the user.

Example for consent prompt for generic scope:

Screenshot that shows a consent prompt for a generic scope.

Example for consent prompt for specific scopes:

Screenshot that shows a consent prompt for a specific scope.

Fabric scopes

There are 2 kinds of scopes for Fabric items as we explained above.

Generic scopes

There are 4 generic scopes:

  • Item.Read.All: Calling application is allowed to read all Fabric items.
  • Item.ReadWrite.All: Calling application is allowed to read and write all Fabric items.
  • Item.Execute.All: Calling application is allowed to execute on all Fabric items.
  • Item.Reshare.All: Calling application is allowed to reshare all Fabric items.

Specific scopes

There are 4 types of scopes for every item type:

  • <itemType>.Read.All - Calling application is allowed to read all artifacts of type <itemType> that the user has access to.
  • <itemType>.ReadWrite.All - Calling application is allowed to read and write all artifacts of type <itemType> that the user has access to.
  • <itemType>.Execute.All - Calling application is allowed to execute all artifacts of <itemType> that the user has access to.
  • <itemType>.Reshare.All - Calling application is allowed to reshare all artifacts of type <itemType> that the user has access to.

There are also other kinds of scopes in Fabric that follow similar patterns, for example: Workspace.ReadWrite.All.

For a full list of the available scopes, please refer go to Azure portal > App registrations > YouAppRegistration > Add permissions > Power BI Service

Screenshot that shows a list of all scopes available in azure portal.