Part I: Use Microsoft Fabric GraphQL API with .NET App

Microsoft Fabric’s GraphQL API allows querying data stores in a flexible and efficient way. In this post I will walk through how you can integrate the Fabric GraphQL API into a .NET application, covering authentication, making queries, and handling responses. We are going to implement the solution using a service principal, but you can also use interactive authentication if you want to.

Authentication

As shown in my earlier blog post, Microsoft Fabric currently supports two different authentication methods: interactive authentication as a user, or a service principal (or Managed Identity). In this post we will use the service principal, because it is more suitable for automation and integration.

First we need to create a new app registration. Microsoft Learn has quite good documentation that you can use to add the Microsoft Entra app. If you use the app registration with the https://api.fabric.microsoft.com/.default scope, you don’t need the Power BI Graph API permissions, but you will need a valid client secret, so don’t forget to create that.

Remember to create a new client secret

For authentication we will use the trusty MSAL library Microsoft.Identity.Client. Install the NuGet package, paste the following code, and fill in Configuration.ClientId (copy from Entra), Configuration.Secret (copy from Entra) and Configuration.TenantId (your Azure Tenant Id, or Directory Id as it is called in the portal).

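using Microsoft.Identity.Client;

// Confidential client for the service principal (client credentials flow)
var app = ConfidentialClientApplicationBuilder.Create(Configuration.ClientId)
    .WithClientSecret(Configuration.Secret)
    .WithAuthority(new Uri($"https://login.microsoftonline.com/{Configuration.TenantId}"))
    .Build();
// Request an app-only token for the Fabric API scope
var token = await app.AcquireTokenForClient(["https://api.fabric.microsoft.com/.default"]).ExecuteAsync();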

Now we have a working access token, available through the token object. Next we will need an HTTP client to do the POST against GraphQL, but before that we need to create the GraphQL resource in Fabric and check that API access is enabled at tenant level.

Fabric GraphQL

The GraphQL API in Fabric is its own type of resource and, like other Fabric resources, it can be created through the new item menu in a workspace. The API for GraphQL resource gives us an endpoint that we can use to query the underlying data store. The resource also has a nice playground that can be used to build and test queries.

Fabric GraphQL is just a normal Fabric resource

After creating the API resource, we can use the playground to build some queries and see how our data behaves. In my example app I am using Titanic data from GitHub. After finding a suitable query, click Copy endpoint to get the URL for the GraphQL API.

Playground is a nice feature to build GraphQL queries and mutations.

Fabric Permissions

Now that we have our GraphQL API set up, we need to do a few extra steps to enable API access. First we need to make sure that our Fabric tenant allows API calls from service principals. Head into the Fabric admin portal and search for “Service principals can use Fabric APIs”. This setting needs to be enabled; otherwise the API call will return 401 Unauthorized.

Enable service principals API access from admin portal

Finally we need to give access to our service principal. You can do this at API level or by using the workspace permissions. For simplicity you can add the service principal as workspace contributor. This maybe gives the app too many permissions, but I wouldn’t be too worried about it at this point. If you want to add extra security, you can grant the “Run Queries and Mutations” permission on the GraphQL API resource plus read permission on the data store.

Contributor role is an easy (but not the most secure) way to add the required permissions for the GraphQL API

The Code

OK, now we have a service principal with a client secret to use, the Fabric tenant setting set to allow API calls for service principals AND permissions set for the service principal in Fabric. Now we can start making some GraphQL API calls!

You can use GraphQL libraries to simplify the query building, but for this simple sample we can just use the HTTP client and System.Text.Json serializer.

// Needs "using System.Text;" and "using System.Text.Json;" at the top of the file
using HttpClient client = new();
client.DefaultRequestHeaders.Add("Authorization", $"Bearer {token.AccessToken}"); // Use the MSAL token

// Simple query to run against the Titanic data
var query = new
{
    query = "{ titanics { items { PassengerId, Survived, Age, Name} } }"
};

var content = new StringContent(JsonSerializer.Serialize(query), Encoding.UTF8, "application/json");
// Make the request by using POST
HttpResponseMessage response = await client.PostAsync(Configuration.FabricGraphqlEndpoint, content);
if (response.IsSuccessStatusCode)
{
    string responseData = await response.Content.ReadAsStringAsync();
    // Dump the result into Console
    Console.WriteLine(responseData);
}
else
{
    Console.WriteLine($"Error: {response.StatusCode}");
}

If you receive an Unauthorized error, just wait a few minutes and try again. Sometimes Entra changes can take some time to apply. Next, check that the service principal client ID, secret and tenant are set correctly. Then check that the Fabric admin portal setting for service principals is enabled, and finally try adding the contributor rights for the service principal if you didn’t do that the first time.
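One way to check the client ID and tenant part of that list is to read the claims of the token MSAL returned (token.AccessToken) without ever printing the token itself. This is an added example, not code from the original post: TokenCheck, ReadClaims and FindProblems are hypothetical names, the sample token is constructed, and the expected aud value (the scope without /.default) is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public static class TokenCheck // hypothetical helper, not part of MSAL
{
    // Decodes the JWT payload. No signature validation: diagnostics only.
    public static JsonElement ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    public static List<string> FindProblems(JsonElement claims, string audience,
        string tenantId, string clientId, DateTimeOffset now)
    {
        var problems = new List<string>();
        string? Get(string name) => claims.TryGetProperty(name, out JsonElement v)
            && v.ValueKind == JsonValueKind.String ? v.GetString() : null;
        if (Get("aud")?.TrimEnd('/') != audience.TrimEnd('/'))
            problems.Add($"aud is '{Get("aud")}', expected '{audience}'");
        if (!string.Equals(Get("tid"), tenantId, StringComparison.OrdinalIgnoreCase))
            problems.Add($"tid is '{Get("tid")}', expected '{tenantId}'");
        string? app = Get("appid") ?? Get("azp"); // v1 tokens carry appid, v2 tokens azp
        if (!string.Equals(app, clientId, StringComparison.OrdinalIgnoreCase))
            problems.Add($"app id is '{app}', expected '{clientId}'");
        if (!claims.TryGetProperty("exp", out JsonElement exp) || exp.ValueKind != JsonValueKind.Number
            || DateTimeOffset.FromUnixTimeSeconds(exp.GetInt64()) <= now)
            problems.Add("token is expired or has no exp claim");
        return problems;
    }

    public static void Main()
    {
        // Constructed, unsigned sample token with placeholder ids; the aud value is an assumption.
        string payload = """{"aud":"https://api.fabric.microsoft.com","tid":"wrong-tenant","appid":"client-1","exp":4102444800}""";
        string b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        foreach (string p in FindProblems(ReadClaims($"e30.{b64}.sig"),
            "https://api.fabric.microsoft.com", "tenant-1", "client-1", DateTimeOffset.UtcNow))
            Console.WriteLine(p);
    }
}
```

If the claims match and the call still returns 401, the cause is on the Fabric side: the tenant setting or the service principal's permissions.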

For my sample app the query result looks like this:

Query returns Titanic passengers and their details
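The request code above treats any 2xx status as success, but a GraphQL server can answer 200 OK and still report a failed query in an errors array in the body. The following added example (not from the original post) checks both before the data is used; GraphQlResult and ExtractData are hypothetical names, and the sample bodies are constructed to match the shape of the post's query.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text.Json;

public static class GraphQlResult // hypothetical helper
{
    // Returns the "data" element, or throws when the HTTP status or the
    // GraphQL "errors" array reports a failure.
    public static JsonElement ExtractData(HttpStatusCode status, string body)
    {
        if ((int)status < 200 || (int)status > 299)
            throw new InvalidOperationException($"HTTP {(int)status}: {body}");

        using JsonDocument doc = JsonDocument.Parse(body);
        JsonElement root = doc.RootElement;

        // A 200 OK response can still carry query failures here.
        if (root.TryGetProperty("errors", out JsonElement errors)
            && errors.ValueKind == JsonValueKind.Array && errors.GetArrayLength() > 0)
        {
            var messages = errors.EnumerateArray().Select(e =>
                e.TryGetProperty("message", out JsonElement m) ? m.GetString() : e.GetRawText());
            throw new InvalidOperationException("GraphQL errors: " + string.Join("; ", messages));
        }

        if (!root.TryGetProperty("data", out JsonElement data)
            || data.ValueKind != JsonValueKind.Object)
            throw new InvalidOperationException("Response has no data object.");
        return data.Clone(); // Clone so the element outlives the JsonDocument
    }

    public static void Main()
    {
        // Constructed sample bodies, shaped like the result of the post's query.
        string ok = """{"data":{"titanics":{"items":[{"PassengerId":1,"Survived":0,"Age":22,"Name":"Sample Passenger"}]}}}""";
        string failed = """{"errors":[{"message":"Constructed sample error"}],"data":null}""";

        JsonElement data = ExtractData(HttpStatusCode.OK, ok);
        foreach (JsonElement p in data.GetProperty("titanics").GetProperty("items").EnumerateArray())
            Console.WriteLine($"{p.GetProperty("PassengerId")} {p.GetProperty("Name")}");

        try { ExtractData(HttpStatusCode.OK, failed); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```

In the post's code, pass response.StatusCode and the string read from response.Content to ExtractData in place of the IsSuccessStatusCode branch.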

Summary

GraphQL provides a nice and easy-to-set-up way to query data from outside of Fabric. The performance isn’t the best, but you can use it in internal apps quite easily. My next blog post will contain more performance measurements for the API. Hope you enjoyed this one, and see you in the Part II post on the Fabric GraphQL API.
