Authentication¶
fabias supports multiple authentication methods to work in different environments.
Inside Microsoft Fabric (Automatic)¶
When running inside a Fabric notebook, authentication is fully automatic:
Service Principal (Recommended for Standalone)¶
For standalone applications, use a service principal:
import fabias
from fabias import ServicePrincipalAuth
auth = ServicePrincipalAuth(
tenant_id="your-tenant-id",
client_id="your-client-id",
client_secret="your-client-secret"
)
fabias.client(auth=auth)
Setting Up a Service Principal¶
- Go to Azure Portal → Azure Active Directory → App registrations
- Click "New registration"
- Give it a name and register
- Note the Application (client) ID and Directory (tenant) ID
- Go to Certificates & secrets → New client secret
- Note the secret value (shown only once)
- Grant API permissions as needed
Environment Variables¶
You can configure credentials via environment variables:
export AZURE_TENANT_ID="your-tenant-id"
export AZURE_CLIENT_ID="your-client-id"
export AZURE_CLIENT_SECRET="your-client-secret"
Then in Python:
From Key Vault¶
Load credentials from Azure Key Vault:
import fabias
from fabias import ServicePrincipalAuth
from fabias.integrations import keyvault
# Inside Fabric, only vault_url needed
keyvault.client(vault_url="https://my-vault.vault.azure.net/")
# Load credentials from Key Vault
auth = ServicePrincipalAuth(
tenant_id="your-tenant-id",
client_id=keyvault.get("fabric-client-id"),
client_secret=keyvault.get("fabric-client-secret")
)
fabias.client(auth=auth)
AutoAuth (Automatic Detection)¶
AutoAuth automatically selects the best method:
from fabias import AutoAuth
# Inside Fabric: uses FabricAuth
# Standalone with env vars: uses ServicePrincipalAuth
# Otherwise: raises error with helpful message
auth = AutoAuth()
Refresh Token (User-Delegated)¶
For user-delegated authentication using OAuth2 refresh tokens:
from fabias import RefreshTokenAuth
from fabias.integrations import keyvault
# Self-managed mode with Key Vault persistence
auth = RefreshTokenAuth(
tenant_id="your-tenant-id",
client_id="your-client-id",
refresh_token=keyvault.get("graph-refresh-token"),
on_refresh=lambda token: keyvault.set("graph-refresh-token", token)
)
fabias.client(auth=auth)
The on_refresh callback is called whenever the token is refreshed, allowing you to persist the new refresh token.
Delegated Mode (Token Broker)¶
For production scenarios with multiple concurrent jobs, use an external token broker:
from fabias import RefreshTokenAuth
from datetime import datetime
import requests
def get_from_broker(scope: str) -> tuple[str, datetime]:
response = requests.post(
"https://my-function/api/token",
json={"scope": scope}
)
data = response.json()
return data["access_token"], datetime.fromisoformat(data["expires_at"])
auth = RefreshTokenAuth(
tenant_id="your-tenant-id",
client_id="your-client-id",
token_provider=get_from_broker
)
Warning
Self-managed mode is NOT safe for concurrent use across multiple jobs that might refresh the token simultaneously. Use delegated mode with a token broker for production multi-job scenarios.
Multi-Client Usage¶
For connecting to multiple environments:
from fabias import ServicePrincipalAuth
from fabias import FabricClient
auth_prod = ServicePrincipalAuth(
tenant_id="...",
client_id="...",
client_secret="..."
)
auth_dev = ServicePrincipalAuth(
tenant_id="...",
client_id="...",
client_secret="..."
)
client_prod = FabricClient(auth=auth_prod)
client_dev = FabricClient(auth=auth_dev)
ws_prod = client_prod.workspace("PROD_WORKSPACE")
ws_dev = client_dev.workspace("DEV_WORKSPACE")
Required Permissions¶
Fabric API¶
The service principal needs:
- Fabric.ReadWrite.All (for most operations)
- Workspace Admin/Member role (for workspace-specific operations)
Key Vault¶
For fabias.secrets:
- Key Vault Secrets User role on the Key Vault
Microsoft Graph¶
For Teams messaging:
- ChannelMessage.Send (delegated or application)