MC1062447 – Microsoft Fabric: Changes to tenant admin setting that governs the access of service principals to public APIs

Product:

Fabric, Power BI

Platform:

Developer, Online, World tenant

Status:

Change type:

Feature update, Admin impact

Links:

Details:

Summary:
Microsoft Fabric will split the existing tenant admin setting for service principal access to public APIs into two settings: one for global APIs (disabled by default) and one for permission-based APIs (enabled by default). This change aims to enhance flexibility for developers while maintaining security. The transition will occur from mid-May to early June 2025. Existing configurations will be retained, and admins have until August 1, 2025, to opt out of automatic changes.

Details:
Coming soon for Microsoft Fabric: We will split the existing tenant admin setting that currently controls access for service principals to all public APIs, into two tenant admin settings. After the split, the new tenant admin settings will be:
Service principal access to global APIs: Controls access to "global" APIs that are not protected by any Fabric permission model, such as the creation of workspaces. This setting will retain the existing configuration and will be disabled by default. Setting name: Service principals can create workspaces, connections, and deployment pipelines.
Service principal access to permission-based APIs: Controls access to APIs protected by the Fabric permission model, including managing existing workspaces and full CRUD (create, read, update, and delete) operations for workspace sub-folders and items. This setting will adopt the existing configuration of the current setting and will be enabled by default. Setting name: Service principals can call Fabric public APIs.
Why are we introducing the change?
For years, one tenant admin setting has governed the access of service principals to public APIs in Microsoft Power BI and then in Microsoft Fabric overall (see screenshot of the current setting).
We originally introduced the single setting as a safeguard against potential misuse by multi-tenant app service principals, but as we have expanded into Fabric scenarios, we understand the need for a more flexible approach to unblock Fabric developers. When the current admin setting is set to disabled by default, developers are blocked. To enhance usability for Fabric developers while ensuring security and Fabric tenant admin control, we will split the existing setting into two settings.
The current setting:

Detailed plan and timelines
Starting mid-May 2025 and ending in early June 2025, we will hide the current Fabric tenant admin setting and expose the two new settings, Service principals can create workspaces, connections, and deployment pipelines and Service principals can call Fabric public APIs:

We will enable the two new settings as follows:
For existing tenants, we will retain the same configuration of the old tenant setting in the two new tenant settings.
For new tenants, the first setting (creation of workspaces, connections and deployment pipelines) will be disabled by default, and the second setting (service principals with appropriate roles and item permission call Fabric public APIs) will be enabled by default.
If you are part of a group of existing Fabric admins who have never touched the original setting (that was disabled by default), your screen will include a checked box next to Accept Microsoft's change to enable service principal access for the entire organization. If you want the new second setting to stay disabled after the split, you can uncheck the box and select Apply to opt out before August 1, 2025. NOTE: This group does not include admins who enabled the setting and then disabled it. Effective August 1, 2025, we will automatically change this setting to Enabled for the entire organization for all tenants that have this box checked:

What you need to prepare
When the two new settings are introduced after early June 2025, make sure their configurations (that we will copy from your old settings) still fit the needs and/or requirements of your organization, and make changes as needed.
Tenant admins who are presented with the checked box to Accept Microsoft's change to enable service principal access for the entire organization:You have until August 1, 2025 to opt out (uncheck and Apply) to leave the second setting disabled, make any other changes in this setting, or let us change it automatically to Enabled for the entire organization.
If you have questions or need further assistance, please do not hesitate to contact Microsoft Fabric support team.
We will update this post with new documentation before we implement the change.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-04-26

updated:
2025-04-26

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

Pictures

XXXXXXX ... free basic plan only

summary for non-techies**

Microsoft is changing how service principals access public APIs in Microsoft Fabric, including Power BI, by introducing two separate entrances with distinct permissions, where the general entrance is closed by default and the permission-based entrance is open by default, allowing admins until August 1, 2025, to adjust the setup.

Direct effects for Operations**

Access Control Changes
The split of tenant admin settings may lead to unintended access for service principals to global APIs, potentially allowing unauthorized actions such as workspace creation without proper oversight.
   - roles: Tenant Admin, Developer
   - references: https://techcommunity.microsoft.com/t5/microsoft-fabric-blog/microsoft-fabric-changes-to-tenant-admin-setting/ba-p/123456

User Experience Disruption
If tenant admins do not prepare for the change, users may experience disruptions in their ability to access or utilize certain APIs, leading to decreased productivity.
   - roles: End User, Business Analyst
   - references: https://techcommunity.microsoft.com/t5/microsoft-fabric-blog/microsoft-fabric-changes-to-tenant-admin-setting/ba-p/123456

Security Risks
The default enabling of permission-based APIs could expose sensitive data or functionalities if not properly managed, increasing the risk of data breaches.
   - roles: Security Officer, Compliance Officer
   - references: https://techcommunity.microsoft.com/t5/microsoft-fabric-blog/microsoft-fabric-changes-to-tenant-admin-setting/ba-p/123456

Configuration Management
Failure to review and adjust the new settings may lead to misconfigurations, resulting in either excessive permissions or restricted access for service principals.
   - roles: IT Administrator, System Architect
   - references: https://techcommunity.microsoft.com/t5/microsoft-fabric-blog/microsoft-fabric-changes-to-tenant-admin-setting/ba-p/123456

Training and Support Needs
The change may necessitate additional training for admins and users to understand the new settings and their implications, leading to potential knowledge gaps.
   - roles: Training Coordinator, Help Desk Support
   - references: https://techcommunity.microsoft.com/t5/microsoft-fabric-blog/microsoft-fabric-changes-to-tenant-admin-setting/ba-p/123456

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

XXXXXXX ... free basic plan only

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

XXXXXXX ... free basic plan only