fabric-authlisted
Install: claude install-skill wardawgmalvicious/claude-config
# Fabric authentication & token audiences
All Fabric operations require Microsoft Entra ID OAuth 2.0 bearer tokens. **Using the wrong audience is the #1 cause of 401 errors.**
| Access Target | Token Audience / Scope |
|---|---|
| **Fabric REST API** | `https://api.fabric.microsoft.com/.default` |
| **Power BI REST API** (refresh, data sources, permissions, DAX) | `https://analysis.windows.net/powerbi/api/.default` |
| **OneLake** (DFS/Blob) | `https://storage.azure.com/.default` |
| **Warehouse / SQL Endpoint / SQL Database** (TDS) | `https://database.windows.net/.default` |
| **KQL / Kusto** | `https://kusto.kusto.windows.net/.default` |
| **XMLA Endpoint** | `https://analysis.windows.net/powerbi/api/.default` |
| **Azure Resource Management** | `https://management.azure.com/.default` |
```bash
az login
az account get-access-token --resource https://api.fabric.microsoft.com # Fabric REST
az account get-access-token --resource https://database.windows.net # SQL / TDS
az account get-access-token --resource https://analysis.windows.net/powerbi/api # Power BI
```
**Critical**: OneLake ONLY accepts `https://storage.azure.com/.default` — using `https://datalake.azure.net/` will fail.
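When a call returns 401, the quickest check is to read the `aud` claim of the token you actually sent and compare it with the table above. The following is an added example, not part of the original skill: the function names are hypothetical, the sample tokens are constructed, and it assumes `aud` carries the resource URI (the scope without `/.default`), so a token whose `aud` is an application ID GUID is reported as a mismatch.

```python
import base64
import json

# Audiences from the table above (scope minus "/.default").
EXPECTED_AUDIENCE = {
    "fabric": "https://api.fabric.microsoft.com",
    "powerbi": "https://analysis.windows.net/powerbi/api",
    "onelake": "https://storage.azure.com",
    "sql": "https://database.windows.net",
    "kusto": "https://kusto.kusto.windows.net",
    "xmla": "https://analysis.windows.net/powerbi/api",
    "arm": "https://management.azure.com",
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(token: str) -> str:
    """Return the `aud` claim. The signature is NOT verified: diagnostics only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    aud = json.loads(b64url_decode(parts[1])).get("aud")
    if not isinstance(aud, str):
        raise ValueError("token has no string 'aud' claim")
    return aud


def check_audience(token: str, target: str) -> tuple[bool, str]:
    """Return (matches, actual_aud) for one of the EXPECTED_AUDIENCE keys."""
    actual = token_audience(token)
    # Assumption: a trailing slash is the only benign difference.
    return actual.rstrip("/") == EXPECTED_AUDIENCE[target], actual


def sample_token(aud: str) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud}), "sig"])


if __name__ == "__main__":
    for aud in ("https://storage.azure.com/", "https://datalake.azure.net/"):
        print(aud, "->", check_audience(sample_token(aud), "onelake"))
```

To check a real token, pass the `accessToken` value returned by `az account get-access-token` to `check_audience`, and keep the token itself out of logs and tickets.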
## `az login` flow variants
```bash
az login --allow-no-subscriptions --tenant <tid> # Fabric tenant with no Azure subscription
az login --use-device-code --tenant <tid> # headless / SSH / no-browser
az login --service-principal -u <appId> -p <secret> --tenant <tid> # service principal (automation); avoid typing <secret> inline, it lands in shell history