Set up an Entra ID application
For your workload to work in Fabric, you need to register an application with the Microsoft identity platform, also known as Microsoft Entra ID. This application is used to authenticate your workload against Azure.
Prerequisites
- At least a Cloud Application Administrator role.
Step 1: Register an Entra ID application
To create a new Entra ID application, follow these steps:
Sign into the Microsoft Entra admin center.
Navigate to Identity > Applications > App registrations and select New registration.
Enter a display Name for your application.
In the Supported account types section, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
Select Register.
Step 2: Configure the redirect URI
You need to configure your redirect URI to a URI that closes the page immediately when navigating to it. For more information, see Redirect URI (reply URL) outline and restrictions.
To configure your Entra ID application, follow these steps:
Sign into the Microsoft Entra admin center.
Navigate to Applications > App registration and select your application.
Select Add a Redirect URI.
From Platform configurations, select Add a platform.
In the Configure platforms pane, select Single-page application.
In Configure single-page application, add a redirect URI to Redirect URIs. The sample uses http://localhost:60006/close as the redirect URI.
Select Configure.
Step 3: Verify that you have a multitenant app
To verify that your app is a multitenant app, follow these steps.
Sign into the Microsoft Entra admin center.
Navigate to Applications > App registration and select your application.
In your application, from the Manage section, select Authentication.
In the Supported account types, verify that Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) is selected. If it isn't, select it and then select Save.
Step 4: Enter an application ID URI
Create an application ID URI using this format: api://localdevinstance/<tenant ID>/<workload name>/<(optional)subpath>. The ID URI can't end with a slash.
- Workload name - The name of the workload you're developing. The workload name must be identical to the WorkloadName specified in the backend manifest, and start with Org.
- Tenant ID - Your tenant ID. If you don't know your tenant ID, see How to find your Microsoft Entra tenant ID.
- Subpath - (Optional) A string of English lower or upper case letters, numbers, and dashes. The subpath string can be up to 36 characters long.
Here are examples of valid and invalid URIs when the tenant ID is bbbbcccc-1111-dddd-2222-eeee3333ffff and the workload name is Fabric.WorkloadSample:
Valid URIs:
- api://localdevinstance/bbbbcccc-1111-dddd-2222-eeee3333ffff/Org.WorkloadSample
- api://localdevinstance/bbbbcccc-1111-dddd-2222-eeee3333ffff/Org.WorkloadSample/abc
Invalid URIs:
- api://localdevinstance/bbbbcccc-1111-dddd-2222-eeee3333ffff/Org.WorkloadSample/af/
- api://localdevinstance/bbbbcccc-1111-dddd-2222-eeee3333ffff/Org.WorkloadSample/af/a
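The format rules above can be checked before you paste the URI into the portal. The following Python check is an added example, not part of the workload sample; the function name and messages are hypothetical, and it assumes the tenant ID compares case-insensitively and that the subpath is a single segment.

```python
import re

PREFIX = "api://localdevinstance/"
SUBPATH_RE = re.compile(r"[A-Za-z0-9-]{1,36}")  # letters, digits, dashes; max 36

def check_app_id_uri(uri, tenant_id, workload_name):
    """Return a list of problems; an empty list means the URI fits the format."""
    if not uri.startswith(PREFIX):
        return ["must start with " + PREFIX]
    problems = []
    rest = uri[len(PREFIX):]
    if rest.endswith("/"):
        problems.append("must not end with a slash")
        rest = rest.rstrip("/")  # keep checking the remaining segments
    segments = rest.split("/")
    if len(segments) < 2:
        return problems + ["tenant ID and workload name are both required"]
    tenant, workload, *subpath = segments
    # Assumption: GUID tenant IDs are compared without regard to case.
    if tenant.lower() != tenant_id.lower():
        problems.append("tenant ID segment does not match the expected tenant")
    # The workload name must be identical to WorkloadName in the backend manifest.
    if workload != workload_name:
        problems.append("workload name differs from WorkloadName in the manifest")
    if not workload.startswith("Org."):
        problems.append("workload name must start with Org.")
    if len(subpath) > 1:
        problems.append("subpath must be a single segment without slashes")
    elif subpath and not SUBPATH_RE.fullmatch(subpath[0]):
        problems.append("subpath must be 1-36 letters, digits or dashes")
    return problems

# Sample values taken from the URI examples above.
TENANT = "bbbbcccc-1111-dddd-2222-eeee3333ffff"
WORKLOAD = "Org.WorkloadSample"

if __name__ == "__main__":
    base = PREFIX + TENANT + "/" + WORKLOAD
    for uri in (base, base + "/abc", base + "/af/", base + "/af/a"):
        print(uri, "->", check_app_id_uri(uri, TENANT, WORKLOAD) or "ok")
```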
To add an application ID URI to your app, follow these steps.
Sign into the Microsoft Entra admin center.
Navigate to Applications > App registration and select your application.
In your application, from the Manage section, select Expose an API.
Next to Application ID URI, select Add.
In the Edit application ID URI pane, add your application ID URI.
Step 5: Add scopes
You need to define scopes (also known as permissions) for your app. The scopes allow others to use your app's functionality. For example, the workload sample gives four examples of API permissions that others can use. You can see these mock permissions in scopes.cs:
- Item1.Read.All - For reading workload items
- Item1.ReadWrite.All - For reading and writing workload items
- FabricLakehouse.Read.All - For reading lakehouse files
- FabricLakehouse.ReadWrite.All - For reading and writing lakehouse files
To add scopes to your app, follow these steps.
Sign into the Microsoft Entra admin center.
Navigate to Applications > App registration and select your application.
In your application, from the Manage section, select Expose an API.
In Scopes defined by this API, select Add a scope.
Select Add a scope and follow the instructions in Add a scope.
Step 6: Add Client applications
Allow Fabric to request a token for your application without user consent.
Sign into the Microsoft Entra admin center.
Navigate to Applications > App registration and select your application.
In your application, from the Manage section, select Expose an API.
In Scopes defined by this API, select Add a scope.
Select Add a client application.
Add the client applications listed below. You can find the application IDs of these apps in Application IDs of commonly used Microsoft applications. You need to add each client application on its own.
- d2450708-699c-41e3-8077-b0c8341509aa - The Fabric client for backend operations.
- 871c010f-5e61-4fb1-83ac-98610a7e9110 - The Fabric client for frontend operations.
Step 7: Add API permissions
API permissions allow your app to use external service dependencies. To add API permissions to your app, follow the steps in Add permissions to an application.
Step 8: Generate a secret for your application
To configure the backend, you need to configure a secret for your application.
Sign into the Microsoft Entra admin center.
Navigate to Applications > App registration and select your application.
In your application, from the Manage section, select Certificates & secrets.
Select Client secrets and then select New client secret.
In the Add a client secret pane, enter the following:
- Description - The name you want to use as a secret.
- Expires - Select the expiration date for the secret.
Select Add.
Step 9: Add an idtyp optional claim
The idtyp claim signals that the token that the workload gets from Fabric is an app-only token.
Sign into the Microsoft Entra admin center.
Navigate to Applications > App registration and select your application.
In your application, from the Manage section, select Token configuration.
Select Add optional claim.
In the Add optional claim pane, for Token type, select Access.
In Claim, select idtyp.
Select Add.
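Once the claim is configured, a backend can tell app-only tokens apart by checking idtyp for the value app. The following Python sketch is an added example, not code from the workload sample; the function names and sample tokens are constructed, and it assumes signature, issuer and audience validation has already been done by your token validation library.

```python
import base64
import json

def unverified_claims(token):
    """Decode a JWT payload for inspection only (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(claims):
    """Classify already-validated access-token claims by the idtyp claim."""
    if claims.get("idtyp") != "app":
        # Claim absent or different: a user token, or the optional claim
        # from Step 9 was never configured. Fail closed either way.
        return "not-app-only"
    # scp lists delegated (user) permissions, so it does not belong
    # in an app-only token; treat the combination as suspect.
    return "inconsistent" if "scp" in claims else "app-only"

def _sample_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])

# Constructed samples: tenant ID and scope name are the ones used on this page.
APP_TOKEN = _sample_token({"idtyp": "app",
                           "tid": "bbbbcccc-1111-dddd-2222-eeee3333ffff"})
USER_TOKEN = _sample_token({"scp": "Item1.Read.All",
                            "tid": "bbbbcccc-1111-dddd-2222-eeee3333ffff"})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("user", USER_TOKEN)):
        print(name, "->", token_kind(unverified_claims(tok)))
```

If Step 9 is skipped, the token carries no idtyp claim and this check reports it as not app-only.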
Related content
- Learn how to work with authentication in workloads.