Set up Microsoft Fabric with Azure API Management
Configure Azure API Management (APIM) as a gateway so that Atlan can connect to Microsoft Fabric using managed identity authentication instead of a direct service principal. This setup is for customers who route Fabric API traffic through APIM.
Prerequisites
Before you begin, make sure you have:
- Access to the Azure portal and an active Azure subscription
- Permission to create resources in an Azure resource group
- Fabric Administrator privileges in the Microsoft Fabric admin portal
- Cloud Application Administrator or Application Administrator role in Microsoft Entra ID
Create APIM service
Create an Azure API Management service that acts as the gateway between Atlan and the Microsoft Fabric APIs.
- Log in to the Azure portal.
- Search for API Management services and select it.
- Click + Create.
- Select your Subscription and Resource group (for example,
atlan-prod). - Enter a Name for your APIM instance (for example,
atlan-fabric-apim-dev). - Choose the Region, Organization name, and Administrator email.
- Select the Pricing tier that meets your SLA requirements.
- Click Review + create, then Create.
Deployment typically takes 30–60 minutes. Azure sends a confirmation email to the administrator email address when it's complete.
Once deployment completes, your APIM gateway URL follows this format:
https://<apim-name>.azure-api.net/fabric/v1
Enable system-assigned managed identity
Enable a system-assigned managed identity on your APIM instance. This identity is used by APIM to obtain tokens from Microsoft Entra ID and call the Fabric and Power BI admin APIs on Atlan's behalf.
- In the Azure portal, navigate to your APIM instance.
- Click Managed identities in the left menu.
- Under System assigned, set the Status toggle to On.
- Click Save.
- Copy and store the Object (principal) ID that appears—you'll need it when adding the APIM identity to workspaces and security groups.
Define API endpoints in APIM
Define the Fabric and Power BI API endpoints in your APIM instance, and configure inbound policies so that APIM uses managed identity authentication when forwarding requests.
- Import via OpenAPI spec
- Add API operations manually
You can add all API operations at once by uploading an OpenAPI specification file.
Fabric APIs
fabric-apis.yaml
openapi: 3.0.1
info:
title: Fabric Admin API
version: '1.0'
servers:
- url: 'https://<apim-name>.azure-api.net/fabric/v1'
paths:
/admin/items:
get:
summary: GetAdminItems
operationId: getadminitems
parameters:
- name: workspaceId
in: query
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/{workspace_id}/lakehouses:
get:
summary: ListLakehouses
operationId: listlakehouses
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/{workspace_id}/warehouses:
get:
summary: ListWarehouses
operationId: listwarehouses
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/{workspace_id}/dataPipelines:
get:
summary: ListDataPipelines
operationId: listdatapipelines
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/{workspace_id}/semanticModels:
get:
summary: ListSemanticModels
operationId: listsemanticmodels
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/{workspace_id}/reports:
get:
summary: ListReports
operationId: listreports
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/{workspace_id}/dataPipelines/{pipeline_id}/getDefinition:
post:
summary: GetPipelineDefinition
operationId: getpipelinedefinition
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
- name: pipeline_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/{workspace_id}/semanticModels/{model_id}/getDefinition:
post:
summary: GetSemanticModelDefinition
operationId: getsemanticmodeldefinition
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
- name: model_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/{workspace_id}/reports/{report_id}/getDefinition:
post:
summary: GetReportDefinition
operationId: getreportdefinition
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
- name: report_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/getInfo:
post:
summary: TriggerWorkspaceScan
operationId: triggerworkspacescan
responses:
'200':
description: ''
/workspaces/scanStatus/{scan_id}:
get:
summary: GetScanStatus
operationId: getscanstatus
parameters:
- name: scan_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/scanResult/{scan_id}:
get:
summary: GetScanResult
operationId: getscanresult
parameters:
- name: scan_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/token/sql:
get:
summary: GetSQLToken
operationId: getsqltoken
responses:
'200':
description: ''
/operations/{operation_id}:
get:
summary: GetLROStatus
operationId: getlrostatus
parameters:
- name: operation_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/operations/{operation_id}/result:
get:
summary: GetLROResult
operationId: getlroresult
parameters:
- name: operation_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
components:
securitySchemes:
apiKeyHeader:
type: apiKey
name: Ocp-Apim-Subscription-Key
in: header
apiKeyQuery:
type: apiKey
name: subscription-key
in: query
security:
- apiKeyHeader: []
- apiKeyQuery: []
- Copy the specification and save it as
fabric-apis.yamlon your machine. Replace<apim-name>with your APIM instance name. - In your APIM instance, click APIs in the left menu.
- Click + Add API and select OpenAPI.
- Click Select a file and upload the
fabric-apis.yamlfile you saved. - Set the Display name to
Fabric APIsand the API URL suffix tofabric/v1. - Click Create.
Power BI API
powerbi-api.yaml
openapi: 3.0.1
info:
title: Power BI API
version: '1.0'
servers:
- url: 'https://<apim-name>.azure-api.net/powerbi/v1.0'
paths:
/myorg/groups/{workspace_id}/dataflows/{dataflow_id}:
get:
summary: GetDataflowDefinition
operationId: getdataflowdefinition
parameters:
- name: workspace_id
in: path
required: true
schema:
type: string
- name: dataflow_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/getInfo:
post:
summary: TriggerWorkspaceScan
operationId: triggerworkspacescan
responses:
'200':
description: ''
/workspaces/scanStatus/{scan_id}:
get:
summary: GetScanStatus
operationId: getscanstatus
parameters:
- name: scan_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/workspaces/scanResult/{scan_id}:
get:
summary: GetScanResult
operationId: getscanresult
parameters:
- name: scan_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
/dataflows:
get:
summary: GetDataflows
operationId: getdataflows
responses:
'200':
description: ''
/dataflows/{dataflow_id}/export:
get:
summary: GetDataflowDefinitionAdmin
operationId: getdataflowdefinitionadmin
parameters:
- name: dataflow_id
in: path
required: true
schema:
type: string
responses:
'200':
description: ''
components:
securitySchemes:
apiKeyHeader:
type: apiKey
name: Ocp-Apim-Subscription-Key
in: header
apiKeyQuery:
type: apiKey
name: subscription-key
in: query
security:
- apiKeyHeader: []
- apiKeyQuery: []
- Copy the specification and save it as
powerbi-api.yamlon your machine. Replace<apim-name>with your APIM instance name. - Click + Add API and select OpenAPI.
- Click Select a file and upload the
powerbi-api.yamlfile you saved. - Set the Display name to
Power BI APIand the API URL suffix topowerbi/v1.0. - Click Create.
To add operations one by one, create two APIs with the following configuration and add each operation individually.
Fabric APIs
API settings:
- Display name:
Fabric APIs - Web service URL:
https://api.fabric.microsoft.com/v1 - API URL suffix:
fabric/v1
Operations to add:
| Display name | Method | URL template |
|---|---|---|
| GetAdminItems | GET | /admin/items |
| ListLakehouses | GET | /workspaces/{workspace_id}/lakehouses |
| ListWarehouses | GET | /workspaces/{workspace_id}/warehouses |
| ListDataPipelines | GET | /workspaces/{workspace_id}/dataPipelines |
| ListSemanticModels | GET | /workspaces/{workspace_id}/semanticModels |
| ListReports | GET | /workspaces/{workspace_id}/reports |
| GetPipelineDefinition | POST | /workspaces/{workspace_id}/dataPipelines/{pipeline_id}/getDefinition |
| GetSemanticModelDefinition | POST | /workspaces/{workspace_id}/semanticModels/{model_id}/getDefinition |
| GetReportDefinition | POST | /workspaces/{workspace_id}/reports/{report_id}/getDefinition |
| TriggerWorkspaceScan | POST | /workspaces/getInfo |
| GetScanStatus | GET | /workspaces/scanStatus/{scan_id} |
| GetScanResult | GET | /workspaces/scanResult/{scan_id} |
| GetSQLToken | GET | /token/sql |
| GetLROStatus | GET | /operations/{operation_id} |
| GetLROResult | GET | /operations/{operation_id}/result |
Power BI API
API settings:
- Display name:
Power BI API - Web service URL:
https://api.powerbi.com/v1.0 - API URL suffix:
powerbi/v1.0
Operations to add:
| Display name | Method | URL template |
|---|---|---|
| TriggerWorkspaceScan | POST | /workspaces/getInfo |
| GetScanStatus | GET | /workspaces/scanStatus/{scan_id} |
| GetScanResult | GET | /workspaces/scanResult/{scan_id} |
| GetDataflows | GET | /dataflows |
| GetDataflowDefinition | GET | /myorg/groups/{workspace_id}/dataflows/{dataflow_id} |
| GetDataflowDefinitionAdmin | GET | /dataflows/{dataflow_id}/export |
Apply managed identity policies
Apply an inbound policy to each API so that APIM automatically obtains a managed identity token and forwards it as a Bearer token to the backend.
Fabric APIs policy
- In your APIM instance, click APIs and select the Fabric APIs API.
- Click All operations.
- In the Inbound processing section, click the Policy editor (
</>) icon. - Replace the default policy with the following:
<policies>
<inbound>
<base />
<authentication-managed-identity
resource="https://api.fabric.microsoft.com"
output-token-variable-name="fabric-token" />
<set-header name="Authorization" exists-action="override">
<value>@("Bearer " + (string)context.Variables["fabric-token"])</value>
</set-header>
</inbound>
<backend>
<set-backend-service base-url="https://api.fabric.microsoft.com/v1" />
</backend>
<outbound>
<base />
</outbound>
</policies>
- Click Save.
Fabric SQL token policy
The GetSQLToken operation requires a separate policy because it returns a SQL access token (for Warehouse connections) directly from the managed identity, rather than forwarding to the Fabric backend.
- Select the Fabric APIs API and click the GetSQLToken operation.
- In the Inbound processing section, click the Policy editor (
</>) icon. - Replace the policy with the following:
<policies>
<inbound>
<base />
<authentication-managed-identity
resource="https://database.windows.net"
output-token-variable-name="sql-token" />
<return-response>
<set-status code="200" reason="OK" />
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
<set-body>@("{\"access_token\":\"" + (string)context.Variables["sql-token"] + "\",\"token_type\":\"Bearer\",\"expires_in\":3600}")</set-body>
</return-response>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
- Click Save.
Power BI API policy
- Select the Power BI API and click All operations.
- In the Inbound processing section, click the Policy editor (
</>) icon. - Replace the policy with the following:
<policies>
<inbound>
<base />
<authentication-managed-identity
resource="https://analysis.windows.net/powerbi/api"
output-token-variable-name="pbi-token" />
<set-header name="Authorization" exists-action="override">
<value>@("Bearer " + (string)context.Variables["pbi-token"])</value>
</set-header>
<set-backend-service base-url="https://api.powerbi.com/v1.0" />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
- Click Save.
Create security group in Microsoft Entra ID
Create a security group in Microsoft Entra ID that includes the APIM managed identity. You'll use this group to grant access in the Fabric tenant settings.
- In the Azure portal, navigate to Microsoft Entra ID.
- Click Groups under the Manage section.
- Click + New group.
- Set the Group type to Security.
- Enter a Group name (for example,
fabric-apim) and an optional description. - Click No members selected.
- Search for your APIM instance by name (for example,
atlan-fabric-apim-dev) and select it. - Click Select, then click Create.
Configure Fabric tenant settings
Grant the APIM managed identity permission to call Fabric admin APIs and access workspaces.
Enable service principal access in Fabric
By default, service principals can't interact with Fabric APIs. A Fabric Administrator must enable this setting before the APIM managed identity can be used.
- Log in to Microsoft Fabric.
- Click the Settings icon on the top panel.
- Click Admin Portal under the Governance and insights section.
- Select Tenant settings from the sidebar.
- Under Developer settings, find Service principals can use Fabric APIs.
- Set it to Enabled.
- Under Apply to, select Specific security groups and add your
fabric-apimsecurity group. - Click Apply.
Enable admin API access
-
In the same Tenant settings page, under Admin API settings, configure the following:
-
Service principals can access read-only admin APIs:
- Set to Enabled
- Add your
fabric-apimsecurity group under Specific security groups - Click Apply
-
Enhance admin APIs responses with detailed metadata:
- Set to Enabled
- Add your
fabric-apimsecurity group - Click Apply
-
Enhance admin APIs responses with DAX and mashup expressions:
- Set to Enabled
- Add your
fabric-apimsecurity group - Click Apply
-
After making these changes, wait 15–30 minutes for the settings to propagate across Microsoft's services.
Add APIM identity to workspaces
Grant the APIM managed identity access to each Fabric workspace you want Atlan to catalog.
- Open the Microsoft Fabric homepage.
- Navigate to Workspaces and open the workspace you want to catalog.
- Click Manage access.
- Click Add people or groups.
- Search for the name of your APIM instance (for example,
atlan-fabric-apim-dev). - Select it and assign the Contributor role.
- Click Add.
Repeat these steps for each workspace you want Atlan to access.
Verify what Atlan accesses—and how to confirm it
A common concern when granting a third-party tool access to your data platform is: how do I know it's only reading metadata and not touching actual data?
With APIM in place, every API call Atlan makes passes through your gateway. This means you have full, independent visibility into what's being called and what's being returned—without relying on Atlan to tell you. Your security and governance teams can verify this at any time, on their own.
There are three ways to do this, ranging from quick spot-checks to full audit trails:
- APIM Test tab: Call any of Atlan's APIs yourself from the Azure portal and inspect the raw response
- APIM built-in Analytics: A lightweight dashboard showing which APIs were called, when, and from where
- Application Insights: A detailed, real-time feed of every request, including the full request URL, response code, and response body
All three confirm the same thing: Atlan only calls metadata APIs. The responses contain asset names, IDs, types, and states—not table rows, not column values, not any actual business data.
- APIM Test tab
- APIM built-in Analytics
- Application Insights (full audit trail)
You don't need to wait for Atlan to run a crawl. You can call any of Atlan's APIs directly from the Azure portal and see exactly what they return.
- In your APIM instance, click APIs in the left menu.
- Select Fabric Admin API.
- Click any operation—for example, GetAdminItems.
- Click the Test tab.
- Fill in any required parameters (for example,
workspaceId). - Click Send.
The response panel shows the full HTTP response: status code, all response headers, and the raw JSON body. You'll see entries like this:
{
"id": "63ae6cfc-d263-4eb3-a439-b353a60ffb3a",
"type": "Lakehouse",
"name": "fabric_lakehouse",
"state": "Active",
"workspaceId": "d5179b08-03ca-474c-9849-e54596f0f992"
}
Notice what's not here: no table rows, no column values, no business records. These are the same asset names and IDs you see in the Fabric admin portal.
Use Trace to see full request lifecycle
Instead of clicking Send, click Trace. This shows the complete internal lifecycle of the request through APIM:
- Inbound: the request as it arrived at the gateway, including all headers, policies that ran (such as the managed identity token being fetched), and the final URL forwarded to the back end
- Back end: the exact request that was sent to
api.fabric.microsoft.comorapi.powerbi.com, with all headers - Outbound: the response as it came back from the back end, before being returned to Atlan
This is useful for confirming that the managed identity policy is working correctly and that requests are being routed to the right back end.
APIM includes a built-in analytics dashboard that requires no additional setup. After Atlan runs a crawl, you can see a summary of all API activity at a glance.
- In your APIM instance, click Analytics under the Monitoring section in the left menu.
- If prompted, connect a Log Analytics workspace:
- Click Collect data from a resource
- Select an existing Log Analytics workspace or create a new one
- Click Save
- Allow 2–3 hours for data to begin appearing after first connecting
The Analytics page shows:
- Timeline: when requests were made during a crawl
- Geography: where requests originated from
- APIs: which specific APIs were called (Fabric APIs, Power BI API)
- Operations: which operations within each API were used (for example,
GetAdminItems,GetScanResult) - Subscriptions: which subscription key was used (useful to confirm all requests came from Atlan's subscription)
The Analytics (classic) tab shows the same information using an older format built directly into APIM, with no Log Analytics workspace needed. It's scheduled to be retired in March 2027.
Application Insights provides the deepest level of visibility: a complete, real-time audit trail of every single API request, including the full response body. This is what your security team needs to confirm, line by line, what Atlan retrieved from the Fabric APIs.
Create workspace for log storage
Application Insights requires a Log Analytics workspace to store data. You can create a separate one to keep this data isolated.
- In the Azure portal, search for Log Analytics workspaces and select it.
- Click + Create.
- Select your Subscription and Resource group.
- Enter a Name (for example,
atlan-fabric-apim-logs). - Choose the same Region as your APIM instance.
- Click Review + create, then Create. Data takes 2–3 hours to appear after the workspace is ready.
Create application insights resource
- In the Azure portal, search for Application Insights and select it.
- Click + Create.
- Select your Subscription and Resource group.
- Enter a Name (for example,
atlan-fabric-apim-insights). - Under Log Analytics workspace, select the workspace you just created (or create a new dedicated one to keep the data separate from other resources).
- Click Review + create, then Create.
Connect Application Insights to your APIM instance
- Navigate to your APIM instance in the Azure portal.
- Click Application Insights under the Monitoring section in the left menu.
- Click + Add.
- Select the Application Insights resource you just created.
- Enable the following:
- Enable default logging: collects data for all APIs automatically. Keep this on.
- Add availability monitor: periodically checks that your APIM gateway is reachable. Recommended for production.
- Click Create.
Configure logging to capture full request and response data
By default, Application Insights doesn't collect headers or response body payloads. You need to enable this explicitly to see the full picture.
-
In your APIM instance, click APIs in the left menu.
-
Select All APIs to configure globally (you can also override per API).
-
Click Settings and scroll to the Application Insights section. Configure the following:
- Set Application Insights to Enabled.
- Set Destination to your Application Insights resource.
- Set Sampling (%) to 100 to capture every request during initial verification. Reduce to 50 once satisfied; App Insights uses statistical analysis so 50% is sufficient for ongoing monitoring.
- Turn on Always log errors to capture all failed requests regardless of sampling rate.
- Turn on Log client IP to log where each request originated from.
- Set Verbosity to Verbose to capture full request and response data including headers and body. Switch to Basic for lower overhead once verification is complete.
- Set Correlation protocol to W3C to enable end-to-end tracing so each crawl run can be followed as a single transaction chain across the gateway and back end.
-
Expand the Additional settings section and enable payload and header logging for all four points in the API lifecycle:
- Frontend request: the request as it arrives at APIM from Atlan
- Frontend response: the response APIM sends back to Atlan
- Back-end request: the request APIM forwards to
api.fabric.microsoft.com - Back-end response: the raw response from the Fabric API
-
Click Save.
Inspect data after crawl
After Atlan runs a crawl, navigate to your Application Insights resource. Allow a few minutes for data to populate.
Performance view
See every operation Atlan called.
Go to Investigate → Performance. This lists every API operation that ran through your APIM gateway with operation name, average duration, and call count. Filter by time range to scope to a specific crawl. You'll see operations like:
getadminitems: fetches workspace asset inventory (names, IDs, types)getscanresult: retrieves the scanner API result (workspace metadata)getsemanticmodeldefinition: retrieves semantic model structure
Dependencies view
See the exact back-end URLs called.
Click the Dependencies tab. This shows the actual back-end URLs that APIM forwarded requests to, for example:
Backend (https://api.fabric.microsoft.com): GET /v1/admin/itemsBackend (https://api.fabric.microsoft.com): GET /v1/admin/workspaces/scanResult/{scan_id}
This confirms Atlan is only hitting Microsoft's official admin endpoints—not any data plane endpoints, not any storage or SQL endpoints, not any endpoint that returns row-level data.
End-to-end transaction details
See the full response body for any individual request.
Click any operation in the Performance view, then select a specific request to open the End-to-end transaction details. This shows:
- The exact URL that was called
- The HTTP response code
- All request and response headers
- The full Response Body: the raw JSON Atlan received
The response body for a metadata API looks like this (asset names, IDs, and states—no data values):
{
"id": "63ae6cfc-d263-4eb3-a439-b353a60ffb3a",
"type": "Lakehouse",
"name": "fabric_lakehouse",
"state": "Active",
"workspaceId": "d5179b08-03ca-474c-9849-e54596f0f992",
"creatorPrincipal": { "id": "...", "type": "User" }
}
Application map
Visualize how Atlan connects to back-end services.
Go to Application map in the left menu. This shows a diagram of your APIM instance and all the back-end services it communicated with (Fabric API, Power BI API). It's a quick visual confirmation that Atlan's requests stayed within the expected boundaries.
Transaction search
Search and filter all requests.
Go to Transaction search to see all individual API calls. You can filter by time range, operation name, response code, and more. Click any entry to open the full end-to-end transaction detail.
Next steps
- Crawl Microsoft Fabric: Discover and catalog your Microsoft Fabric workspaces and assets using the APIM connection