Hey everyone! I'm working on an app that runs within a customer tenant and I've set up Microsoft Graph with Application.Read.All permissions. This allows me to retrieve service principals using their `appId` after getting consent. My main question is about how I should handle authentication when I want to assign a Fabric contributor role. Should I be using delegated permissions when an admin user calls my app's endpoint (like `/fabric`), meaning I'd make a call to the Fabric API (`POST /v1/workspaces/{workspaceId}/roleAssignments`) on their behalf? Or is it better to go with an app-only call? Also, any recommendations on how to implement this in C#? Is there a Fabric SDK available, or should I just go for a direct HTTP call?
1 Answer
I think using delegated permissions is the way to go here. You can find the necessary permissions outlined in the Microsoft documentation for adding workspace role assignments. Check it out [here](https://learn.microsoft.com/en-us/rest/api/fabric/core/workspaces/add-workspace-role-assignment?tabs=HTTP).
Right, if you go with delegated permissions, you'll need to get an on-behalf-of (OBO) token for the user when they invoke the Fabric API through your app.

If you prefer, you could make a REST API request yourself, or try the beta version of the Fabric client from NuGet. It could simplify things for you! You can find more info about the Microsoft Fabric .NET SDK [here](https://blog.fabric.microsoft.com/en-us/blog/microsoft-fabric-net-sdk/#). For example, you could use something like `await fabricClient.Core.Workspaces.AddWorkspaceRoleAssignmentAsync(...)`.
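The delegated flow described in this answer, shown as an added C# example using MSAL.NET and a direct HTTP call (not code from the original post or from Microsoft). Assumptions: the `FabricRoleAssigner` class and its parameter names are hypothetical, the scope string and request body shape follow the linked role-assignment documentation, and `principalObjectId` is the service principal's Entra object ID rather than its `appId`.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public sealed class FabricRoleAssigner // hypothetical helper, not part of any SDK
{
    // Assumed delegated scope; request only this one rather than ".default" (least privilege).
    private static readonly string[] Scopes =
        { "https://api.fabric.microsoft.com/Workspace.ReadWrite.All" };
    private readonly IConfidentialClientApplication _msal;
    private readonly HttpClient _http;

    public FabricRoleAssigner(string tenantId, string clientId, string clientSecret, HttpClient http)
    {
        _http = http;
        _msal = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret) // load from a secret store, never from source
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .Build();
    }

    // callerAccessToken: the bearer token the admin sent to /fabric, already validated
    // (issuer, audience, signature) by the API's own authentication middleware.
    public async Task AssignContributorAsync(string callerAccessToken, string workspaceId, string principalObjectId)
    {
        // Parse both IDs as GUIDs so no caller-controlled text reaches the URL path or body as-is.
        if (!Guid.TryParse(workspaceId, out var ws) || !Guid.TryParse(principalObjectId, out var sp))
            throw new ArgumentException("workspaceId and principalObjectId must be GUIDs.");

        // On-behalf-of exchange: Fabric evaluates the admin's own workspace rights, not the app's.
        var obo = await _msal.AcquireTokenOnBehalfOf(Scopes, new UserAssertion(callerAccessToken))
                             .ExecuteAsync();

        using var req = new HttpRequestMessage(HttpMethod.Post,
            $"https://api.fabric.microsoft.com/v1/workspaces/{ws:D}/roleAssignments");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", obo.AccessToken);
        // The role is fixed in code, so a caller cannot escalate the grant to Member or Admin.
        req.Content = JsonContent.Create(new
        {
            principal = new { id = sp.ToString("D"), type = "ServicePrincipal" },
            role = "Contributor"
        });

        using var resp = await _http.SendAsync(req);
        if (!resp.IsSuccessStatusCode) // surface the status only; never log either token
            throw new HttpRequestException($"Fabric role assignment failed: {(int)resp.StatusCode}");
    }
}
```

The OBO exchange only succeeds if the app registration has the delegated Fabric permission consented in the customer tenant and the incoming token's audience is your API.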