Hey folks,
I'm working on an application that operates within a customer tenant, and I've managed to attach the Microsoft Graph Application.Read.All permissions. This allows me to successfully retrieve service principals by their `appId` in various customer tenants after obtaining the necessary consent.
Now, I'm trying to figure out how to assign the Fabric contributor role. I'm a bit puzzled about the right authentication model to use here. Should I implement a delegated call for when an authenticated admin user hits my app's endpoint (like `/fabric`)? In that case, would I then be making a call to the Fabric API (`POST /v1/workspaces/{workspaceId}/roleAssignments`) on their behalf?
Or is it more appropriate to go for an app-only call instead?
Also, could anyone guide me on how to implement this in C#? Is there a Fabric SDK available, or do I need to make an HTTP call myself?
2 Answers
I think a delegated approach is the way to go for this. Don't forget to check the required permissions in the API documentation: [Workspaces - Add Workspace Role Assignment](https://learn.microsoft.com/en-us/rest/api/fabric/core/workspaces/add-workspace-role-assignment?tabs=HTTP).
Yes, you can definitely go either route. If you opt for the delegated method, that means when a user calls your API, you'll need to perform an On-Behalf-Of flow to get a token for them to call the Fabric API. As for SDKs, you can either make REST API requests manually or check out the beta version of the Fabric client. Here’s a helpful link: [Microsoft Fabric .NET SDK](https://blog.fabric.microsoft.com/en-us/blog/microsoft-fabric-net-sdk/#).
With the SDK, you could use something like:
```csharp
await fabricClient.Core.Workspaces.AddWorkspaceRoleAssignmentAsync(...);
```

Absolutely, if you're going with the delegated option, you'll have to manage getting the token for the user through the OBO flow.
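The delegated route discussed in the answers, written out as an added example (not code from the thread or from the Fabric SDK): an On-Behalf-Of token exchange with MSAL.NET followed by a raw `POST /v1/workspaces/{workspaceId}/roleAssignments`. The class and parameter names are hypothetical. It assumes the incoming user token was already validated by your API and was issued for your API's audience, and the `.default` scope, the `api.fabric.microsoft.com` host and the request body shape are assumptions to confirm against the linked API documentation.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public sealed class FabricRoleAssigner // hypothetical helper, not part of any SDK
{
    // Assumption: .default resolves to the delegated Fabric permissions consented for this app.
    private static readonly string[] FabricScopes = { "https://api.fabric.microsoft.com/.default" };
    private readonly HttpClient _http;
    private readonly string _clientId, _clientSecret;

    public FabricRoleAssigner(HttpClient http, string clientId, string clientSecret)
        => (_http, _clientId, _clientSecret) = (http, clientId, clientSecret);

    // incomingUserToken: the bearer token the admin sent to your endpoint (never log it).
    // principalObjectId: assumed to be the service principal's object id in the customer tenant.
    public async Task AssignContributorAsync(
        string tenantId, string incomingUserToken, string workspaceId, string principalObjectId)
    {
        // Reject non-GUID input before it reaches the authority or the request URL.
        if (!Guid.TryParse(tenantId, out var tenant) || !Guid.TryParse(workspaceId, out var ws)
            || !Guid.TryParse(principalObjectId, out var principal))
            throw new ArgumentException("tenantId, workspaceId and principalObjectId must be GUIDs.");

        // Tenant-specific authority keeps the exchange pinned to the customer's tenant.
        var app = ConfidentialClientApplicationBuilder.Create(_clientId)
            .WithClientSecret(_clientSecret)
            .WithAuthority($"https://login.microsoftonline.com/{tenant}")
            .Build();
        AuthenticationResult token;
        try
        {
            token = await app.AcquireTokenOnBehalfOf(FabricScopes, new UserAssertion(incomingUserToken))
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex) // consent, MFA or Conditional Access still needed
        {
            throw new UnauthorizedAccessException("User must re-authenticate or consent.", ex);
        }

        using var request = new HttpRequestMessage(HttpMethod.Post,
            $"https://api.fabric.microsoft.com/v1/workspaces/{ws}/roleAssignments");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
        request.Content = JsonContent.Create(
            new { principal = new { id = principal, type = "ServicePrincipal" }, role = "Contributor" });
        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode(); // a 401/403 here means the user lacks rights on the workspace
    }
}
```

Because the call runs as the signed-in admin, the assignment succeeds only if that user is allowed to manage the workspace, which keeps your app from holding standing tenant-wide Fabric rights.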