Question: How do I troubleshoot a 401 (Unauthorized) error from Fabric REST API?
I have an App Registration that uses a secret to authenticate with Fabric and I am able to issue REST API calls from DevOps for the purposes of automated deployments. So, the plumbing from DevOps through the App Registration out to Fabric works. Note: DevOps uses a Managed Identity in the service connection to retrieve the App Registration secret from the Azure Key Vault. I am golden here.
But, now I am attempting to implement Federated Credentials on the same App Registration for the purpose of eliminating the need for a secret (eliminate developer maintenance of renewing expired secrets and prevent leaking of the secret). This required a new service connection in DevOps.
In the build pipeline, I am able to use the new service connection (Note: it is a two-step process that requires getting both the Issuer and Subject Identifier from the App Registration's Federated Credential) to request a bearer token, which I received; however, I am getting stuck at calling the REST API when I present the bearer token - I get a 401 (Unauthorized) error. I have searched high and low on the internet to figure out how to resolve this, but I have come up empty-handed.
Documentation online detailing the configuration and testing is sparse. Admittedly, there is more documentation on the former than the latter. But, the latter is the kicker - Federated Credentials doesn't work for me when the Fabric REST API rejects my bearer token.
Here is the PowerShell script that I am using in the build pipeline. How do I fix this? Can the same App Registration be used for authentication either with a secret or federated credentials? Or am I calling the pipeline incorrectly?
write-host "Requesting bearer token."
$bearerToken = (Get-AzAccessToken -ResourceUrl "https://api.fabric.microsoft.com").Token | ConvertFrom-SecureString
$headers = @{
    "Authorization" = "Bearer $bearerToken"
    "Content-Type" = "application/json"
}
write-host "The bearer token is: $bearerToken"
Write-Host "Calling Fabric API..."
$headers = @{ Authorization = "Bearer $bearerToken" }
$scope = 'https://analysis.windows.net/powerbi/api/.default'
$fabricApiUrl = 'https://api.fabric.microsoft.com/v1/workspaces'
$response = Invoke-RestMethod -Uri $fabricApiUrl -Headers $headers -Method Get
Write-Host "$response"

404 is defined as "not found".
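A diagnostic for the 401 in the question's script, as an added example that is not part of the original thread: it checks whether the string placed after `Bearer` is actually a JWT and reports its audience, issuer and expiry without writing the token to the pipeline log. `ConvertFrom-SecureString` without `-AsPlainText` (PowerShell 7+) returns protected text rather than the token, which is the case the second call reproduces. The function names, the default expected audience and the sample claims are assumptions constructed for illustration.

```powershell
# Added example (not the poster's code): inspect a token without logging it.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-BearerTokenDiagnostics {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Assumption: the audience the caller expects; match it to the resource requested.
        [string]$ExpectedAudience = 'https://api.fabric.microsoft.com'
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) {
        # Not header.payload.signature, e.g. protected SecureString text.
        return [pscustomobject]@{
            IsJwt  = $false
            Length = $Token.Length
            Reason = "expected 3 dot-separated segments, found $($parts.Count)"
        }
    }
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        IsJwt           = $true
        Audience        = $claims.aud
        AudienceMatches = ([string]$claims.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/')
        Issuer          = $claims.iss
        # v1 tokens carry 'appid', v2 tokens carry 'azp'.
        ClientId        = if ($claims.appid) { $claims.appid } else { $claims.azp }
        ExpiresUtc      = $expires.UtcDateTime
        Expired         = $expires -lt [DateTimeOffset]::UtcNow
    }
}

# Constructed sample 1: an unsigned JWT with placeholder claims.
$payload = @{ aud = 'https://api.fabric.microsoft.com'
              iss = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'
              appid = '11111111-1111-1111-1111-111111111111'
              exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds() } | ConvertTo-Json -Compress
$sampleJwt = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'constructed' -join '.'
Get-BearerTokenDiagnostics -Token $sampleJwt

# Constructed sample 2: what ConvertFrom-SecureString emits when -AsPlainText is omitted.
$protected = ConvertTo-SecureString 'placeholder' -AsPlainText -Force | ConvertFrom-SecureString
Get-BearerTokenDiagnostics -Token $protected
```

In a pipeline, logging this object in place of the `Write-Host "The bearer token is: ..."` line keeps the credential out of the build output while still showing whether the audience and client ID are the ones the federated credential was meant to produce.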