Prerequisites

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

This section helps you prepare to configure the Microsoft Fabric OCF connector in Alation, including verifying your Fabric environment, registering an Azure AD application, creating a service principal, and configuring the required permissions.

Before you begin, ensure you have the following:

• Verify Microsoft Fabric is Enabled

• Register an Application with Microsoft Entra ID

• Create a Security Group

• Enable Fabric Tenant Settings

• Grant Workspace Access

• Lineage Prerequisites

Verify Microsoft Fabric is Enabled

Before requesting the Microsoft Fabric connector installation, verify that your Microsoft Fabric environment meets the following requirements. A Fabric administrator is required to perform these checks.

1. Verify Fabric is enabled on your tenant

   1. Sign in to the Microsoft Fabric portal as a Fabric administrator.

   2. Navigate to Admin Portal > Tenant Settings > Microsoft Fabric.

   3. Confirm that the Users can create Fabric items setting is enabled.

   For more information, see Enable Microsoft Fabric for your organization.

2. Verify Service principals can call Fabric APIs

   1. In the Admin Portal, navigate to Tenant Settings > Developer settings.

   2. Confirm that the Service principals can call Fabric public APIs setting is enabled.

   3. Confirm that the security group containing your service principal is included in the allowed list (or the setting is enabled for the entire organization).

   For more information, see Developer admin settings.

3. Verify you have a Fabric capacity

   1. In the Admin Portal, navigate to Capacity settings.

   2. Confirm you have at least one active Fabric capacity (F2 or higher, or Power BI Premium P1+ with Fabric enabled).

4. Verify workspaces with Fabric items exist

   1. Confirm you have at least one workspace containing Lakehouse or Warehouse items.

Note

If any of the above checks fail, work with your Microsoft 365 or Fabric administrator to enable the required settings before proceeding with the connector installation request.

Register an Application with Microsoft Entra ID

To register an application with Microsoft Entra ID, refer Register app with Microsoft Entra ID for more information.

1. Log in to the Azure portal as Cloud Application Administrator or Application Administrator. If the creation of registered applications is not enabled for the entire organization, any one of the roles is required.

2. Select Microsoft Entra ID.

3. Click App registrations (on the left pane) > New registration.

4. Specify a name for your client application in the Name field. Retain the default values in the Supported account types and Redirect URI sections and then click Register.

5. From the App registrations screen, copy the value of Application (client) ID and store it in a secure location.

6. From the Overview screen of the new app, copy the value of Tenant ID and store it in a secure location.

7. Click Certificates & secrets from the left menu on the new app.

8. On the Certificates & secrets page, in Client secrets section, click + New client secret.

9. In the Add a client secret screen, specify the following information:

   • Description for your client secret.

   • Expiry

10. Click Add.

11. Copy the client secret value displayed under the Value column and store it in a secure location.

Create a Security Group

Create a security group in Microsoft Entra ID and add the service principal to it. This group will be used to control access in Fabric tenant settings.

1. Sign in to the Azure portal as Cloud Application Administrator or Application Administrator.

2. Select Microsoft Entra ID.

3. Go to Manage > Groups.

4. Click the New group button.

5. Set the following values:

   • Set the Group type to Security.

   • Enter a Group name (for example, Fabric-Alation-Integration) and a Group description.

   • Select the No members selected link in Members.

   • For service principal authentication, search for the application that you registered in Register an Application with Microsoft Entra ID and click to select it.

6. Click Select.

7. Click Create.

8. After creation, open the security group and copy the Name or Object ID from the group’s Overview page. You will need this when configuring the Fabric tenant settings in the next step.

Note

If you want to enable service principal access for the entire organization, you can skip creating a security group. However, using a security group is recommended for better access control.

Enable Fabric Tenant Settings

Enable the tenant settings that allow service principals to use Fabric APIs and read-only admin APIs. For more information, see Enable service principal authentication in the Microsoft Fabric documentation.

1. Sign in to the Microsoft Fabric portal as a Fabric administrator.

2. Navigate to Admin Portal > Tenant Settings > Developer settings and perform the following configuration:

   1. Enable Service principals can use Fabric APIs.

   2. Under Apply to, select the security group that contains the service principal, or select The entire organization.

   3. Click Apply to apply the settings.

3. Navigate to Tenant Settings > Admin API settings and perform the following configuration:

   1. Enable Allow service principals to use read-only Power BI admin APIs.

   2. Select Specific security groups and select the security group created in Create a Security Group.

   3. Click Apply to apply the settings.

Important

If the service principal is not in the specified security group, the connector will receive a 403 Forbidden error when calling the Fabric REST API. Ensure the service principal is added to the correct security group.

Grant Workspace Access

The service principal or its security group must have access to the Fabric workspaces you want to catalog. Grant member-level access to enable the connector to extract metadata.

1. In the Microsoft Fabric portal, navigate to the workspace you want to catalog.

2. Click the Manage access icon (or go to Workspace settings > Access).

3. Add the service principal (by its application name) or the security group as a Member or Admin. The minimum required role is Member.

4. Repeat for each workspace you want to extract metadata from.

For more information, refer to the following Microsoft documentation:

• Add a service principal or security group manually

• Add a service principal or security group by using PowerShell

Note

The connector can only discover workspaces that the service principal has access to. Workspaces without access will not appear during metadata extraction.

Lineage Prerequisites

To view lineage between Fabric Lakehouse or Warehouse objects and Power BI semantic models or reports, ensure that:

• The Power BI Scanner OCF Connector version 2.13.0 or higher is installed in Alation.

• The Power BI data source is cataloged in Alation.