How to Connect Microsoft Fabric to Azure DevOps Using Service Principal
Following Azure DevOps Service Principal & Cross Tenant Support (Generally Available) announcement for service principal and cross-tenant support – Microsoft Fabric Git Integration with Azure DevOps (ADO), this blog post serves as a guide to connecting Fabric workspaces to Azure DevOps repositories using service principal.
Fabric Git Integration is the foundation for organizations implementing fully automated CI/CD pipelines, enabling seamless movement of assets across Development, Test, and Production environments.
Currently, Fabric Git Integration supports two major Git providers: Azure DevOps and GitHub. This blog post addresses the new service principal capability for Azure DevOps.
Let’s briefly review how Microsoft Fabric integrates with Azure DevOps—and how service principal support changes the game.
Azure DevOps: Automatic Git Credential – Preservice principal support
By default, each Fabric workspace is not connected to any Git repository. When an admin user wants to connect a workspace to an Azure DevOps (ADO) repository, the user must first log from the workspace settings. The system then identifies which ADO organizations the user can access within the current Fabric tenant, allowing the user to proceed with the configuration.
Alternatively, this connection process can be completed programmatically by calling the Fabric Git Connect API, providing the admin user identity token.
Once the initial connection is established, any additional user with at least contributor permissions in the same workspace does not need to repeat the connection process. Instead, the system attempts to authenticate the second user with the configured ADO repository. If the user lacks the necessary permissions, the Fabric Git Integration source control pane will display a red indicator. This streamlined authentication process, known as “Automatic Git Credential”, was the only option before Azure DevOps introduced service principal support.
Azure DevOps: Configured Credential – Post service principal support
With the introduction of service principal support, users now have an enhanced way to connect their workspaces to Azure DevOps repositories. Instead of relying solely on Automatic authentication, users can create a new Azure DevOps cloud connection and use it for login.
The new Azure DevOps connection supports two authentication methods:
- OAuth 2.0
- Service principal
Both methods include support for multi-tenant (cross-tenant) scenarios, giving organizations flexibility across environments. This new authentication approach is referred to as “Configured Credential.”
As noted earlier, any additional user with at least Contributor permissions on the same workspace does not need to repeat the connection process.
Previously, the system attempted to authenticate secondary users only through Automatic authentication.
With this release, if Automatic authentication fails, the system will try to connect using any configured credential available to the user. This ensures a smoother experience and reduces redundant setup steps.
To learn more, refer to the Automate git integration with service principal in Microsoft Fabric documentation.
