Merge pull request #15 from microsoft/agh-auth-deployment-error

refactor: exit gracefully on 401 unauthorized

Author: Yamini-Microsoft

azure.yaml

@@ -5,7 +5,7 @@ metadata:
   template: real-time-intelligence-operations-solution-accelerator@1.0
 
 requiredVersions:
-  azd: ">1.19.0"
+  azd: ">= 1.19.0"
 
 hooks:
   postprovision:

docs/DeploymentGuide.md

@@ -70,7 +70,7 @@ Before starting, ensure your deployment identity has the following requirements.
 - [ ] **`Microsoft.EventHub` Resource Provider Access**: Verify your Azure Subscription has Event Hub resource provider enabled
 
 ### 🔗 API Permissions
-- [ ] **Service principals and managed identities support on Fabric REST API**: To use service principals and managed identities with Fabric REST APIs (GitHub actions require it), [enable the `Service principals can use Fabric` APIs tenant setting](https://learn.microsoft.com/rest/api/fabric/articles/identity-support)
+- [ ] **Service principals and managed identities support on Fabric REST API**: To use service principals and managed identities with Fabric REST APIs (GitHub actions require it), [enable the `Service principals can use Fabric` APIs tenant setting](https://learn.microsoft.com/rest/api/fabric/articles/identity-support). You must be a [Microsoft 365 administrator](https://learn.microsoft.com/microsoft-365/admin/add-users/assign-admin-roles) to enable this setting
 - [ ] **Fabric REST API - Workspace Management**: Access to create and manage Fabric workspaces ([see scopes](https://learn.microsoft.com/rest/api/fabric/articles/scopes))
 - [ ] **Fabric REST API - Item Creation**: Access to create Eventhouses, KQL databases, and dashboards ([see scopes](https://learn.microsoft.com/rest/api/fabric/articles/scopes))
 - [ ] **Azure Event Hubs API**: Access to create and manage Event Hub resources
@@ -270,7 +270,7 @@ Deploy using automated CI/CD pipeline with GitHub Actions and Azure federated id
 
 **Setup**:
 1. Fork the repository to your GitHub account
-2. Configure [Azure service principal with federated identity credentials](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure-openid-connect) for GitHub Actions (recommened)
+2. Configure [Azure service principal with federated identity credentials](https://learn.microsoft.com/azure/developer/github/connect-from-azure-openid-connect) for GitHub Actions (recommened)
 3. Set repository variables in GitHub:
    - `AZURE_CLIENT_ID`: Service principal client ID
    - `AZURE_TENANT_ID`: Azure tenant ID  

infra/scripts/fabric/deploy_fabric_rti.py

@@ -58,6 +58,7 @@
 from fabric_auth import authenticate, authenticate_workspace
 from fabric_workspace import setup_workspace
 from fabric_workspace_admins import setup_workspace_administrators
+from fabric_api import FabricApiError
 from fabric_eventhouse import setup_eventhouse  
 from fabric_database import setup_fabric_database
 from fabric_data_ingester import load_data_to_fabric
@@ -122,17 +123,40 @@ def main():
     # Step 1: Setup workspace
     print_step(1, 11, "Setting up Fabric workspace and capacity assignment", capacity_name=capacity_name, workspace_name=workspace_name)
     try:
-        workspace_result = setup_workspace(
+        workspace_id = setup_workspace(
             fabric_client=fabric_client,
             capacity_name=capacity_name,
             workspace_name=workspace_name
         )
-        if workspace_result is None:
+        if workspace_id is None:
             print_steps_summary(solution_name, solution_suffix, executed_steps, ["setup_workspace"])
             sys.exit(1)
         print(f"✅ Successfully completed: setup_workspace")
         executed_steps.append("setup_workspace")
-        workspace_id = workspace_result.get('id')
+    except FabricApiError as e:
+        if e.status_code == 401:
+            print(f"\n⚠️  WARNING: Authentication failed (401 Unauthorized)")
+            print(f"\n📋 AUTHENTICATION ISSUE DETECTED:")
+            print(f"   The current user does not have sufficient permissions to create workspaces")
+            print(f"   or assign capacities in Microsoft Fabric.")
+            print(f"\n🔧 REQUIRED PERMISSIONS:")
+            print(f"   • Enable the 'Service principals can use Fabric APIs' tenant setting.")
+            print(f"     You must be a Microsoft 365 administrator to enable this setting.")
+            print(f"     (https://learn.microsoft.com/rest/api/fabric/articles/identity-support")
+            print(f"   • Fabric REST API - Workspace Management: Access to create and manage")
+            print(f"     Fabric workspaces (see scopes: https://learn.microsoft.com/rest/api/fabric/articles/scopes)")
+            print(f"   • Fabric REST API - Item Creation: Access to create Eventhouses, KQL")
+            print(f"     databases, and dashboards (see scopes: https://learn.microsoft.com/rest/api/fabric/articles/scopes)")
+            print(f"\n💡 NEXT STEPS:")
+            print(f"   1. Contact your Fabric Administrator to grant the necessary permissions")
+            print(f"   2. Ensure you're logged in with the correct account (az login)")
+            print(f"\n☑️ Exiting gracefully due to insufficient permissions.")
+            print_steps_summary(solution_name, solution_suffix, executed_steps, [])
+            sys.exit(0)  # Exit gracefully for auth issues
+        else:
+            print(f"❌ FabricApiError while executing setup_workspace: ({e.status_code}) {e}")
+            print_steps_summary(solution_name, solution_suffix, executed_steps, [])
+            sys.exit(1)
     except Exception as e:
         print(f"❌ Exception while executing setup_workspace: {e}")
         print_steps_summary(solution_name, solution_suffix, executed_steps, [])

infra/scripts/fabric/fabric_workspace.py

@@ -19,7 +19,7 @@
 import sys
 from fabric_api import FabricApiClient, FabricWorkspaceApiClient, FabricApiError
 
-def setup_workspace(fabric_client: FabricApiClient, capacity_name: str, workspace_name: str) -> object:
+def setup_workspace(fabric_client: FabricApiClient, capacity_name: str, workspace_name: str) -> str:
     """
     Create a workspace (if it doesn't exist) and assign it to the specified capacity.
     
@@ -29,83 +29,49 @@ def setup_workspace(fabric_client: FabricApiClient, capacity_name: str, workspac
         workspace_name: Name of the workspace to create
         
     Returns:
-        True if successful, False otherwise
+        str: Workspace ID if successful, or None if failed
     """
-    try:
-        print(f"🔍 Searching for capacity: '{capacity_name}'")
-
-        capacity = fabric_client.get_capacity(capacity_name)
-        if not capacity:
-            print(f"❌ Capacity '{capacity_name}' not found. Exiting.")
-            return None
-
-        capacity_id = capacity['id']
-        print(f"✅ Capacity found: ID = {capacity_id}, Name = {capacity['displayName']}")
-
-        existing_workspace = fabric_client.get_workspace(workspace_name)
-        
-        if existing_workspace:
-            workspace_id = existing_workspace['id']
-            print(f"ℹ️  Using existing workspace: {workspace_name}")
-        else:
-            print(f"📁 Creating new workspace: '{workspace_name}'")
-            try:
-                workspace_id = fabric_client.create_workspace(name=workspace_name)
-                print(f"✅ Successfully created workspace: {workspace_name} (ID: {workspace_id})")
-            except FabricApiError as e:
-                if e.status_code == 409:
-                    print(f"ℹ️ Workspace '{workspace_name}' already exists")
-                    workspace_id = fabric_client.get_workspace(workspace_name)['id']
-                else:
-                    print(f"❌ Failed to create workspace: {e}")
-                    return None
-        
-        workspace_setup_response = {"id": workspace_id }
-
-        print(f"🔧 Initializing workspace-specific client...")
-        workspace_client = FabricWorkspaceApiClient(workspace_id=workspace_id)
-        
-        print(f"⚡ Assigning workspace '{workspace_name}' to capacity '{capacity_name}'...")
+    # Step 1: Get or create workspace
+    existing_workspace = fabric_client.get_workspace(workspace_name)
+    
+    if existing_workspace:
+        workspace_id = existing_workspace['id']
+        print(f"ℹ️  Using existing workspace: {workspace_name} ({workspace_id})")
+    else:
+        print(f"📁 Creating new workspace: '{workspace_name}'")
         try:
-            workspace_client.assign_to_capacity(capacity_id)
-            print(f"✅ Successfully assigned workspace to capacity!")
+            workspace_id = fabric_client.create_workspace(name=workspace_name)
+            print(f"✅ Successfully created workspace: {workspace_name} ({workspace_id})")
         except FabricApiError as e:
-            print(f"❌ FabricApiError ({e.status_code}): {e}")
-            return None
-        
-        print(f"🔍 Verifying workspace assignment...")
-        try:
-            workspace_info = workspace_client.get_workspace_info()
-            assigned_capacity_id = workspace_info.get('capacityId')
-            
-            if assigned_capacity_id == capacity_id:
-                print(f"✅ Verification successful: Workspace is assigned to capacity {capacity_name}")
-                
-                print(f"\n📊 Workspace Summary:")
-                print(f"   Name: {workspace_info.get('displayName', 'Unknown')}")
-                print(f"   ID: {workspace_info.get('id', 'Unknown')}")
-                print(f"   Capacity: {capacity['displayName']} ({capacity_id})")
-                print(f"   Type: {workspace_info.get('type', 'Unknown')}")
-                
-                items = workspace_client.get_items()
-                print(f"   Items: {len(items)} total")
-                
-                return workspace_setup_response
+            if e.status_code == 409:
+                # Handle race condition where workspace was created between check and create
+                print(f"ℹ️ Workspace '{workspace_name}' already exists (created during operation)")
+                existing_workspace = fabric_client.get_workspace(workspace_name)
+                workspace_id = existing_workspace['id']
             else:
-                print(f"⚠️  Warning: Workspace shows different capacity assignment: {assigned_capacity_id}")
-                return None
-                  
-        except FabricApiError as e:
-            print(f"⚠️  Could not verify assignment: {e}")
-            print(f"✅ Workspace creation and assignment completed (verification failed)")
-            return workspace_setup_response
-        
-    except Exception as e:
-        print(f"❌ Unexpected error: {e}")
+                print(f"❌ Failed to create workspace: {e}")
+                raise
+
+    # Step 2: Find the capacity
+    print(f"🔍 Searching for capacity: '{capacity_name}'")
+    capacity = fabric_client.get_capacity(capacity_name)
+    if not capacity:
+        print(f"❌ Capacity '{capacity_name}' not found.")
         return None
 
+    capacity_id = capacity['id']
+    print(f"✅ Capacity found: {capacity['displayName']} ({capacity_id})")
+
+    # Step 3: Assign workspace to capacity
+    print(f"⚡ Assigning workspace to capacity '{capacity_name}'...")
+    workspace_client = FabricWorkspaceApiClient(workspace_id=workspace_id)
+    workspace_client.assign_to_capacity(capacity_id)
+    print(f"✅ Successfully assigned workspace to capacity")
+    
+    return workspace_id
+
 def main():
-    """Main function to handle command line arguments and execute the workspace creation."""
+    """Main function to handle command line arguments and execute workspace setup."""
     parser = argparse.ArgumentParser(
         description="Create a Fabric workspace and assign it to a capacity",
         formatter_class=argparse.RawDescriptionHelpFormatter,
@@ -139,7 +105,7 @@ def main():
         workspace_name=args.workspace_name
     )
 
-    print(f"\n✅ Workspace ID: {result.get('id') if result else 'Failed'}")
+    print(f"\n✅ Workspace ID: {result if result else 'Failed'}")
     print(f"✅ Workspace Name: {args.workspace_name}")