Clarification needed on "end users" requirement for Azure AI Foundry Agent with Fabric data agent integration

Durjan Hussain 155 Reputation points
2025-08-28T10:21:02.7533333+00:00

Hello Microsoft team,

I'm implementing Azure AI Foundry Agent Service with Microsoft Fabric data agent integration and need clarification on the prerequisites section in the documentation (https://learn.microsoft.com/en-us/azure/ai-foundry/agents/how-to/tools/fabric?pivots=portal#prerequisites).

Question 1: What does "end users" mean in this context?

The documentation states: "Developers and end users have at least Azure AI User RBAC role" and "Developers and end users have at least READ access to the Fabric data agent and the underlying data sources it connects with."

Does "end users" refer to:

  • The actual humans interacting with the application UI?
  • The application/service making API calls to Azure AI Foundry?
  • Both?

Question 2: Service Principal and Managed Identity support

Can I use the following authentication methods instead of user accounts:

  • Service Principal with appropriate RBAC roles assigned?
  • System-assigned Managed Identity (for an Azure Container App)?
  • User-assigned Managed Identity?

If yes, what specific roles/permissions need to be assigned to these identities?

Question 3: Azure Container App scenario with logged-in users

My specific use case:

  • Application running in Azure Container Apps
  • Users authenticate via Azure AD (with proper permissions to Fabric data)
  • Application needs to call Azure AI Foundry Agent on behalf of the authenticated user

Should I:

  1. Pass the user's token directly to Azure AI Foundry (maintaining user identity)?
  2. Use the container app's managed identity with some form of identity passthrough?
  3. Use On-Behalf-Of (OBO) flow to exchange user token for AI Foundry token?

Current Issue: I can successfully call the Fabric data agent when authenticated as my user account directly, but I'm getting connection errors when trying to use service principal authentication, even though the service principal has Admin role in the Fabric workspace.

Any guidance on the proper authentication flow for container-hosted applications would be greatly appreciated.

Thanks!

Azure AI services
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.

1 answer

  1. Sina Salam 23,931 Reputation points Volunteer Moderator
    2025-08-28T17:44:22.4633333+00:00

    Hello Durjan Hussain,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like clarification on the "end users" requirement for Azure AI Foundry Agent with Fabric data agent integration.

    Regarding your explanation:

    1. About what "end users" means: in Azure AI Foundry + Fabric integration, "end users" refers to:
      • Human users interacting with the agent via UI or chat.
      • Service identities (e.g., managed identity or service principal) making API calls.
      Both must have:
    2. Yes, you can use:
    3. In reviewing the Azure Container App scenario with logged-in users, I will recommend the flow: On-Behalf-Of (OBO):
    4. If you're getting connection errors with service principal:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close out the thread here by upvoting and accepting it as an answer if it is helpful.
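The On-Behalf-Of exchange named in option 3 of the question and in point 3 of the answer, as an added example that is not part of the original thread or of Microsoft's documentation: the middle-tier app checks that the incoming token is a delegated user token issued for its own API, then builds the form it would POST (as `application/x-www-form-urlencoded`) to the Microsoft identity platform token endpoint. Assumptions: the scope value `https://ai.azure.com/.default`, the audience `api://contoso-app`, and the tenant and client names are hypothetical, and signature validation of the incoming token has already been done by the app's authentication middleware.

```python
import base64
import json

# Microsoft identity platform v2.0 token endpoint; the tenant is filled in per call.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Assumed scope for the Foundry Agent Service; confirm against the current docs.
FOUNDRY_SCOPE = "https://ai.azure.com/.default"


def claims_of(jwt):
    """Decode the JWT payload. Signature validation is assumed to have been
    done already by the app's authentication middleware."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_obo_request(tenant, client_id, client_secret, user_token, api_audience):
    """Return (url, form) for the OBO exchange, or raise ValueError when the
    incoming token is not a delegated user token issued for this API."""
    claims = claims_of(user_token)
    if claims.get("aud") != api_audience:
        raise ValueError("token was not issued for this API")
    if not claims.get("scp"):
        # App-only tokens carry 'roles' and no 'scp'; there is no user to act for.
        raise ValueError("not a delegated user token")
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_token,
        "scope": FOUNDRY_SCOPE,
    }
    return TOKEN_URL.format(tenant=tenant), form


def sample_token(claims):
    """Constructed, unsigned sample token for the demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    user = sample_token({"aud": "api://contoso-app", "scp": "access_as_user", "oid": "user-1"})
    url, form = build_obo_request("contoso-tenant", "app-id", "app-secret", user, "api://contoso-app")
    print(url, form["requested_token_use"])
```

The access token returned by this exchange carries the signed-in user's identity, so the READ-access check on the Fabric data agent is evaluated against that user rather than against the app.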
