Automating Fabric's Deployment Pipelines & Workspaces

Setting the stage

In today’s fast-paced DevOps environments, automation is key to ensuring that resources are efficiently managed, reducing the potential for human error and improving overall productivity.

In this article, we’ll explore a comprehensive solution to automate the management of Microsoft Fabric's Deployment pipelines & Workspaces in a streamlined and repeatable process.

Solution

Solution consists of two mayor components:

• PowerShell script that provides functions to interact with Microsoft Fabric APIs, automating the management of services and workspace items. Complementing
• Azure DevOps YAML pipeline integrates with the script, enabling it to be triggered and executed seamlessly within the Azure DevOps environment

Sounds like "awesome?!" In deed it is 😁👍!!! Get the code and keep reading as I'm going to explain more in detail how this works 🤓

Permissions

Regardless of the Entra ID Account use to execute the script (user-authenticated with MFA or service without MFA), such account SHOULD HAVE the following roles and permissions:

1. Fabric Capacity Administrator role. Managing and configuring capacities, which represent the processing resources allocated to run workloads like reports, dataflows, datasets, and more; contact the Fabric admin or a Power BI administrator within your organization and request the role for the Account.
2. DevOps BASIC access level. Account with the Basic Access level can actively participate in development projects, such as contributing code, creating and managing work items and accessing Azure Repos, Pipelines, and other services essential for the development lifecycle; contact the Azure DevOps administrator for your organization and request the access for the Account.
3. Repository Contributor Role. Grants users the ability to contribute directly to the codebase within a repository. This role allows users to read, write, and manage code, making it crucial for active development and collaboration within a project.
4. Directory Readers role. This role allows you to read basic directory information, including user details, but you cannot modify them.

Only when you're executing the script from a DevOps Yaml pipeline, you are running parts of the code under the context of the service connection running the Power Shell task, that is why, in this case, make sure the service principal representing the connection has the User.ReadBasic.All permission.

PowerShell script

The benefit of using a PowerShell script is that it allows standalone execution, meaning I can run the script independently from the pipeline, which greatly improves debugging. It supports both MFA accounts and tokens for flexible testing of functionalities. By encapsulating the logic within a .ps1 file, the script is easier to read, maintain, and troubleshoot—something that would be far more complex if embedded directly in YAML pipelines.

Key features

• Workspace Creation: Automatically creates workspaces in Azure Fabric if they do not already exist.
• Git Integration: Connects workspaces to specific branches in Azure DevOps, facilitating Git-driven workflow management.
• Pipeline Automation: Creates deployment pipelines, assigns workspaces to stages, and automates deployment processes between environments.
• User Management: Manages user role assignments for both workspaces and pipelines.
• Interactive Execution: Optionally pauses execution for user input, making it easier to observe actions before proceeding.

Understanding the PowerShell Script

This script is broken into several functions, each responsible for a different part of the automation process. We will go through each function to explain its purpose and how it contributes to the overall automation workflow.

• CreateWorkspace. This function checks if a workspace exists based on the name provided. If the workspace is not found, it creates a new one.
• CreateNewGitBranch. The CreateNewGitBranch function handles the creation of a new Git branch in Azure DevOps.
• ConnectWorkspaceToGit. This function connects a workspace to a specific Git repository and initializes the connection.
• CreateDeploymentPipeline. This function checks for an existing deployment pipeline by name, and if one does not exist, it creates a new one.
• AssignWorkspaceToStage. This function assigns a specific workspace to a stage in the deployment pipeline. It includes retry logic to handle transient errors.
• DeployPipelineStage. The DeployPipelineStage function automates the deployment of changes between pipeline stages.
• User Management Functions. The script includes several functions for managing user role assignments: Get-UserOrGroupIdByUpn, AddWorkspaceUsers and AddPipelineUsers.

Execute the CreateEnvironment.ps1

Like most REST API endpoints, executing functions requires an access token. The script provides flexibility by allowing you to either supply tokens directly or generate them dynamically by authenticating through an account (1). If the script detects that tokens for Fabric or Azure DevOps are missing, it checks whether you’ve opted to use an authenticated account. If so, it connects to Azure and retrieves the necessary tokens.

Update the input parameters and run the script...

If successful, you should be able to see an output similar the the one shown next...

DevOps YAML Pipeline (CI/CD)

The YAML pipeline follows the same logical structure I explained (and use) in most of my articles, check this article if you need additional information.

Resilient Azure DevOps YAML Pipeline

Embark on a journey from Classic to YAML pipelines in Azure DevOps with me. I transitioned, faced challenges, and found it all worthwhile. Follow to learn practical configurations and detailed insights, bypassing the debate on YAML vs Classic. Your guide in mastering Azure DevOps.

TechTacoFridayHector Sven

Service account (aka Automation Account)

The pipeline primarily serves as a mechanism to gather the necessary parameters for the PowerShell script, allowing users to define workspace and pipeline names for each environment or medallion architecture layer, specify administrators, and control script execution. However, it's important to understand that DevOps pipelines are non-interactive, meaning we cannot rely on real-time user input for authentication. As such, tokens must be generated in advance or a service account—one without MFA—must be used. This service account, exempt from MFA, enables seamless automation by allowing the script to authenticate using Connect-AzAccount -Credential $psCred(2). The credentials, securely stored in Azure Key Vault (1), include the service account’s password, ensuring secure, automated execution without manual intervention.

If successful, you should be able to see an output similar the the one shown next...

Are you ready to give a try 😅?! I hope so! 😁🤞

Conclusion

This PowerShell script provides an automated and repeatable process for managing Azure Fabric workspaces, integrating with Git repositories, and automating deployment pipelines. By abstracting complex tasks into well-defined functions, this script enables DevOps teams to automate routine processes, improve efficiency, and reduce the risk of human error.

Whether you are managing multiple environments or enforcing strict branch naming conventions, this script offers flexibility and scalability to meet your organization's automation needs.

I would love to hear from you, subscribe and contact me, I would love to hear from you... Happy scripting!