Merge pull request #1582 from MicrosoftDocs/main638760349360351192syn…

…c_temp

For protected branch, push strategy should use PR and merge to target branch method to work around git push error

docs/data-engineering/api-graphql-overview.md

@@ -23,11 +23,18 @@ Exposing data sources to a GraphQL item in Microsoft Fabric is quick and easy. S
 Currently, the following supported data sources can be exposed through the Fabric API for GraphQL:
 
 - Microsoft Fabric Data Warehouse
+- Microsoft Fabric SQL database
 - Microsoft Fabric Lakehouse via SQL Analytics Endpoint
-- Microsoft Fabric Mirrored Databases via SQL Analytics Endpoint
-- Microsoft Fabric SQL databases
-- Azure SQL databases
-- Datamarts
+- Microsoft Fabric Mirrored Databases via SQL Analytics Endpoint, including:
+    - Mirrored databases from Azure SQL Database
+    - Mirrored databases from Azure SQL Managed Instance
+    - Mirrored databases from Azure Cosmos DB
+    - Mirrored databases from Microsoft Fabric SQL Database
+    - Mirrored databases from Azure Databricks
+    - Mirrored databases from Snowflake
+    - Open mirrored databases
+- Azure SQL database
+- Datamart
 
 ## Features
 

docs/data-engineering/connect-apps-api-graphql.md

@@ -16,11 +16,11 @@ To connect an application to an API for GraphQL, you need three important pieces
 
 ## Prerequisites
 
+* Before you connect an application, you must have an API for GraphQL in Fabric. For more information, see [Create an API for GraphQL in Fabric and add data](get-started-api-graphql.md).
+
 * Currently API for GraphQL requires applications to use Microsoft Entra for authentication. Your application needs to be registered and configured adequately to perform API calls against Fabric. For more information, see [Create a Microsoft Entra app in Azure](/rest/api/fabric/articles/get-started/create-entra-app).
 
-* The authenticated user calling the API requires Execute permissions to the GraphQL API (Run Queries and Mutations option when adding direct access permissions) and, if using Single sing-on (SSO) as the connectivity option in the API, read or write permissions are required in the data source of choice accordingly. For more information, see [Connect to a data source and build your schema](get-started-api-graphql.md).
-
-* Before you connect an application, you must have an API for GraphQL in Fabric. For more information, see [Create an API for GraphQL in Fabric and add data](get-started-api-graphql.md).
+* The authenticated credential (user principal, service principal, or managed identity) calling the API requires Execute permissions to the GraphQL API (Run Queries and Mutations option when adding direct access permissions) and, if using single sign-on (SSO) as the connectivity option in the API, read or write permissions are required in the data source of choice accordingly. For more information, see [Connect to a data source and build your schema](get-started-api-graphql.md).
 
 ## Create a Microsoft Entra app
 
@@ -29,7 +29,7 @@ In the following steps, we showcase how to configure support for a ReactJS appli
 1. Register an application using the steps described on [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
 2. Your Microsoft Entra app **Application (client) ID** and **Directory (tenant) ID** values are displayed in the Summary box. Record these values as they're required later.
 1. Under the *Manage* list, select **API permissions**, then **Add permission**. 
-2. Add the **PowerBI Service**, select **Delegated permissions**, and select **GraphQL.Execute.All** permissions. Make sure admin consent isn't required.
+2. Add the **PowerBI Service**, select **Delegated permissions**, and select **GraphQLApi.Execute.All** permissions. Make sure admin consent isn't required.
 3.  Back to the *Manage* list, select **Authentication** > **Add a platform**, > **Single-page application**.
 4.  For local development purposes, add `http://localhost:3000` under **Redirect URIs** and confirm that the application is enabled for the [authorization code flow with Proof Key for Code Exchange (PKCE)](/azure/active-directory/develop/v2-oauth2-auth-code-flow). Select the **Configure** button to save your changes. In case the application receives an error related to cross-origin requests, add the **Mobile and desktop applications** platform in the previous step with the same redirect URI.
 5.  Back to **Authentication**, scroll down to **Advanced Settings** and, under **Allow public client flows**, select **Yes** for *Enable the following mobile and desktop flows*.
@@ -140,7 +140,7 @@ In this example, we create a GraphQL API to expose sample Lakehouse data to clie
      * https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes
      */
     export const loginRequest = {
-        scopes: ["https://analysis.windows.net/powerbi/api/GraphQL.Execute.All"]
+        scopes: ["https://analysis.windows.net/powerbi/api/GraphQLApi.Execute.All"]
     };
 
     /**
@@ -152,7 +152,7 @@ In this example, we create a GraphQL API to expose sample Lakehouse data to clie
     };
    ```
 
-   As you can see in the code above, it's important to use the correct scope to access the application. In our case `https://analysis.windows.net/powerbi/api/GraphQL.Execute.All`.
+   As you can see in the code above, it's important to use the correct scope to access the application. In our case `https://analysis.windows.net/powerbi/api/GraphQLApi.Execute.All`.
 
 1. Replace the following values with the values from the Microsoft Entra admin center.
     - `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered Microsoft Entra application.
@@ -325,7 +325,7 @@ In this example, we create a GraphQL API to expose sample Lakehouse data to clie
 
 While the steps in the previous section are required to provide access to user principals, it's also possible to access the GraphQL API with a service principal:
 
-1. Follow the steps in the previous section to create a second Microsoft Entra app with similar permissions (**GraphQL.Execute.All** scope for the **PowerBI Service**). In the new app, add a client secret under **Certificates and Secrets**, for more information see [Register a Microsoft Entra app and create a service principal](/entra/identity-platform/howto-create-service-principal-portal).
+1. Follow the steps in the previous section to create a second Microsoft Entra app, but keep in mind that scopes are not needed for Service Principals. In the new app, add a client secret under **Certificates and Secrets**, for more information see [Register a Microsoft Entra app and create a service principal](/entra/identity-platform/howto-create-service-principal-portal).
 2. Make sure Tenant Administrators enabled the usage of Service Principals in Fabric. In the Tenant Admin portal, go to **Tenant Settings**. Under **Developer Settings** enable **Service Principals can use Fabric APIs**. With this setting enabled, the application will be visible in the Fabric Portal for role or permissions assignment. You can find more information on [Identity support](/rest/api/fabric/articles/identity-support#service-principal-tenant-setting).
 3. The service principal will need access to both the GraphQL API and the data source, more specifically *Execute* permission to the GraphQL API and read or write access required in the data source of choice accordingly. In the Fabric Portal, open the workspace and select the ellipsis next to API. Select *Manage permissions* for the API then *Add user*. Add the application and select *Run Queries and Mutations*, which will provide the required *Execute* permissions to the service principal.  For testing purposes, the easiest way to implement the required permissions for both the API and data source is by adding the application as a workspace member with a contributor role where both the GraphQL API and data source items are located.
 

docs/data-engineering/get-started-api-graphql.md

@@ -51,7 +51,7 @@ At this point, the API is ready but it's not exposing any data. APIs for GraphQL
    Once selected these options are enforced for all data sources subsequently added to the API. It's not possible to mix single-sign on and saved credentials in the same API. Furthermore, while you can use User Principal Names (UPNs) or Service Principal Names (SPNs) to connect to your API, service principals only support single-sign on (SSO) currently. User principals can leverage either SSO or saved credentials, depending on your security requirements.
 
    > [!NOTE]
-   >API for GraphQL requires client applications to use Microsoft Entra ID for authentication. Your client application must be registered and configured adequately to execute API calls against Fabric. The app registered in Microsoft Entra ID requires *GraphQL.Execute.All* API permissions for the Power BI service. You can find an end-to-end tutorial with instructions and sample code for both user principals and service principals at [Connect Applications](connect-apps-api-graphql.md).
+   >API for GraphQL requires client applications to use Microsoft Entra ID for authentication. Your client application must be registered and configured adequately to execute API calls against Fabric. The app registered in Microsoft Entra ID requires *GraphQLApi.Execute.All* API permissions for the Power BI service. You can find an end-to-end tutorial with instructions and sample code for both user principals and service principals at [Connect Applications](connect-apps-api-graphql.md).
 
 3. The OneLake data hub appears; choose the data source you want to connect to. For the following example, we choose a AdventureWorks SQL analytics endpoint linked to a mirrored database. Select **Filter** to see only specific types of Fabric data sources, or search by a specific keyword. When you're ready, select **Connect**.
 
@@ -79,9 +79,9 @@ The table below summarizes the different supported permutations and minimum requ
 
 |API Caller        | Data source connectivity | Required GraphQL API permissions|Required Data Source permissions|Entra app scope|
 |------------------|--------------------------|---------------------------------|-------------------------------|-----------------|
-|User Principal (UPN)|Single sign-on (SSO)| *Run Queries and Mutations* at the API level|Appropriate Read/Write permissions granted to the UPN at the data source|*GraphQL.Execute.All*|
-|Service Principal (SPN)|Single sign-on (SSO)| *Run Queries and Mutations* at the API level|Appropriate Read/Write permissions granted to the SPN at the data source|*GraphQL.Execute.All*|
-|User Principal (UPN)|Saved credentials| *Run Queries and Mutations* at the API level|Appropriate Read/Write permissions granted to the saved credential (connection) at the data source|*GraphQL.Execute.All*|
+|User Principal (UPN)|Single sign-on (SSO)| *Run Queries and Mutations* at the API level|Appropriate Read/Write permissions granted to the UPN at the data source|*GraphQLApi.Execute.All*|
+|Service Principal (SPN)|Single sign-on (SSO)| *Run Queries and Mutations* at the API level|Appropriate Read/Write permissions granted to the SPN at the data source|Not Applicable|
+|User Principal (UPN)|Saved credentials| *Run Queries and Mutations* at the API level|Appropriate Read/Write permissions granted to the saved credential (connection) at the data source|*GraphQLApi.Execute.All*|
 |Service Principal (SPN)|Saved credentials| Currently not supported|Currently not supported|Currently not supported|
 
 

docs/data-engineering/graphql-faq.yml

@@ -6,7 +6,7 @@ metadata:
   ms.author: sngun
   ms.topic: faq
   ms.custom:
-  ms.date: 05/21/2024
+  ms.date: 05/21/2023
 title: Fabric API for GraphQL frequently asked questions
 summary: |
   Find answers to commonly asked Fabric API for GraphQL questions.
@@ -18,7 +18,7 @@ sections:
         answer: GraphQL is an open source query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API with a strongly typed system, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools. 
 
       - question: What is Microsoft Fabric API for GraphQL?
-        answer: Microsoft Fabric API for GraphQL is a managed service that enables you to create a GraphQL API in seconds to access data from your data sources such as Microsoft Fabric Data Warehouses, Microsoft Fabric Lakehouses, Microsoft Fabric Mirrored Databases, Microsoft Fabric SQL Databases, and Azure SQL Databases. It provides a unified API layer for querying and mutating data from these supported data sources. Fabric API for GraphQL is currently in preview.
+        answer: Microsoft Fabric API for GraphQL is a managed service that enables you to create a GraphQL API in seconds to access data from your data sources such as Microsoft Fabric Data Warehouses, Microsoft Fabric Lakehouses, Microsoft Fabric Mirrored Databases, Microsoft Fabric SQL Databases, and Azure SQL Databases. It provides a unified API layer for querying and mutating data from these supported data sources.
 
       - question: What GraphQL operations are supported in Fabric API for GraphQL?
         answer: Only GraphQL queries (read) and mutations (write) are supported currently. Data sources exposed via SQL Analytics Endpoints are read-only thus only supporting Queries. In case of Data Warehouses, a primary key needs to be defined for Mutations to be automatically generated.
@@ -27,13 +27,13 @@ sections:
         answer: Resolvers are GraphQL components that provide the business logic to resolve fields in the API and perform operations with data residing in the data sources. Fabric automatically generates resolvers whenever you attach a new data source or select new objects to be exposed from an existing data source. Currently, it's not possible to customize resolvers. For customized business logic in API for GraphQL, you can create a stored procedure in the data source and expose it in the GraphQL API.
 
       - question: Does the API for GraphQL client application require access to the data source in order to perform queries or mutations?
-        answer: API for GraphQL requires applications to use Microsoft Entra for authentication. Your client application must be registered and configured adequately to execute API calls against Fabric. The app registered in Microsoft Entra requires *Item.Execute.All* permissions for the Power BI service. For more information, see [Create a Microsoft Entra app in Azure](/rest/api/fabric/articles/get-started/create-entra-app). In addition to Microsoft Entra, if the API is configured to use single sign-on (SSO), the authenticated user or service principal in the app calling the GraphQL API requires access to both the GraphQL API and the data source. More specifically *Run Queries and Mutations* permission in the GraphQL API and read or write access required in the data source of choice accordingly. Another option is to have the user or service principal as a workspace member with a *contributor role* where both the API and data source items are located, which will provide the required access to both items from a single place. For more information, see [Give users access to workspaces](../fundamentals/give-access-workspaces.md). Alternatively, if the API is configured to use saved credentials, the authenticated user or service principal just needs to have access to the API (Select *Run Queries and Mutations* option when adding direct access permissions to the API). You can find an end-to-end example with sample code for both user principals and service principals at [Connect Applications](connect-apps-api-graphql.md).
+        answer: API for GraphQL requires applications to use Microsoft Entra ID for authentication. Your client application must be registered and configured adequately to execute API calls against Fabric. The app registered in Microsoft Entra requires *GraphQLApi.Execute.All* permissions for the Power BI service. For more information, see [Create a Microsoft Entra app in Azure](/rest/api/fabric/articles/get-started/create-entra-app). In addition to Microsoft Entra, if the API is configured to use single sign-on (SSO), the authenticated user or service principal in the app calling the GraphQL API requires access to both the GraphQL API and the data source. More specifically *Run Queries and Mutations* permission in the GraphQL API and read or write access required in the data source of choice accordingly. Another option is to have the user or service principal as a workspace member with a *contributor role* where both the API and data source items are located, which will provide the required access to both items from a single place. For more information, see [Give users access to workspaces](../fundamentals/give-access-workspaces.md). Alternatively, if the API is configured to use saved credentials, the authenticated user or service principal just needs to have access to the API (Select *Run Queries and Mutations* option when adding direct access permissions to the API). You can find an end-to-end example with sample code for both user principals and service principals at [Connect Applications](connect-apps-api-graphql.md).
 
       - question: How do I open a support ticket for API for GraphQL?
         answer: To get help from Microsoft Support on any issue related to Fabric API for GraphQL, visit our [Fabric Support site](https://support.fabric.microsoft.com/support/) and choose the **Data Engineering** option.
 
       - question: Which regions are not yet supported by the API for GraphQL?
-        answer: "API for GraphQL is currently not supported in the West US 3 region."
+        answer: API for GraphQL is currently not supported in the West US 3 region.
 
 additionalContent: |
     ## Related content