service principal authentication

[AshaHolla]

Currently, when authenticating a Fabric Data Agent via code, only BrowserCredential and DefaultAzureCredential (CLI-based) flows work reliably.

While this is fine for local development, it becomes a major blocker for containerization and production deployments, where:

• Interactive browser auth is not possible unless VMs are provisioned
• Azure CLI is not available or recommended inside containers
• Headless / non-interactive auth is required

This makes it difficult to deploy Data Agents in:

• Docker containers
• Kubernetes
• CI/CD pipelines
• Cloud-hosted services (App Service, Container Apps, etc.)

---

Expected behavior
The SDK should support non-interactive, production-grade authentication mechanisms, such as:

• Client Secret–based Service Principal authentication
• Managed Identity (system-assigned / user-assigned)
• Explicit TokenCredential injection without requiring browser or CLI dependencies

These are standard patterns across Azure SDKs and are essential for real-world deployments.

---

Actual behavior

• BrowserCredential works only locally and requires user interaction

• DefaultAzureCredential falls back to Azure CLI, which:

  • Is unavailable in containers by default
  • Is not a recommended auth mechanism for production workloads

As a result, agents cannot be reliably productionized today.

---

Why this matters
Without headless authentication support:

• Data Agents remain effectively dev-only
• Teams cannot adopt them in enterprise environments
• CI/CD, automation, and scalable deployments are blocked

This significantly limits real-world adoption.

---

Request
Please add support and documentation for:

• Service Principal–based authentication
• Managed Identity authentication
• Explicit TokenCredential configuration patterns suitable for containers

---

Environment

• SDK: Fabric Data Agent (Python)
• Deployment target: Docker / Cloud-hosted services
• OS: Linux containers