audit-tenant-settings
// Automatically invoke this skill whenever the user asks about Fabric tenant settings or Power BI tenant settings or auditing tenant settings. You can use this skill if the user mentions "Fabric administration".
| Field | Value |
|---|---|
| name | audit-tenant-settings |
| version | 26.2 |
| description | Automatically invoke this skill whenever the user asks about Fabric tenant settings or Power BI tenant settings or auditing tenant settings. You can use this skill if the user mentions "Fabric administration". |
Audit Fabric / Power BI tenant settings against a curated baseline, surface drift, enumerate delegated overrides at capacity / domain / workspace scope, investigate the Entra security groups those settings reference, and turn findings into a grounded discussion about what to do next. Always invoke the fabric-cli skill alongside this skill; it provides the fab CLI guidance, admin API references, and the microsoft-learn MCP server that this skill depends on.
This plugin is an add-on to the fabric-cli plugin. It requires:

- The fabric-cli plugin, which supplies fab CLI guidance, the microsoft-learn MCP server, and admin API reference docs.
- The Fabric CLI (`fab`, from the ms-fabric-cli package) authenticated with a Fabric / Power BI admin account.
- An Azure CLI (`az`) session holding the Graph scopes Group.Read.All, User.Read.All, Directory.Read.All, and RoleManagement.Read.Directory when investigating security groups.
- Per-project configuration via `.claude/fabric-admin.local.md`:

```markdown
---
enabled: true
tenant_label: "Contoso"
snapshot_path: "~/.cache/fabric-admin-audit/last-snapshot.json"
drift_threshold_high: 5
drift_threshold_medium: 15
notification_level: "info"
schedule: "weekly"
---
# Fabric Admin Configuration
Additional context or tenant-specific notes.
```
| Field | Type | Default | Purpose |
|---|---|---|---|
| enabled | bool | true | Toggle the plugin on/off |
| tenant_label | string | none | Label for PDF masthead and audit reports |
| snapshot_path | string | ~/.cache/fabric-admin-audit/last-snapshot.json | Where to store/read the last-run snapshot JSON |
| drift_threshold_high | int | 5 | Alert when the high-risk drift count exceeds this |
| drift_threshold_medium | int | 15 | Alert when the total drift count exceeds this |
| notification_level | string | info | Verbosity: quiet, info, verbose |
| schedule | string | weekly | Preferred audit cadence: daily, weekly, monthly, ad-hoc |
Invoke for any tenant-, delegation-, or SG-scoped governance question that needs an interpreted answer rather than a raw API call. Typical asks:

- Use the AskUserQuestion skill to regularly interview the user about their tenant, user behavior, and adoption. Use the fabric-cli skill and fab to build an inventory of what's in the tenant and how it's structured, and read the activity log / events to understand user adoption and activity. Flag key patterns, anomalies, and high-risk operations or scenarios (like publish-to-web, exports, and sharing with external users, the full org, or C-level employees).

The baseline's `recommended` field reflects subjective and community defaults, not the user's scenario. Always present the nuance and let the user decide.

Sources:

- Curated baseline: `references/tenant-settings-metadata.yaml`. Holds human_name, description, preview, source_url, recommended, risk, and recommendation_nuance for every known setting. Check this first for any tenant-settings question.
- Live state via `fab api` and `az`:
  - `fab api "admin/tenantsettings"`
  - `fab api "admin/capacities/delegatedTenantSettingOverrides"`, `admin/domains/...`, `admin/workspaces/...`
  - `az ad group`, `az rest --method get --uri https://graph.microsoft.com/v1.0/...`
- Docs: the microsoft-learn MCP server (`microsoft_docs_search`, `microsoft_docs_fetch`, `microsoft_code_sample_search`) or the pbi-search CLI as an alternative. Use when metadata is stale, the setting is brand new, or the user asks a feature question the baseline cannot answer.

Follow these steps in order. Skip a step only with a clear reason; never silently drop one.
1. `fab --version` is current; run `uv tool upgrade ms-fabric-cli` if stale.
2. `fab auth status` confirms a live session; ask the user to run `fab auth login` if not.
3. `fab api "admin/capacities" 2>&1 | head -5`. A 401 / 403 means the account is not a Fabric / Power BI admin; stop and ask the user how to proceed (ask an admin to run it, or pivot to the non-admin scripts).
4. `az account show` should resolve a session with at least Group.Read.All, User.Read.All, Directory.Read.All, and RoleManagement.Read.Directory. Ask for `az login` rather than auto-authenticating.
5. Run the audit script:

```shell
uv run ${CLAUDE_PLUGIN_ROOT}/skills/audit-tenant-settings/scripts/audit-tenant-settings.py -o /tmp/tenant-audit.md
```

Common variants:

- `--drift-only` shortens the report to non-compliant settings only.
- `--snapshot /path/to/snap.json` keeps per-tenant isolation when auditing more than one tenant.
- `--no-snapshot` skips change detection (first runs, or when a clean slate is wanted).

The script merges live state with the curated metadata and computes drift, preview features, SG scoping, and changes since the last snapshot in one pass. Admin write endpoints are rate-limited to 25 requests / minute; honor Retry-After on 429.
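The drift and change-detection pass described above, written out as an added example; this is not the plugin's `audit-tenant-settings.py`, and the baseline excerpt, the live settings, the previous snapshot, and the `on` / `off` / `on:sg` state vocabulary are all constructed here to mirror the fields the skill names (recommended, risk, preview, settingName, enabledSecurityGroups, graphId). The threshold logic follows the `drift_threshold_high` / `drift_threshold_medium` fields from the configuration table.

```python
"""Added example: baseline drift and change detection over tenant settings."""

# Constructed baseline excerpt, in the shape the metadata yaml describes.
BASELINE = {
    "PublishToWeb": {"human_name": "Publish to web", "recommended": "off", "risk": "high", "preview": False},
    "ExportToExcel": {"human_name": "Export to Excel", "recommended": "on:sg", "risk": "medium", "preview": False},
    "ShareLinkToEntireOrg": {"human_name": "Allow shareable links to grant access to everyone in your organization",
                             "recommended": "off", "risk": "medium", "preview": False},
    "PilotFeature": {"human_name": "Pilot feature (constructed)", "recommended": "review", "risk": "low", "preview": True},
}

# Constructed sample of what admin/tenantsettings returns. Only settingName,
# enabled, and enabledSecurityGroups/graphId are used; other API fields are omitted.
LIVE_SETTINGS = [
    {"settingName": "PublishToWeb", "enabled": True, "enabledSecurityGroups": []},
    {"settingName": "ExportToExcel", "enabled": True, "enabledSecurityGroups": []},
    {"settingName": "ShareLinkToEntireOrg", "enabled": False, "enabledSecurityGroups": []},
    {"settingName": "PilotFeature", "enabled": True,
     "enabledSecurityGroups": [{"graphId": "00000000-0000-0000-0000-000000000001", "name": "sg-pilot"}]},
    {"settingName": "UndocumentedSetting", "enabled": True, "enabledSecurityGroups": []},
]

# Constructed previous snapshot: settingName -> effective state at the last run.
PREVIOUS_SNAPSHOT = {"PublishToWeb": "off", "ExportToExcel": "on", "ShareLinkToEntireOrg": "off"}


def effective_state(setting):
    """Collapse a setting to off / on / on:sg (enabled, but scoped to security groups)."""
    if not setting.get("enabled"):
        return "off"
    return "on:sg" if setting.get("enabledSecurityGroups") else "on"


def audit(live, baseline, previous=None):
    """Return (rows, changes, snapshot): one row per live setting, the diff against
    the previous snapshot, and the new snapshot to persist."""
    rows = []
    for setting in live:
        name = setting["settingName"]
        state = effective_state(setting)
        meta = baseline.get(name)
        if meta is None:
            # Not in the curated baseline: report it so the yaml can be extended.
            rows.append({"setting": name, "human_name": name, "state": state, "recommended": None,
                         "status": "unknown", "risk": None, "preview": None, "sg_scoped": state == "on:sg"})
            continue
        rec = meta["recommended"]
        if rec == "review":
            status = "review"          # baseline takes no hard position
        elif rec == state:
            status = "compliant"
        else:
            status = "drift"
        rows.append({"setting": name, "human_name": meta["human_name"], "state": state, "recommended": rec,
                     "status": status, "risk": meta["risk"], "preview": meta["preview"],
                     "sg_scoped": state == "on:sg"})
    snapshot = {r["setting"]: r["state"] for r in rows}
    changes = []
    if previous is not None:
        for name, state in snapshot.items():
            if previous.get(name) != state:
                changes.append((name, previous.get(name), state))   # new or changed
        for name in previous.keys() - snapshot.keys():
            changes.append((name, previous[name], None))            # setting disappeared
    return rows, changes, snapshot


def alert_level(rows, drift_threshold_high=5, drift_threshold_medium=15):
    """Apply the configured thresholds: high-risk drift count, then total drift count."""
    high = sum(1 for r in rows if r["status"] == "drift" and r["risk"] == "high")
    total = sum(1 for r in rows if r["status"] == "drift")
    if high > drift_threshold_high:
        return "high"
    if total > drift_threshold_medium:
        return "medium"
    return "ok"


if __name__ == "__main__":
    rows, changes, snapshot = audit(LIVE_SETTINGS, BASELINE, PREVIOUS_SNAPSHOT)
    for r in rows:
        print(f"{r['human_name']} ({r['setting']}): {r['state']} -> {r['status']}")
    print("changes since last snapshot:", changes)
    print("alert level:", alert_level(rows))
```

Rows are keyed by `settingName` so they can be joined later with delegated-override and security-group findings; the snapshot that the function returns is the only thing that needs to be written to `snapshot_path` for the next run.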
For a shareable one-to-two-page briefing, run the PDF generator against the same snapshot:
```shell
uv run ${CLAUDE_PLUGIN_ROOT}/skills/audit-tenant-settings/scripts/generate_audit_pdf.py -o /tmp/tenant-audit.pdf
```
The PDF focuses on headline counts, changes since the last snapshot, the drift table, and a delegated-overrides summary. It reuses the same audit logic as the markdown script (via import) and reads the same snapshot path, so change detection stays in lockstep. Use --no-overrides to skip override enumeration when not running as admin, or --tenant-label "Contoso" to add a tenant name to the masthead. Pair the PDF with the markdown audit; the PDF is for stakeholders, the markdown is for the working walk-through.
Read the generated markdown once end-to-end, then surface findings in this order:

1. Drift rows tagged `risk: high` in the drift table.
2. Settings whose recommendation is SG-scoped (`on:sg` / `off:sg`) but that are currently org-wide, plus any heuristically-flagged individual UPNs.

Keep the summary concise (under 400 words). Use portal titles, not API names, in user-facing prose; annotate with (settingName) only where precision matters.
Tenant-wide state is half the picture. Any setting whose parent has delegateToCapacity / delegateToDomain / delegateToWorkspace set to true can be replaced by a local override at that scope. Skipping this step is the most common way governance reports go wrong.
Pull all three scopes and tag each override as drift-vs-tenant, drift-vs-recommended, high-risk (parent has risk: high), or orphan (parent does not delegate; override is vestigial). Never silently omit an override, even a compliant one. Render overrides above tenant defaults whenever the user asks about a specific workspace, capacity, or domain, so the effective posture is visible.
Full enumeration patterns, filtering, and change mechanics: references/delegated-overrides.md.
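The override classification described in the two paragraphs above (drift-vs-tenant, drift-vs-recommended, high-risk, orphan) as an added example; it is not the plugin's own code and does not reproduce `references/delegated-overrides.md`. The tenant-level parents, the baseline excerpt, the capacity / workspace identifiers, and the override records are all constructed; the `delegateToCapacity` / `delegateToDomain` / `delegateToWorkspace` flag names are the ones the page cites, and the `effective_posture` helper simply prefers the local override over the tenant default at the requested scope.

```python
"""Added example: classify delegated overrides at capacity / domain / workspace scope."""

DELEGATE_FLAG = {
    "capacity": "delegateToCapacity",
    "domain": "delegateToDomain",
    "workspace": "delegateToWorkspace",
}

# Constructed tenant-level settings (the parents), keyed by settingName.
TENANT = {
    "PublishToWeb": {"enabled": False, "enabledSecurityGroups": [],
                     "delegateToCapacity": True, "delegateToDomain": False, "delegateToWorkspace": False},
    "ExportToExcel": {"enabled": True, "enabledSecurityGroups": [],
                      "delegateToCapacity": False, "delegateToDomain": False, "delegateToWorkspace": False},
    "ShareLinkToEntireOrg": {"enabled": False, "enabledSecurityGroups": [],
                             "delegateToCapacity": True, "delegateToDomain": True, "delegateToWorkspace": True},
}

# Constructed baseline excerpt (recommended value and risk per setting).
BASELINE = {
    "PublishToWeb": {"recommended": "off", "risk": "high"},
    "ExportToExcel": {"recommended": "on:sg", "risk": "medium"},
    "ShareLinkToEntireOrg": {"recommended": "off", "risk": "medium"},
}

# Constructed overrides as (scope, scope id, override record) tuples.
OVERRIDES = [
    ("capacity", "cap-finance", {"settingName": "PublishToWeb", "enabled": True, "enabledSecurityGroups": []}),
    ("capacity", "cap-sales", {"settingName": "ExportToExcel", "enabled": True,
                               "enabledSecurityGroups": [{"graphId": "00000000-0000-0000-0000-0000000000aa",
                                                          "name": "sg-analysts"}]}),
    ("workspace", "ws-board-pack", {"settingName": "ShareLinkToEntireOrg", "enabled": False,
                                    "enabledSecurityGroups": []}),
]


def effective_state(setting):
    """Collapse a setting to off / on / on:sg (enabled, but scoped to security groups)."""
    if not setting.get("enabled"):
        return "off"
    return "on:sg" if setting.get("enabledSecurityGroups") else "on"


def classify_override(scope, scope_id, override, tenant, baseline):
    """Tag one override; a compliant override is still returned, never dropped."""
    name = override["settingName"]
    parent = tenant.get(name)
    state = effective_state(override)
    tags = []
    # orphan: the parent does not delegate to this scope, so the override is vestigial
    if parent is None or not parent.get(DELEGATE_FLAG[scope], False):
        tags.append("orphan")
    if parent is not None and state != effective_state(parent):
        tags.append("drift-vs-tenant")
    meta = baseline.get(name)
    if meta is not None:
        if meta["recommended"] not in ("review", state):
            tags.append("drift-vs-recommended")
        if meta["risk"] == "high":
            tags.append("high-risk")
    return {"scope": scope, "scope_id": scope_id, "setting": name, "state": state,
            "tenant_state": effective_state(parent) if parent is not None else None,
            "tags": tags or ["compliant"]}


def classify_all(overrides, tenant, baseline):
    return [classify_override(scope, scope_id, o, tenant, baseline) for scope, scope_id, o in overrides]


def effective_posture(name, scope, scope_id, overrides, tenant):
    """State in force at a scope: the local override if one exists, else the tenant default."""
    for o_scope, o_id, o in overrides:
        if o_scope == scope and o_id == scope_id and o["settingName"] == name:
            return effective_state(o)
    parent = tenant.get(name)
    return effective_state(parent) if parent is not None else None


if __name__ == "__main__":
    for finding in classify_all(OVERRIDES, TENANT, BASELINE):
        print(f"{finding['scope']}/{finding['scope_id']} {finding['setting']}: "
              f"{finding['state']} (tenant {finding['tenant_state']}) -> {', '.join(finding['tags'])}")
```

When a user asks about one capacity or workspace, `effective_posture` is what to report first; the tenant default only matters when no override exists at that scope.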
Any setting scoped to a security group is only as strong as the group's membership, ownership, and governance. A recommended scoping that points to an empty or stale SG is effectively no scoping at all. Conversely, a setting restricted to a sprawling, dynamically-populated SG can be less restrictive than leaving it org-wide under a tenant with clean RLS.
Enumerate every graphId referenced by the live tenant settings, resolve each via az ad group, classify members by @odata.type, cross-check against Fabric / Power BI / Global admin role assignments, and feed each finding back onto the corresponding tenant-setting row. Red-flag categories (empty groups, guest members, stale owners, dynamic membership, nested SPs) and the exact Graph queries are in references/security-groups.md.
When the SG strategy itself looks wrong (e.g. one SG reused for unrelated postures, individual users added directly to role-style groups, ownership sitting on departed employees), point it out plainly without alarmist framing. The goal is to help the user rethink the model, not scare them.
For each setting where drift matters, ground the discussion in authoritative sources before opining:

1. Metadata baseline:

```shell
grep -i -A6 '<keyword>' ${CLAUDE_PLUGIN_ROOT}/skills/audit-tenant-settings/references/tenant-settings-metadata.yaml
```

2. Live state:

```shell
fab api "admin/tenantsettings" -q "text.tenantSettings[?settingName=='<API name>']"
```

3. Docs via the microsoft-learn MCP server:
   - `microsoft_docs_search` using the portal title or API name
   - `microsoft_docs_fetch` on the metadata's source_url or the top search hit
   - `microsoft_code_sample_search` when the user wants to see code implications

If metadata and docs disagree, trust the docs and surface the drift to the user so the baseline can be updated.
Present results objectively. Avoid alarmist language. A setting that drifts from the baseline is not automatically wrong; baselines are general, the user's scenario may differ. Equally, a setting that matches the baseline may still be wrong for the user's particular organization.
For every area of drift, pair two halves of the conversation:

- What the baseline recommends and why (the recommended value, risk, and nuance from the metadata).
- Where the user's scenario may legitimately differ (for example, a scenario that needs PublishToWeb enabled selectively, or a regulated tenant that needs ServicePrincipalsUseReadAdminAPIs tighter than the general recommendation).

Ask short, targeted questions about the user's scenario when it matters for the recommendation: licensing model (Pro, PPU, Premium, Fabric), content lifecycle (self-service vs enterprise), regulatory posture, existing SG strategy, in-flight adoption goals. Do not interview the user about things that do not affect the recommendation.

Co-develop a plan rather than handing one down. Candidates include:

- Settings changes, presented as an explicit `fab api -X post` command; never auto-applied from this skill.
- A scheduled re-audit (cron, a scheduled GitHub Action, a Fabric notebook on a schedule, or an Azure DevOps pipeline) that refreshes the snapshot and ships the resulting diff somewhere visible. From there, change-detection output can feed an alerting surface; Fabric Activator is one option, but Teams or email via Power Automate, a pager via webhook, or a simple inbox rule all work. Use this to catch new settings Microsoft adds, posture drift, and SG membership changes without having to rerun the audit manually. Scope and wire-up are the user's call; the skill can help design the flow but should not stand anything up without explicit approval.

Close every plan with the disclaimer: "These recommendations are based on the curated baseline and the live API state at the time of this audit. The agent may not present fully accurate or scenario-appropriate information; the user is responsible for due diligence, piloting changes, and confirming with their own security, compliance, and Fabric administration teams before applying anything in production."
Conventions and edge cases:

- Use portal titles (`human_name` from metadata) in user-facing text; annotate with (settingName) only when precision matters or the API name is more recognizable.
- When the `recommended` field is `review`, explicitly say the baseline has no hard position and present the nuance.
- A setting missing from the baseline: call it out and propose an entry for `references/tenant-settings-metadata.yaml`.
- No live `fab auth` session: ask the user to run `fab auth login` before proceeding. Do not auto-authenticate.
- No `az login` when an SG question comes up: ask for `az login`. Offer to fall back to the script's heuristic UPN flag for a first-pass smoke test.
- 429 from the admin API: honor `Retry-After`. When resuming, resume from the failed setting rather than restarting.
- Large result sets: follow `continuationUri` / `continuationToken` and stream; do not try to materialize everything into a single response.

Files:

- `references/tenant-settings-metadata.yaml`: curated baseline for every known Fabric / Power BI tenant setting (portal title, description, preview, recommendation, risk, nuance, docs link).
- `references/delegated-overrides.md`: enumerate, classify, and (for capacity only) change delegated overrides.
- `references/security-groups.md`: resolve graphIds, classify members, detect red flags, cross-check admin role assignments.
- `scripts/audit-tenant-settings.py`: audit + change-detection script. Consumes the metadata yaml via its sibling `references/` path.
- `scripts/generate_audit_pdf.py`: renders a clean one-to-two-page PDF briefing of the same audit. Reuses the audit logic by importing the sibling script, optionally enumerates delegated overrides, and emits a compact editorial-style summary with headline counts, changes since last audit, a drift table, and a delegated-overrides section. Run with `uv run scripts/generate_audit_pdf.py -o /tmp/tenant-audit.pdf` after (or instead of) the markdown audit; share the PDF with stakeholders, keep the markdown for the working walk-through.
- `plugins/fabric-cli/skills/fabric-cli/references/admin.md`: raw admin API mechanics for settings updates, paging, and activity events.
- `plugins/fabric-cli/skills/fabric-cli/references/permissions.md`: workspace and item ACL workflows for the cross-domain half of a governance audit.
- `plugins/fabric-cli/skills/fabric-cli/SKILL.md`: entry point and command reference for the fab CLI.
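The two transport rules the skill states (honor `Retry-After` on 429 and resume from the failed setting; follow `continuationUri` and stream rather than materializing everything) as one added example. This is not the plugin's script: the HTTP layer is an injected callable so the same functions work over any client, and `FakeApi` is a constructed stand-in with scripted responses. The item key `activityEventEntities` and the `continuationUri` field follow the Power BI activity events API; the paths `admin/activityevents?p=1`, `s1`, `s2`, `s3` are placeholders.

```python
"""Added example: Retry-After handling, per-setting resume, and continuation paging."""
import time


def call_with_retry(call, path, max_attempts=5, sleep=time.sleep):
    """Invoke call(path) -> (status, headers, body); on 429 wait Retry-After and retry.
    Raises once max_attempts is exhausted so the caller can checkpoint where it stopped."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = call(path)
        if status != 429:
            return status, body
        # Honor the server's Retry-After when present; otherwise back off exponentially.
        wait = float(headers.get("Retry-After", 2 ** attempt))
        sleep(wait)
    raise RuntimeError(f"{path}: still rate-limited after {max_attempts} attempts")


def iter_pages(call, path, items_key, sleep=time.sleep):
    """Yield items page by page, following continuationUri until it is absent."""
    next_path = path
    while next_path:
        status, body = call_with_retry(call, next_path, sleep=sleep)
        if status != 200:
            raise RuntimeError(f"{next_path}: HTTP {status}")
        yield from body.get(items_key, [])   # stream this page, never hold all pages
        next_path = body.get("continuationUri")


def run_per_setting(call, paths, start=0, max_attempts=5, sleep=time.sleep):
    """Process one path per setting in order. Returns (completed, next_index);
    next_index is the setting that failed (pass it back as start= to resume) or None."""
    completed = []
    for i in range(start, len(paths)):
        try:
            status, _ = call_with_retry(call, paths[i], max_attempts=max_attempts, sleep=sleep)
        except RuntimeError:
            return completed, i
        if status >= 400:
            return completed, i
        completed.append(paths[i])
    return completed, None


class FakeApi:
    """Constructed stand-in for the admin API: scripted (status, headers, body) tuples per path.
    Each path pops its next response; the last one is repeated indefinitely."""

    def __init__(self, script):
        self.script = {p: list(rs) for p, rs in script.items()}
        self.calls = []

    def __call__(self, path):
        self.calls.append(path)
        responses = self.script[path]
        return responses.pop(0) if len(responses) > 1 else responses[0]


# Constructed read script: first request is throttled, then two pages of events.
READ_SCRIPT = {
    "admin/activityevents?p=1": [
        (429, {"Retry-After": "1"}, None),
        (200, {}, {"activityEventEntities": [{"Id": "e1"}, {"Id": "e2"}],
                   "continuationUri": "admin/activityevents?p=2"}),
    ],
    "admin/activityevents?p=2": [
        (200, {}, {"activityEventEntities": [{"Id": "e3"}], "continuationUri": None}),
    ],
}

# Constructed per-setting script: the second setting stays throttled.
WRITE_SCRIPT = {
    "s1": [(200, {}, {})],
    "s2": [(429, {"Retry-After": "0"}, None)],
    "s3": [(200, {}, {})],
}


if __name__ == "__main__":
    api = FakeApi(READ_SCRIPT)
    ids = [e["Id"] for e in iter_pages(api, "admin/activityevents?p=1", "activityEventEntities")]
    print("streamed events:", ids, "requests made:", len(api.calls))
    done, resume_at = run_per_setting(FakeApi(WRITE_SCRIPT), ["s1", "s2", "s3"], max_attempts=2,
                                      sleep=lambda _: None)
    print("completed:", done, "resume from index:", resume_at)
```

In a real run the `call` argument wraps whatever issues the request (a subprocess around `fab api`, or an HTTP client), and `resume_at` is what gets persisted so a retried batch starts at the failed setting instead of replaying the ones already applied.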