CSA Loom — the Microsoft Fabric experience for Azure tenants where Fabric isn't yet available: lakehouses, warehouses, notebooks, semantic models, Activator rules, Data Agents, across Commercial, GCC, GCC-High, and DoD IL5

CSA Loom — full E2E results (2026-05-24 end)

v2.1 image live at https://loom-console-fvbbctd4eehqbkcs.b02.azurefd.net

Direct BFF tests using a locally-minted session cookie (temp/uat-pw/mint-session.mjs mirrors lib/auth/session.ts).

PASS — fully working end-to-end

| Test | Result |
| --- | --- |
| Sign-in (/auth/sign-in → AAD → /auth/callback) | ✅ Fixed mid-session — was broken by env var rename, restored via AZURE_CLIENT_SECRET alias + code fix committed |
| /api/me | {authenticated:true, user:{...}} — session decode chain works |
| /api/workspaces GET (list) | ✅ Real Cosmos query, returns 1 workspace |
| /api/workspaces POST (create) | ✅ Created 92c9dd06-... with name/desc/capacity/domain — persisted to Cosmos workspaces container |
| /api/workspaces/[id]/items GET | ✅ Real Cosmos partition-scoped query |
| /api/workspaces/[id]/items POST | ✅ Created da01966e-... of type synapse-serverless-sql-pool |
| /api/items/[type]/[id] GET | ✅ Item read back with all fields |
| /api/items/synapse-serverless-sql-pool/[id]/schema | ✅ BFF → AAD token via UAMI → TDS over PE to *.ondemand.sql.azuresynapse.net → returns lake URLs + sample queries |
| /api/items/synapse-dedicated-sql-pool/[id]/state | ✅ ARM REST → returns {state:"Paused", sku:"DW100c", pool:"loompool"} |
| /api/lakehouse/containers | ✅ ADLS Gen2 listing — bronze/silver/gold (landing not present in storage) |
| /api/lakehouse/paths?container=bronze | ✅ Real listPaths call — empty (no data uploaded yet) |
| /workspaces page render | ✅ 200 HTML |

BLOCKED — needs one-time human admin action

| Test | Blocker | Fix |
| --- | --- | --- |
| Synapse Serverless SELECT 1 query | Login failed for token-identified principal. UAMI is workspace AAD admin, but Synapse SQL also needs the data-plane Synapse Administrator role. My signed-in user lacks the Synapse RBAC permission to grant it. | Current Synapse admin (b9c3cc65-522e-49c9-ad02-914676aa5a6b) must run az synapse role assignment create --workspace-name syn-loom-default-eastus2 --role "Synapse Administrator" --assignee-object-id e61f3eb3-c646-4183-8198-4c4a34cd9a01 --assignee-principal-type ServicePrincipal — requires temporarily enabling public network access on Synapse first. |
| Databricks SQL Warehouse list | listWarehouses failed 403: User not authorized. UAMI has ARM Contributor on the workspace but is not SCIM-registered as a workspace user. | First workspace admin login bootstraps SCIM, then POST /api/2.0/preview/scim/v2/ServicePrincipals with UAMI applicationId: c6272de5-3c4e-4b72-8b57-71b2e950209b. Curl in docs/fiab/v2.1-live-state.md. |
| APIM editors list/create | APIM apim-csa-loom-eastus2 not yet provisioned. | Wait ~30-45 min for apim-r2-* direct deploy (running). After Succeeded, run bash scripts/csa-loom/grant-apim-rbac.sh. |
| AI Foundry editor | Foundry hub not yet provisioned. | Wait ~5-10 min for ai-foundry-r2-* direct deploy (running). |

INFRA / SECURITY ACTIONS THIS SESSION

  • Cosmos DB Built-in Data Contributor → UAMI principalId — granted ✅
  • Storage Blob Data Contributor → UAMI on saloomdefaultmwfaiy3truk — granted ✅
  • Synapse workspace AAD admin = UAMI (uami-loom-console-eastus2) — already set ✅
  • Synapse workspace ARM Contributor → UAMI — granted ✅ (used for ARM pause/resume)
  • Databricks workspace ARM Contributor → UAMI — granted ✅
  • Cosmos database loom + containers workspaces (PK /tenantId) + items (PK /workspaceId) — pre-created ✅
  • Live mid-session fix: AZURE_CLIENT_SECRET=secretref:azure-client-secret aliased to MSAL secret value so callback gate passes ✅
  • Synapse public-network temporarily enabled + IP whitelist attempted; reverted to Disabled at end of session ✅

Final commits

6aa041cf fix: sign-in regression — AZURE_CLIENT_SECRET back-compat
49f778ee fix: callback prefers LOOM_MSAL_* env vars
cb65f876 docs: final session note — firewall policy workaround
df13cd5a fix: default image tags to v2.1
c24c7f2d fix: APIM v2 subnet delegation + Foundry storage ref
dc2071f2 fix: 3 push-button blockers (NSG, Foundry storage, AI Search)
... 12 earlier commits this session

Branch access-patterns-vpn-agw-fd pushed.

Next session resume

Read docs/fiab/v2.1-e2e-results.md
1. Ask current Synapse admin to grant UAMI "Synapse Administrator" role (one curl/az command)
2. Bootstrap Databricks SCIM (workspace admin login + curl)
3. Verify apim-r2-* and ai-foundry-r2-* deploys Succeeded; run grant-apim-rbac.sh
4. Re-run full E2E sweep — should be 100% pass after the 3 manual bootstraps
5. Next slice: wire one more editor family (recommend Notebook → Databricks Jobs API)