Fabric Cost Attribution: Why You Can't Identify Which Pipeline Run Cost You Money

Q: What is the Activity Events API and how does it help with Fabric attribution?

The Activity Events API (Power BI admin REST API, getActivityEvents endpoint) returns audit log entries — who ran what, on which item, when — for up to approximately 30 days of history, one day per request. By joining its output to capacity-metrics telemetry on item name and overlapping timestamps, you can reconstruct plausible run-to-cost mappings that the native monitoring tools won't produce on their own.

An F64 capacity costs $8,409.60 per month at PAYG rates (as of June 2026), and at any moment your pipeline monitoring tells you it's burning faster than expected. You open the Capacity Metrics app. You can see which item is consuming CUs. What you cannot see — what the platform structurally prevents you from seeing — is which run of that item caused the spike, triggered by whom, fired from which scheduler. That is the attribution void.

Fabric cost attribution is item-level only. The Capacity Metrics app assigns CU consumption to a named item — a pipeline, a notebook, a semantic model — not to a specific execution of that item. The OperationID field visible in the metrics app is not linked back to individual pipeline runs. The Chargeback app shows utilization by workspace, item, or domain/subdomain (select the tab), but its underlying data refreshes daily — making it a lagging, not real-time, view. The Activity Events admin API holds the run-level audit trail, but it takes a maximum of one day of data per request and sits in a separate system you have to join manually (Microsoft Learn, Track user activities in Power BI, checked June 2026). No native tool performs that join for you. The gap between "the pipeline item spiked" and "the 2 a.m. run triggered by the ETL scheduler spiked" is the attribution void — and it has a real cost when you're trying to manage a $8,400/month capacity down to a $4,200/month one.

This article is part of the Microsoft Fabric capacity monitoring guide, which maps the full native monitoring stack. Here we go one layer deeper: exactly where attribution breaks down, the mechanism behind each break, and the heuristic you can build today to close most of the gap without waiting for the platform to fix it.

Why attribution stops at the item boundary

The Capacity Metrics app is built around a 30-second timepoint model. Every 30 seconds, Fabric emits a snapshot of CU consumption attributed to each active item. Those timepoints roll up into the Compute page's utilization view and into the item-drill-down visuals. The attribution grain is the Fabric item — a specific pipeline in a specific workspace.

What the timepoints do not carry is a link to the run that was active during that 30-second window. A pipeline item that fires 40 times a day across four schedulers — nightly, hourly, ad-hoc, and triggered by another pipeline — appears as a single item in the metrics app. All 40 runs pool into its CU total. An OperationID appears in some drill-down views, but Microsoft's documentation confirms it correlates to query executions in specific surfaces (such as SQL analytics endpoints), not to pipeline-run identifiers (Microsoft Learn, Evaluate and optimize your Microsoft Fabric capacity, checked June 2026). There is no native join from a metrics-app OperationID back to a Data Factory pipeline run ID.

This isn't an oversight — it's an architectural consequence of building a shared-pool compute model. CU accounting happens at the capacity level across all items; the item-level rollup is already a derived attribution. Run-level attribution would require tracking execution provenance through the capacity layer, which the platform does not currently expose end-to-end.

What the Chargeback app does and doesn't do

The Chargeback app shows utilization by workspace, item, or domain/subdomain (select the tab), but its underlying data refreshes daily — making it a lagging, not real-time, view. It answers "which workspace (or item, or domain) consumed what share of the capacity?" — a genuine showback capability. The item-level tab does narrow attribution below the workspace grain, but it still shows per-item aggregates by day, not per-run resolution. It introduces two additional attribution gaps beyond grain.

Daily aggregation. The Chargeback app does not reflect usage in real time; its data refreshes daily (What is Microsoft Fabric Chargeback app?, Microsoft Learn, checked June 2026). A cost spike that happens Tuesday at 2 a.m. appears in your Chargeback view Wednesday morning, already rolled into the day's total alongside every other workload that ran that day.

User masking. When the "Show user data in the Fabric Capacity Metrics app and reports" admin setting is disabled, the Chargeback app replaces user emails with "Masked user" and counts all masked users as a single user (What is Microsoft Fabric Chargeback app?, Microsoft Learn, checked June 2026). Service-principal-driven workloads — the kind that run most scheduled pipelines — appear as "Power BI Service" with no human owner attached. In practice, this means the majority of automated pipeline activity in a mature Fabric deployment is either masked or attributed to a service principal that nobody in the Chargeback view owns.

The Chargeback app is the right tool for departmental showback: "Marketing's workspace consumed 18% of the F64, which is ~$1,514/month at PAYG rates." It is the wrong tool for incident investigation. A deeper look at what the Chargeback app can and can't do is in the Chargeback app vs. attribution deep-dive.

The Activity Events gap

The closest thing Fabric has to a run-level audit trail is the Power BI Activity Events admin API (getActivityEvents endpoint). It records tenant-wide audit events — pipeline runs, dataset refreshes, report views — with a timestamp, a user identity, and an item reference (Track user activities in Power BI, Microsoft Learn, checked June 2026).

Three constraints make it a gap rather than a solution:

One day per request. The API requires a start date and end date and currently returns only up to one day of data per request. Pulling 30 days requires 30 sequential calls with pagination handled via continuation tokens.
~30-day window. Activity events are available for approximately 30 days (Track user activities in Power BI, Microsoft Learn, checked June 2026). History beyond that window is gone unless you've been extracting it to your own store.
No join to CU. The Activity Events API doesn't emit CU consumed per event. It tells you a pipeline ran; it doesn't tell you how much capacity that run burned. You have to build the join yourself.

The Activity Events API is nonetheless the only native source of run-level information. Used correctly — joined to capacity telemetry on item name, workspace, and overlapping time windows — it closes most of the attribution void. That's what the heuristic below does.

The OperationID heuristic: joining telemetry to activity events

What follows is a worked heuristic for reconstructing pipeline-run-to-CU-cost mappings from the two data sources you can pull.

The two tables you need:

Source	How to pull	Key fields
Capacity Metrics semantic model	SemPy `evaluate_dax` or Power BI `executeQueries` REST API	`ItemName`, `WorkspaceName`, `StartTime`, `EndTime`, `TotalCUSeconds`
Activity Events API	`GET /v1.0/myorg/admin/activityevents?startDateTime=...&endDateTime=...`	`Activity` (e.g. `RunPipeline`), `ItemName`, `WorkSpaceName`, `CreationTime`, `UserId`

The join logic:

The capacity metrics timepoints are 30-second snapshots; a single pipeline run may span many timepoints. The Activity Events entry is a single event at run start. The heuristic:

Pull Activity Events for the day in question — one API call per day, paginate if >5,000–10,000 entries.
Pull capacity telemetry for the same item and workspace from the Capacity Metrics semantic model, filtered to the date range.
For each RunPipeline activity event, find all capacity timepoints where StartTime falls within the window [CreationTime - 15 minutes, CreationTime + item_avg_runtime + 15 minutes]. The 15-minute buffer on each side accounts for the full reporting lag: Microsoft Learn states that usage data becomes available within 10 to 15 minutes (Evaluate and optimize your Microsoft Fabric capacity, checked June 2026). A 5-minute offset would understate that lag by 50–67% and cause the heuristic to miss early timepoints for runs whose telemetry arrived at the slower end of that window.
Sum TotalCUSeconds across matched timepoints. Divide by 3,600 to get CU-hours; multiply by $0.18 to get the estimated dollar cost of that run.
Where multiple runs overlap in time (parallel executions), divide the CU total proportionally by concurrent run count — you cannot isolate per-run spend exactly, but you can bound it.

Worked example:

Suppose a pipeline named ingest_sales_daily in workspace Analytics-Prod ran 3 times on June 19, 2026:

Run	`CreationTime` (Activity Events)	Duration (from pipeline run logs)
Run A	02:01	~8 min
Run B	06:00	~8 min
Run C	14:30	~8 min

You pull capacity telemetry for ingest_sales_daily in Analytics-Prod and find three distinct CU clusters:

Cluster	Window	Sum CU-seconds
Cluster 1	02:00–02:10	4,320 CU-s
Cluster 2	06:00–06:09	3,960 CU-s
Cluster 3	14:29–14:38	5,040 CU-s

Matching Run A → Cluster 1: 4,320 CU-s = 1.2 CU-h → $0.216. Run B → Cluster 2: 3,960 CU-s = 1.1 CU-h → $0.198. Run C → Cluster 3: 5,040 CU-s = 1.4 CU-h → $0.252.

Run C cost 27% more than Run B despite identical nominal duration — most likely because an afternoon semantic model refresh was also running, competing for CUs, and the pipeline's sub-activities were throttle-delayed. This is signal you cannot get from either data source alone.

The limits of the heuristic:

It cannot isolate runs that truly overlap (two parallel executions of the same pipeline at the same time share a CU pool you can't split perfectly).
It requires you to persist both data sources — the metrics telemetry window is 14 days for 30-second compute detail (the Item History page preview extends item-level trends to 30 days, but without sub-hour granularity), and Activity Events run approximately 30 days (Track user activities in Power BI, Microsoft Learn, checked June 2026) — so you need extracts running before those windows close.
Service-principal-run pipelines may show only "Power BI Service" in Activity Events, giving you the when but not the who.

That said, this heuristic correctly identifies the culprit run in the majority of incident investigations because most pipelines run at staggered intervals, not truly in parallel. For a full extraction pattern including DAX against the Capacity Metrics semantic model, see the Capacity Metrics app deep-dive.

Pipeline billing mechanics: why per-run cost matters

The attribution void would matter less if pipeline runs were cheap and predictable. They aren't. Fabric pipeline billing charges 1.5 CU-hours per copy-activity intelligent-optimization-throughput unit, and 0.0056 CU-hours per orchestration activity run (Pricing for pipelines, Microsoft Learn, checked June 2026). For sub-minute copy activities, practitioners report that billing rounds up to the nearest whole minute — community-observed behavior, not explicitly stated in the Microsoft Learn pricing reference (Pricing for pipelines, Microsoft Learn, checked June 2026). If accurate, a 14-second copy activity billed as 1.0 minute would represent a 328% increase for that single run. Scale that across a metadata-driven architecture with 250+ table loads running sequentially, and the compounding effect becomes a dominant cost driver, not the actual data moved. Treat the 328% figure as a practical observation rather than a guaranteed billing mechanic — and validate it against your own Capacity Metrics telemetry for sub-minute runs in your tenant.

On an F64 capacity ($8,409.60/month PAYG), a poorly-structured pipeline running 40 times a day is invisible in the Chargeback app until the next morning, and invisible per-run forever in the native stack. The attribution void directly prevents you from finding the 2 a.m. run that inflated last Tuesday's bill.

What to do

Step 1: Accept item-level as the native floor. The Capacity Metrics app's item-level view is genuinely useful — it tells you which items are your top consumers, which is enough to prioritize optimization work. Use it as the starting triage layer, not the final answer.

Step 2: Enable "Show user data" in the admin portal. If it's off, you're flying blind on user identity for every non-service-principal trigger. Enabling it restores user emails to the metrics app and Chargeback app surfaces (Audit and usage admin settings, Microsoft Learn, checked June 2026).

Step 3: Extract Activity Events daily. Pull one day at a time, store in a lakehouse or Eventhouse you control. Don't wait for an incident — the 30-day window means if you start pulling today, you have 30 days of run-level history by next month.

Step 4: Extract capacity telemetry before day 15. The Capacity Metrics compute window is 14 days. Schedule a SemPy notebook or executeQueries pull against the Capacity Metrics semantic model and append daily to your store.

Step 5: Apply the heuristic join. For any cost spike or anomaly investigation, join the two extracts on ItemName + WorkspaceName + overlapping time window to reconstruct per-run cost estimates. Flag runs with zero matching Activity Events entries — those are service-principal jobs you'll need to trace through pipeline run logs separately.

Step 6: Build a per-run cost table. Once the join is running, materialize a daily table of (run_id_heuristic, item, workspace, trigger_user_or_sp, estimated_cu_h, estimated_cost_usd). This is the attribution layer the native stack doesn't provide, and it's the foundation for meaningful chargeback at run granularity rather than workspace-day granularity.

The named enemy

The attribution void is the enemy this article exists to name and defeat. Its mechanism: item-level CU accounting at the capacity layer, no OperationID-to-run link, daily Chargeback aggregation, and user masking on service principals — all combining to leave you knowing that a workload cost money without knowing which run or whose decision caused it.

The cost of the void isn't just aesthetic. On a shared F64 capacity with 20 teams and 400+ daily pipeline runs, the inability to attribute a cost spike to a specific run means you fix the wrong thing, cut the wrong pipeline, and miss the actual offender — which runs again tomorrow. The FinOps discipline for Fabric requires the heuristic join because the platform does not provide the straight line.

For the broader monitoring context — all five native surfaces and where each one stops — return to the full native monitoring stack guide. For the Chargeback app's specific limits as a showback tool, see Chargeback app vs. attribution.

Frequently asked questions

Why can't I see which pipeline run caused a capacity spike in Fabric? Because the Capacity Metrics app tracks compute usage at the item level — it can show you that a specific pipeline item consumed CUs during a window, but the OperationID surface in the metrics app is not linked back to the individual pipeline run that produced it. You can correlate by time and item name manually, but no native tool makes that join for you automatically.

What does 'item-level attribution' mean in Microsoft Fabric? It means the Capacity Metrics app assigns CU usage to the Fabric item (the pipeline, notebook, or semantic model) rather than to a specific run of that item, a specific user trigger, or a specific schedule invocation. So you can see the item responsible, but not which of its many daily executions caused a cost spike.

How do I find out who triggered an expensive Fabric workload? You have to join two data sources you pull yourself: capacity telemetry (from the Capacity Metrics semantic model) and the Power BI Activity Events admin API. The Activity Events API returns one day per request and covers approximately 30 days of history. Match on item name, workspace, and overlapping time windows to narrow the candidate runs. There is no native UI that performs this join.

Does the Chargeback app show per-user cost attribution in Fabric? Only partially. The Chargeback app shows usage by workspace, item, or domain/subdomain (three tabs), but all tabs aggregate by day — there is no real-time or per-run view. The item tab narrows the grain below workspace, but still shows daily totals per item, not per execution. It can also mask user identities entirely when the "Show user data in the Fabric Capacity Metrics app and reports" admin setting is disabled — in that case, usernames appear as "Masked user" and all masked users count as one. Service-principal-driven workloads appear as "Power BI Service" with no human owner.

What is the Activity Events API and how does it help with Fabric attribution? The Activity Events API (Power BI admin REST API, getActivityEvents endpoint) returns audit log entries — who ran what, on which item, when — for up to approximately 30 days of history, one day per request. By joining its output to capacity-metrics telemetry on item name and overlapping timestamps, you can reconstruct plausible run-to-cost mappings that the native monitoring tools won't produce on their own.

Researched with AI assistance, written and fact-checked by Jonathan Flach, verified against Microsoft Learn.