Hi @jaineshp , @rohit1991 , @Poojara_D12  and @v-dineshya 
Thanks for your assistance.
Allow me for some time. I will check and confirm you here.
Thanks.

Hi Team,
I got reply form my IT team saying they did not find respective role.
Please help me

Hey @Koteswara,

Let me clarify the same.

1. Power BI Service Administrator Role

This is not an Azure AD role but a Power BI-specific admin role. Your IT team needs to:

• Go to Microsoft 365 Admin Center → Roles → Role assignments
• Look for Power BI Administrator (not "Power BI Service Administrator")
• Or assign Global Administrator which includes Power BI admin rights

2. Tenant Setting Location

The setting "Allow service principals to use Power BI APIs" is found at:

• Power BI Admin Portal → Tenant settings → Developer settings
• Look for "Allow service principals to use Power BI APIs"
• This must be enabled and the UAMI should be added to the security group allowed to use this setting

3. Alternative Approach - API Permissions

Instead of Power BI admin role, you can assign Microsoft Graph API permissions to the UAMI:

Required API Permissions:

• Tenant.Read.All (for reading tenant info)
• Dataset.ReadWrite.All (for dataset operations)
• Dashboard.ReadWrite.All (for dashboard operations)
• Report.ReadWrite.All (for report operations)
  

Did it work? ✔ Give a Kudo • Mark as Solution – help others too!

Best regards,
Jainesh Poojara / Power BI Developer

Hey @Koteswara,

Sounds great!

Mark as Solution – help others too!

Best Regards,
Jainesh Poojara | Power BI Developer

Hi @jaineshp 
Alternative Approach that you provided using Graph API permission,
if i'm correct are you looking for the Azure - app registration service  with Microsoft Graph  api access ?

Our UAMI will not display in this app registration list right

Hey @Koteswara,

You're absolutely correct!

User-Assigned Managed Identities (UAMI) do NOT appear in App Registrations - this is a key distinction that many people get confused about.

Here's the clarification:

UAMI vs App Registration

• UAMI = Azure resource, appears in Azure Portal → Managed Identities
• App Registration = Azure AD application, appears in Azure Portal → App Registrations

For Power BI API Access with UAMI, you have 2 options:

Option 1: Power BI Admin Portal (Recommended)

• Enable "Allow service principals to use Power BI APIs" in Power BI Admin Portal
• Add your UAMI to the security group that's allowed to use this setting
• This is the native Power BI way and doesn't require Graph API permissions

Option 2: If you need Graph API approach

You would need to:

1. Create an App Registration (separate from UAMI)
2. Grant Microsoft Graph API permissions to this App Registration
3. Use client credentials flow with this App Registration

Bottom Line

For your UAMI to work with Power BI APIs, stick with Option 1 - the Power BI Admin Portal tenant setting.

The Graph API permissions I mentioned earlier would only apply if you were using an App Registration instead of a UAMI.

Thanks for catching that important distinction! 👍

Did it work? ✔ Give a Kudo • Mark as Solution – help others too!

Best regards,
Jainesh Poojara / Power BI Developer

Hi @jaineshp Thank you for your prompt response.

Hi @Koteswara , In addition to @jaineshp  response, I am adding Microsoft official document.

Use a managed identity in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Lear...

Please do let us know if you have any further queries.

Regards,

Dinesh

Hi Jainesh Poojara,

Thanks for your reply.
Yes. Workload identity configured to in AKS cluster. I am using UAMI already for azure storage APIs.

For Azure storage I am passing scope as https://storage.azure.com/.default

What value we should pass here? Will it accept my old one (Which I am using with SP)  https://analysis.windows.net/powerbi/api/.default ?

Hi @Koteswara,

Yes, you're absolutely on the right track!

Since you're already using a User Assigned Managed Identity (UAMI) for Azure Storage in your AKS cluster, integrating the same identity for accessing Power BI REST APIs is entirely possible — and the scope you're referring to is correct.

Required Scope for Power BI REST API

When authenticating using a Managed Identity, you should continue to use the following scope:

https://analysis.windows.net/powerbi/api/.default

This scope is consistent across all types of Azure AD identities (Service Principals, Managed Identities, etc.) when accessing the Power BI API.

Summary of What You Need

1. Correct Scope:

   • https://analysis.windows.net/powerbi/api/.default
     
     

2. Tenant Settings:

   • Make sure the Power BI tenant has enabled:

     • Admin Portal → Tenant Settings → "Allow service principals to use Power BI APIs" (must be enabled for your UAMI or its security group).

3. Azure Role Assignments:

   • Assign your UAMI one of the following roles via Azure AD:

     • Power BI Service Administrator (for full control)

     • Or assign specific dataset/workspace access via Power BI workspace permissions (e.g., Admin, Member).

4. AKS Workload Identity Setup:

   • Since workload identity is already working with Azure Storage, you can use the same mechanism.

   • Use DefaultAzureCredential from the Azure SDK (Java) to acquire tokens:

     
     TokenCredential credential = new DefaultAzureCredentialBuilder().build();

5. Token Acquisition Example (Optional):
   If you're manually acquiring tokens via HTTP for debug/testing:

   • Make a request to:
     
     http://169.254.169.254/metadata/identity/oauth2/token
     
     

   • With query parameters:
     
     

     resource=https://analysis.windows.net/powerbi/api
     &api-version=2018-02-01

   • Add Header:

     
     Metadata: true

Let me know if you need a working Java code snippet or role assignment script.

Glad to help!

Best regards,
Jainesh Poojara
Power BI Developer

Please note that useful documentation links are not opening. Please do needful