How to call the Power BI API with Azure Managed Identity

Last updated on July 28, 2025
These days, most (if not all) Azure services that can run custom logic support Azure managed identities. Yet, many applications still use client secrets or certificates for authentication. It could be that the solution is old and has not yet been updated, or simply that “that’s how things have always been done”. However, certificates expire, secrets need to be rotated, and both introduce risks if they are ever leaked.
Managed identities solve these problems. They remove the need to manage secrets altogether, offering a safer and more seamless way to authenticate your app to Entra ID-protected APIs. And once you’ve used them, you’ll likely never want to go back (unless you absolutely have to, for one reason or another).
In this post, I’ll walk you through how I modernized an existing solution that provisions Power BI workspaces, replacing its client credential authentication with managed identity auth. By the end, you’ll know exactly how to do the same in your applications, making them more secure and easier to maintain.
Do the required configurations
Enable the Azure resource managed identity
First, we need to enable the system-assigned managed identity for the Azure resource that executes the application logic. You could also use a user-assigned managed identity, but this post focuses on the simpler system-assigned option.
- Go to the Azure resource that runs your application logic.
- Look for the Identity blade in the navigation.
- Switch the system-assigned managed identity status to On and save. Copy the Object (principal) ID that appears upon saving. You’ll need this in the next step.
Grant the managed identity the required permissions
Before calling the Power BI API, you must grant your managed identity the necessary permissions to perform the operations it will execute, whether that involves reading or modifying Power BI resources.
Below is a PowerShell script you can use to assign the permissions. Before running the script, be sure to:
- Replace the managedIdentityId variable value with the object ID of the system-assigned managed identity that you just copied.
- Replace the tenantId variable value with your tenant ID. You can find this, e.g., on the Microsoft Entra ID front page in the Azure portal.
- Adjust the permissions variable so that you only leave the read or write permission in place, based on whether your app needs read-only (Tenant.Read.All) or write access (Tenant.ReadWrite.All).
Please note that the user executing the script needs to have the Application administrator, Cloud application administrator, or Global administrator role in Microsoft Entra ID.
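A permission-grant script along the lines described above, written here with the Microsoft Graph PowerShell SDK as an added example (it is not the author's original script). The variable names follow the steps above; the Power BI Service application ID and the requested Graph scopes are assumptions to verify in your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

# Placeholders: replace with your own values, as described in the steps above.
$managedIdentityId = "<object-id-of-the-managed-identity>"
$tenantId          = "<your-tenant-id>"

# Least privilege: keep only the one permission the app actually needs.
$permissions = @("Tenant.Read.All")   # or @("Tenant.ReadWrite.All") for write access

# Assumption: well-known application (client) ID of the Power BI Service app.
# Confirm that the resolved service principal's DisplayName is "Power BI Service".
$powerBiAppId = "00000009-0000-0000-c000-000000000000"

Connect-MgGraph -TenantId $tenantId `
    -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# Resolve the Power BI Service service principal in this tenant.
$powerBi = Get-MgServicePrincipal -Filter "appId eq '$powerBiAppId'"
if (-not $powerBi) {
    throw "Power BI Service service principal not found in tenant $tenantId."
}

# Roles the managed identity already holds, so the script can be re-run safely.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityId -All

foreach ($permission in $permissions) {
    # Match only application permissions (app roles), not delegated scopes.
    $role = $powerBi.AppRoles | Where-Object {
        $_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $role) { throw "App role '$permission' not found on $($powerBi.DisplayName)." }

    $already = $existing | Where-Object {
        $_.ResourceId -eq $powerBi.Id -and $_.AppRoleId -eq $role.Id
    }
    if ($already) {
        Write-Host "$permission is already assigned, skipping."
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityId `
        -PrincipalId $managedIdentityId -ResourceId $powerBi.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned $permission to $managedIdentityId."
}

# Review the result: every app role the identity now holds on any resource.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityId -All |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

The final listing doubles as an audit check: if it shows both Tenant.Read.All and Tenant.ReadWrite.All, or roles on resources the app never calls, remove the extras.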
Get a token for calling the API
Once permissions are granted, your app can use the managed identity to acquire a token and authenticate to the Power BI API.
Logic Apps
When configuring a Logic App HTTP action to call the Power BI API, set the Audience to https://analysis.windows.net/powerbi/api.

App Service
If you’re calling the API from an App Service (e.g., a C# Azure Function App), set the scope to https://analysis.windows.net/powerbi/api/.default.
Here’s an example using the Azure.Identity NuGet package:
Afterword
Using managed identities in Azure is one of those features that not only improves security but also simplifies your code and operations. No more worrying about rotating or accidentally leaking secrets. It just works, and it’s safer.
I hope this post gave you clear and practical instructions for using managed identities when working with the Power BI API. If you ran into anything unexpected along the way or have thoughts to share, I’d be happy to hear from you in the comments.
Thanks for reading, and until next time!