How to assign roles / permissions to applications?

fms third 0 Reputation points
2025-09-12T04:05:19.85+00:00

I want to implement https://github.com/microsoft/powerbi-client-react to view reports.
I was able to request a token using this endpoint: https://login.microsoftonline.com/tenantId/oauth2/v2.0/token

But when I use this token to request to view the report, I get a 401 error, and when I check the JWT token it only shows two roles:

"roles": [
    "Tenant.ReadWrite.All",
    "Tenant.Read.All"
]

When I check the permissions, I can see only those two are allowed to be added as application permissions in the Azure dashboard.

Please help me with how to enable delegated permissions for the application.

I'm using this endpoint: GET https://api.powerbi.com/v1.0/myorg/reports/{reportId}

2 answers

  1. Siva shunmugam Nadessin 10,820 Reputation points Microsoft External Staff Moderator
    2025-09-12T10:54:12.7866667+00:00

    Hello fms third,

    Below are the steps to help you set up delegated permissions for your application:

    Go to the Azure Portal and find your app registration:

    Navigate to Microsoft Entra ID > App registrations.

    Select the application you're using.

    Add Delegated Permissions: Under the Manage section, click on API permissions.

    Click Add a permission > APIs my organization uses and search for Power BI Service.

    In the Power BI permissions, you might need to add delegated permissions such as Report.Read or Report.Read.All depending on your access needs.

    After adding the permissions, make sure to click Grant admin consent for your tenant.

    Authentication Flow: Ensure your authentication setup includes the right redirect URIs, especially if using OAuth 2.0.

    For delegated permissions, your app should authenticate with an interactive flow so a user can sign in.

    Token Inspection: Once you've added the necessary permissions, obtain a new token to check the scp (scope) claim for delegated permissions instead of the roles claim, which indicates app-only permissions.

    If the comment was helpful, please click "Upvote".

    1 person found this answer helpful.

  2. Alex Burlachenko 21,715 Reputation points MVP Volunteer Moderator
    2025-09-12T09:28:23.72+00:00

    Hi,

    that 401 error is almost always a permissions issue, so you are on the right track.

    for your microsoft azure solution, the problem is likely the type of permission you are using. you are seeing application permissions, but for the power bi api, you might need delegated permissions for this specific scenario. application permissions are for app-only access without a user, while delegated permissions are for when your app acts on behalf of a signed-in user.

    first, go to your app registration in the azure portal. under 'manage', click on 'api permissions'. here, you need to add the right delegated permissions for power bi. click 'add a permission', then select 'apis my organization uses', and search for 'power bi service'. add the delegated permissions you need, like 'report.read' or 'report.read.all'. after adding, do not forget to click 'grant admin consent' for your tenant.

    also, check the authentication setup of your app registration. make sure you have configured the right redirect uris and that you are using the correct flow. for delegated permissions, you are usually using an interactive flow where a user signs in.

    here is the key documentation for power bi embedded that explains the required permissions https://learn.microsoft.com/power-bi/developer/embedded/embed-service-principal

    now, for a general tip that might help in other tools too. when you decode that jwt token, the 'roles' claim is for application permissions. for delegated permissions, you will see a 'scp' claim instead, which lists the delegated scopes that were granted. so if your token only shows 'roles', it means you are getting an app-only token, not a delegated user token.

    worth looking into the exact embedding scenario you are trying to achieve. the permissions differ slightly between embedding for your organization and embedding for customers.

    good luck. sorting out these permissions is a crucial step. once you get the right permissions consented, that 401 should disappear. let me know if this points you in the right direction.

    Best regards,

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helps you, please Accept my answer
    

    https://ctrlaltdel.blog/

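The claim check both answers describe (`roles` for app-only tokens, `scp` for delegated tokens), as an added example that is not part of either answer or of Microsoft's code. The helper names and the two sample tokens are constructed for illustration; the samples are unsigned.

```javascript
// Added example: inspect an access token's claims to see which permission type it carries.
// Decode only: the signature is NOT verified, so use this for debugging, never for authorization.

function b64urlDecode(segment) {
  // JWT segments are base64url without padding; map back to the standard alphabet.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected header.payload.signature");
  return JSON.parse(b64urlDecode(parts[1]));
}

// 'scp' (space-separated string) => delegated permissions, token issued for a signed-in user.
// 'roles' (array) without 'scp'  => application permissions, app-only token.
function classifyAccessToken(claims) {
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ").filter(Boolean) : [];
  if (scopes.length > 0) return { kind: "delegated", permissions: scopes };
  if (roles.length > 0) return { kind: "app-only", permissions: roles };
  return { kind: "unknown", permissions: [] };
}

// True only when the token is delegated AND carries the scope the API call needs.
function hasDelegatedScope(token, requiredScope) {
  const result = classifyAccessToken(decodeJwtPayload(token));
  return result.kind === "delegated" && result.permissions.includes(requiredScope);
}

// Constructed sample tokens (hypothetical helper; unsigned, for illustration only).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

// First sample mirrors the claims quoted in the question; second is a delegated token.
const appOnlyToken = makeSampleToken({ roles: ["Tenant.ReadWrite.All", "Tenant.Read.All"] });
const delegatedToken = makeSampleToken({ scp: "Report.Read.All" });

for (const [name, tok] of [["app-only sample", appOnlyToken], ["delegated sample", delegatedToken]]) {
  const { kind, permissions } = classifyAccessToken(decodeJwtPayload(tok));
  console.log(`${name}: ${kind} [${permissions.join(", ")}]`);
}
```

Running the same check on a freshly issued token before calling the reports endpoint shows whether the sign-in flow actually produced a delegated token.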
