These settings are configured in the tenant settings section of the Admin portal. For information about how to get to and use tenant settings, see About tenant settings.
Service principals can access read-only admin APIs
Web apps registered in Microsoft Entra ID use an assigned service principal to access read-only admin APIs without a signed-in user. To allow an app to use service principal authentication, its service principal must be included in an allowed security group. By including the service principal in the allowed security group, you're giving the service principal read-only access to all the information available through admin APIs (current and future). For example, user names and emails, semantic model, and report detailed metadata.
Enhance admin APIs responses with detailed metadata
Users and service principals allowed to call Power BI admin APIs might get detailed metadata about Power BI items. For example, responses from GetScanResult APIs contain the names of semantic model tables and columns.
For this setting to apply to service principals, make sure the tenant setting Allow service principals to use read-only admin APIs is enabled. To learn more, see Set up metadata scanning.
Enhance admin APIs responses with DAX and mashup expressions
Users and service principals eligible to call Power BI admin APIs get detailed metadata about queries and expressions comprising Power BI items. For example, responses from GetScanResult API contain DAX and mashup expressions.
For this setting to apply to service principals, make sure the tenant setting Allow service principals to use read-only admin APIs is enabled. To learn more, see Set up metadata scanning.