MetricSign
High severity · authentication

Power BI Error:
AADSTS700229, App-Only Token Required for Federated Identity Credentials

What does this error mean?

Federated Identity Credential exchange rejected: a user-delegated token was sent where Entra ID requires an app-only token.

Common causes

  • The token used as the FIC client assertion was acquired via an interactive or on-behalf-of (user-delegated) flow instead of client credentials
  • The calling workload (e.g. Azure DevOps service connection, GitHub Actions, ADF managed identity exchange) is configured with a user account or delegated permissions instead of a service principal / managed identity
  • A multi-tenant federation chain passes the original user token forward instead of minting a new app-only token at the federating tenant
  • Workload Identity Federation subject/audience is correct, but the source identity provider issued an `aud`/`scp` token (delegated) rather than `roles` (app-only)
  • Custom code calls `AcquireTokenInteractive` / `AcquireTokenOnBehalfOf` and uses the resulting JWT as the `client_assertion` parameter

How to fix it

  1. Switch the token acquisition to the OAuth 2.0 client credentials grant (e.g. MSAL `AcquireTokenForClient`, `az login --service-principal`, or a managed identity) so the JWT contains the `roles` claim and no `scp`/`upn`
  2. In the federated source (GitHub Actions, Azure DevOps, Kubernetes, another Entra tenant), ensure the workflow runs under a service principal / workload identity — not a user account — before exchanging the token at `login.microsoftonline.com/<tenant>/oauth2/v2.0/token`
  3. Decode the offending assertion at jwt.ms and verify `idtyp=app` (or absence of `upn`/`unique_name`) and that `aud` matches the FIC's configured audience (`api://AzureADTokenExchange`)
  4. Re-check the Federated Identity Credential on the target App Registration: subject identifier and issuer must match the app-only caller, then retry the token exchange
  5. If the failure originates from ADF, Fabric, or a Power BI gateway connector, reconfigure the linked service / connection to use a System-Assigned or User-Assigned Managed Identity instead of a service account login
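The claim checks in steps 1, 3 and 4 can be scripted instead of pasted into jwt.ms. The following is an added example, not code from this page or from Microsoft: it decodes a compact JWT without verifying the signature (a local diagnostic only), reports every reason the token would be refused as a FIC client assertion (delegated claims, wrong `idtyp`, missing `roles`, wrong `aud`, and optionally a `sub`/`iss` that does not match the FIC), and runs against constructed, unsigned sample tokens with placeholder issuer and subject values.

```python
import base64
import json

# Audience a FIC client assertion must carry (from the page); sub/iss must match the FIC config.
FIC_AUDIENCE = "api://AzureADTokenExchange"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified:
    this is a local diagnostic (the same view jwt.ms gives), not an authorization check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_fic_assertion(jwt: str, expected_subject: str = None, expected_issuer: str = None) -> list:
    """Return the reasons this token would fail as a FIC client assertion.
    An empty list means it looks app-only with the right audience (and sub/iss, if given)."""
    claims = decode_claims(jwt)
    problems = []
    delegated = [c for c in ("scp", "upn", "unique_name") if c in claims]
    if delegated:  # any of these marks a user-delegated token, the AADSTS700229 case
        problems.append("user-delegated claims present: " + ", ".join(delegated))
    idtyp = claims.get("idtyp")
    if idtyp is not None and idtyp != "app":
        problems.append(f"idtyp={idtyp!r}, expected 'app'")
    if idtyp != "app" and "roles" not in claims:
        problems.append("neither idtyp=app nor a 'roles' claim: cannot confirm app-only")
    if claims.get("aud") != FIC_AUDIENCE:
        problems.append(f"aud={claims.get('aud')!r}, expected {FIC_AUDIENCE!r}")
    for name, expected in (("sub", expected_subject), ("iss", expected_issuer)):
        if expected is not None and claims.get(name) != expected:
            problems.append(f"{name}={claims.get(name)!r} does not match the FIC's configured {expected!r}")
    return problems

def _sample_jwt(payload: dict) -> str:
    # Constructed, unsigned sample tokens (alg "none") so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed samples with placeholder issuer/subject: delegated, correct app-only, and wrong audience.
ISS, SUB = "https://issuer.example/oidc", "workload:example-pipeline"
DELEGATED_SAMPLE = _sample_jwt({"aud": FIC_AUDIENCE, "iss": ISS, "sub": SUB,
                                "scp": "user_impersonation", "upn": "alice@contoso.example"})
APP_ONLY_SAMPLE = _sample_jwt({"aud": FIC_AUDIENCE, "iss": ISS, "sub": SUB, "idtyp": "app", "roles": ["Deploy"]})
WRONG_AUD_SAMPLE = _sample_jwt({"aud": "https://graph.microsoft.com", "idtyp": "app", "roles": ["Deploy"]})

if __name__ == "__main__":
    for label, tok in (("delegated", DELEGATED_SAMPLE), ("app-only", APP_ONLY_SAMPLE), ("wrong aud", WRONG_AUD_SAMPLE)):
        print(label, "->", check_fic_assertion(tok, expected_subject=SUB) or "OK")
```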

Frequently asked questions

What does AADSTS700229 mean?

ForbiddenTokenType - Only app-only tokens can be used as Federated Identity Credentials for Microsoft Entra issuer. Use an app-only access token (generated during a client credentials flow) instead of

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
