Azure AD App Permissions to use Microsoft.PowerApps.Administration.PowerShell module

Hi,

I have an Azure AD App registered in my tenant that uses certificate based authentication. I can connect to the PowerApps admin endpoint using Add-PowerAppsAccount but I need to delegate the app privileges to do anything meaningful in PowerApps. Where are the permission levels explained and how can these be set in the Azure AD App interface?

FYI - I already have the app successfully configured for SharePoint and MS Graph access 

MT 

 

Paul


I am not aware of this being documented anywhere. Azure app accounts work with Power Automate for service principals, but I'm not aware of what you would need to do to have it administer Power Apps.


Hi @PaulBendall,

If you're using model-driven apps or D365, did you follow the steps in the following example to register the SPN? Also, you'll need to assign a security role to the app user after you create it in CDS to enable it to perform any meaningful actions.

https://docs.microsoft.com/en-us/powerapps/developer/common-data-service/use-single-tenant-server-se...

Hope this helps...

@EricRegnier 

 

That page is looking very useful. I spent the best part of an afternoon trying to work out how PowerApps, CDS, Dynamics and Azure AD relate to one another and how they expose endpoints/API. The app is registered successfully in Azure AD and is already managing config for SharePoint and confirmations using MS Graph. I could see that I could delegate and consent permissions for Dynamics but they looked very limited. The missing element appears to be the non-interactive user creation in Dynamics to bind/bridge the Azure AD app.

 

I'll spend a bit more time on this in a bit and confirm if this is the solution I was hoping for when I posted.

Many thanks to you and @jlindstrom for responding (I have to say, under the hood Power Platform gets very confusing, very quickly because of the CDS and Dynamics inheritance).

Paul

Spent several hours trying to get this to work, following your link and similar articles blogged by others. However, all result in failure. 

Add-PowerAppsAccount -TenantID TenantID -ApplicationID AppID -CertificateThumbprint CertThumb

 

Doesn't return anything, which for PowerShell is normally good. Adding the verbose switch, unfortunately, doesn't give anything useful.


If I supply the wrong AppID then it errors; if I provide the thumbprint of another certificate that isn't aligned with the Azure AD app, it doesn't error either.

As I said previously this AzureAD App registration already works with SharePoint Online and MS Graph. If I run interactively using username and password for a standard O365 user I can pull back environment information with Get-PowerAppEnvironment. Doing the same with app auth and it gives null output.

I did find this potential caveat - https://docs.microsoft.com/en-us/power-platform/admin/powerapps-powershell
"A user with any of these roles, Global admins, Azure Active Directory Global admins, or Dynamics 365 Service administrator, can access the Power Apps admin PowerShell cmdlets. These roles no longer require a Power Apps plan for administrative access to the Power Apps admin PowerShell cmdlets. However, these administrators need to sign in to the Power Apps Admin Center at least once before using the PowerShell cmdlets. If this is not done, the cmdlets will fail with an authorization error"

An AzureAD app can't log in to the Portal. So whilst it appears that Add-PowerAppsAccount supports AzureAD App authentication with underlying certificate-based authentication something is missing in the licensing/access to allow this to work.

Unfortunately, as the PowerShell module is closed source, it is impossible to raise an issue directly with the team to see if this is expected, unexpected, or something that is planned but not working today.

If you know anyone in the module dev team it would be great to get a definitive answer

Paul
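The silent return from Add-PowerAppsAccount described in the post above gives no signal about whether the app is actually authorised. The following script is an added example (not code from the original thread or from Microsoft's module) that checks what can be checked locally before signing in and then proves the session works by querying environments. The tenant ID, application ID and thumbprint are placeholders you supply; the certificate store paths and the use of Get-AdminPowerAppEnvironment as the probe are assumptions.

```powershell
# Added example, not from the original post: connect the Power Apps admin module
# as an Azure AD app with certificate-based auth and verify the session actually
# works rather than trusting the silent return of Add-PowerAppsAccount.
# $TenantId, $AppId and $Thumbprint are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $AppId,
    [Parameter(Mandatory)] [string] $Thumbprint
)

Import-Module Microsoft.PowerApps.Administration.PowerShell -ErrorAction Stop

# 1. Resolve the thumbprint locally. The post notes that a thumbprint for a
#    certificate not registered on the app does not raise an error, so at least
#    confirm the certificate exists, has a private key and has not expired.
#    Store paths are an assumption; adjust if the cert lives elsewhere.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() } |
        Select-Object -First 1
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in CurrentUser\My or LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key, so it cannot sign a client assertion"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
}

# 2. Sign in as the app. A clean return here only means a token was issued;
#    it says nothing about what the app is allowed to do.
Add-PowerAppsAccount -TenantID $TenantId -ApplicationId $AppId `
    -CertificateThumbprint $cert.Thumbprint -ErrorAction Stop

# 3. Prove the session is authorised: an admin caller should see environments.
#    Wrapping in @() turns a null result into an empty array so Count is safe.
$envs = @(Get-AdminPowerAppEnvironment -ErrorAction SilentlyContinue)
if ($envs.Count -eq 0) {
    Write-Warning ("Signed in as app {0} but Get-AdminPowerAppEnvironment returned nothing: " +
                   "a token was issued but the app is not authorised for the admin endpoint.") -f $AppId
} else {
    Write-Host ("App {0} can see {1} environment(s):" -f $AppId, $envs.Count)
    $envs | Select-Object DisplayName, EnvironmentName, EnvironmentType, IsDefault | Format-Table -AutoSize
}
```

Run it as `.\Test-PowerAppsAppAuth.ps1 -TenantId <tenant-guid> -AppId <app-guid> -Thumbprint <hex>`. The local certificate checks catch the cases that the cmdlet itself is silent about; the environment query is what distinguishes "token issued" from "allowed to administer", which is exactly the gap the post describes. If the parameter names differ in your module version, `Get-Command Add-PowerAppsAccount -Syntax` shows the accepted set.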

Model Driven Apps authenticate the user to Active Directory so there is always a relationship here as this defines access.

Additionally Model Driven Apps have "Role Based Entitlement Security" within the DB Instance so you need to assign an app security role to the user.  

 

The biggest reason for confusion is that many applications in the Microsoft stack do not offer the same depth of role-based entitlement configuration and security. Additionally, many apps do not have the same full-blown integration between the model-driven app and Azure Active Directory, so understanding that you have this integrated authentication is helpful.

 

You can also add even more layers with Azure Groups, preventing a subset of users from accessing a subset of environments, and the tools in the CoEStarterKit can help with visually being aware of who has what. 
