Azure AD App Permissions to use Microsoft.PowerApps.Administration.PowerShell module

Hi,

I have an Azure AD App registered in my tenant that uses certificate based authentication. I can connect to the PowerApps admin endpoint using Add-PowerAppsAccount but I need to delegate the app privileges to do anything meaningful in PowerApps. Where are the permission levels explained and how can these be set in the Azure AD App interface?

FYI - I already have the app successfully configured for SharePoint and MS Graph access 

MT 

 

Paul


Re: Azure AD App Permissions to use Microsoft.PowerApps.Administration.PowerShell module

I am not aware of this being documented anywhere. Azure app accounts work with Power Automate for service principals, but I’m not aware of what you would need to do to have it administer Power Apps.


Re: Azure AD App Permissions to use Microsoft.PowerApps.Administration.PowerShell module

Hi @PaulBendall,

If you're using model-driven apps or D365, did you follow the steps from the following example to register the SPN? Also, you'll need to assign a security role to the app user after you create it in CDS to enable it to perform any meaningful actions.

https://docs.microsoft.com/en-us/powerapps/developer/common-data-service/use-single-tenant-server-se...

Hope this helps...


Re: Azure AD App Permissions to use Microsoft.PowerApps.Administration.PowerShell module

@EricRegnier 

 

That page is looking very useful. I spent the best part of an afternoon trying to work out how PowerApps, CDS, Dynamics and Azure AD relate to one another and how they expose endpoints/API. The app is registered successfully in Azure AD and is already managing config for SharePoint and confirmations using MS Graph. I could see that I could delegate and consent permissions for Dynamics but they looked very limited. The missing element appears to be the non-interactive user creation in Dynamics to bind/bridge the Azure AD app.

 

I'll spend a bit more time on this in a bit and confirm if this is the solution I was hoping for when I posted.

Many thanks to you and @jlindstrom for responding (have to say under the hood Power Platform gets very confusing, very quickly because of CDS and Dynamics inheritance).

Paul


Re: Azure AD App Permissions to use Microsoft.PowerApps.Administration.PowerShell module

Spent several hours trying to get this to work, following your link and similar articles blogged by others. However, all result in failure. 

Add-PowerAppsAccount -TenantID TenantID -ApplicationID AppID -CertificateThumbprint CertThumb

 

Doesn't return anything, which for PowerShell is normally good. Adding the verbose switch, unfortunately, doesn't give anything useful.


If I supply the wrong AppID then it errors; if I provide the Certificate Thumbprint to another certificate that isn't aligned with the AzureAD app, it doesn't error either.

As I said previously this AzureAD App registration already works with SharePoint Online and MS Graph. If I run interactively using username and password for a standard O365 user I can pull back environment information with Get-PowerAppEnvironment. Doing the same with app auth and it gives null output.

I did find this potential caveat - https://docs.microsoft.com/en-us/power-platform/admin/powerapps-powershell
"A user with any of these roles, Global admins, Azure Active Directory Global admins, or Dynamics 365 Service administrator, can access the Power Apps admin PowerShell cmdlets. These roles no longer require a Power Apps plan for administrative access to the Power Apps admin PowerShell cmdlets. However, these administrators need to sign in to the Power Apps Admin Center at least once before using the PowerShell cmdlets. If this is not done, the cmdlets will fail with an authorization error"

An AzureAD app can't log in to the Portal. So whilst it appears that Add-PowerAppsAccount supports AzureAD App authentication with underlying certificate-based authentication something is missing in the licensing/access to allow this to work.

Unfortunately, as the PowerShell module is closed then it is impossible to raise an issue directly with the team to see if this is expected, unexpected or something that is planned but not working today.

If you know anyone in the module dev team it would be great to get a definitive answer.

Paul
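
The silent sign-in described in the post above can be turned into an explicit pass/fail check. This is an added example, not part of the original post or of the Microsoft module: `Test-PowerAppsAppAuth` is a hypothetical helper name, and it assumes the certificate sits in the `CurrentUser\My` or `LocalMachine\My` store and that the module is already installed.

```powershell
# Added example: Test-PowerAppsAppAuth is a hypothetical helper, not a module cmdlet.
function Test-PowerAppsAppAuth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $CertificateThumbprint
    )

    # Strip whitespace and invisible characters picked up when copying a thumbprint.
    $thumb = ($CertificateThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) {
        throw "Thumbprint is not 40 hex characters after normalisation."
    }

    # Assumption: the certificate lives in one of the two personal stores.
    $cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $thumb |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate $thumb in CurrentUser\My or LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $thumb has no private key on this machine."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $thumb expired on $($cert.NotAfter)."
    }

    Add-PowerAppsAccount -TenantID $TenantId -ApplicationId $ApplicationId -CertificateThumbprint $thumb

    # The sign-in call printed nothing in the thread, so judge by whether data comes back.
    $environments = @(Get-PowerAppEnvironment)
    if ($environments.Count -eq 0) {
        throw "Sign-in raised no error, but Get-PowerAppEnvironment returned nothing for app $ApplicationId."
    }
    $environments
}
```

A thrown error from the last check reproduces the null-output case from the thread as a visible failure, which is easier to alert on in an unattended job than an empty result.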


Re: Azure AD App Permissions to use Microsoft.PowerApps.Administration.PowerShell module

Model Driven Apps authenticate the user to Active Directory so there is always a relationship here as this defines access.

Additionally Model Driven Apps have "Role Based Entitlement Security" within the DB Instance so you need to assign an app security role to the user.  

 

The biggest reason for confusion is that many applications in the Microsoft stack do not offer the depth of Role Based Entitlement Configuration and Security. Additionally, many apps do not align along the same full-blown integration between the Model Driven App and Azure Active Directory, so understanding that you have this integration authentication is helpful.

 

You can also add even more layers with Azure Groups, preventing a subset of users from accessing a subset of environments, and the tools in the CoEStarterKit can help with visually being aware of who has what. 
