NewcombR
Advocate III

DevOps Power Apps Build Tools - Service Principal and MFA

In attempting to automate source control / build / release tasks, our org recently looked into using DevOps with Power Apps Build Tools.

Wanted to share our experience here to see if anyone else had similar problems.

So far, we’ve only started with the Export/Unpack pipeline for migrating a solution from a dev environment into source control in DevOps.

We had a lot of trouble with the service connection to CDS. When I was attempting to connect with my credentials (sys admin in environment with dynamics service admin role in 365 center), the Export Solution task would always time out in the pipeline.

Our org uses MFA by default on all Office 365 accounts as the rule; it takes a special exception (read: act of God) for non-MFA access. I suspect that the service connection was the issue because it was set up with my credentials (which would prompt MFA).

So, we attempted to change the service connection using a service principal. We created a new app registration in Azure and configured an application user in the target CDS environment that was connected to the app registration. The app user was granted the system customizer role. We then reset the DevOps service connection to use the service principal. No luck - still timeout.

Next, we ended up creating a new Office 365 user in Exchange and our Exchange admin set it to not require MFA. We gave the account a D365/PowerApps/Flow license and when the account synced to the CDS environment, assigned it the system customizer role. I verified the user was set to Read\Write and then logged in as this new user to verify that I didn’t get MFA prompts. Success.

Back in DevOps, we changed the service connection to use this new user account’s credentials and reran the build pipeline. Success.

So, we are now in a space where the following is less than ideal because we had to create a user that consumes licenses.

Is there something that we’re missing on getting a service principal working correctly for the DevOps tasks?

alrez
Community Support

Hi,

Looking through your post here, I am not certain myself. It seems like it should have worked fine before, but MFA is tricky and not something that I work on often. This might be a better question for Microsoft Support. I will include a link below on creating a ticket with them. Otherwise, if any other community members might know, feel free to chime in.

If you would like to create a ticket with Microsoft Customer Support, here is a link on how to do so: https://docs.microsoft.com/en-us/power-platform/admin/get-help-support

Regards,

Alex

-------

Community Support Team _ Alex Rezac
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Anonymous
Not applicable

I'm not sure if you're still having a problem with this, but I had to set up a service principal connection for our DevOps to run yesterday. I was able to get it working, so I thought I would share with you what I did.

In the service connections for DevOps, there's now an option for Power Platform (previously we had to use the generic connection), and this is what I used. I set up the App registration in Azure, and the application user in CDS. It sounds like you had that part sorted, so that's good.

When I created the pipeline, I had to check the box for 'allows scripts to access the OAuth token'; previously it just kept failing to export the solution. I'm not sure if you have checked that box, but it's worth checking.

I also had a small problem with finding my connection, because I didn't see the very greyed-out-looking radio buttons to switch between user name/password and service principal.

The next issue I encountered was permissions. This is still a slight issue; I've ended up giving my app user the system admin role because I couldn't figure out the right combination of permissions...it's not ideal, and actually what I was searching the forum for when I found your post. Have you checked the permissions for your application user?

I'm no expert in this, it's literally my first pipeline, but these are the things that I encountered and thought it might help you.
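
Added example (not part of either post and not taken from the posters' pipelines): the Export/Unpack pipeline discussed in this thread, written as Azure Pipelines YAML that authenticates through a Power Platform service connection of the service principal type rather than a user account. The connection name, solution name, folder layout and the `@0` task major version are assumptions; substitute the values and version installed in your organization.

```yaml
# Added example. All names marked "placeholder" are assumptions, not values from the thread.
trigger: none                      # run manually while testing the connection

pool:
  vmImage: 'windows-latest'

steps:
# Keep the job's OAuth token in the git config so a later step can commit the
# unpacked solution. In a classic pipeline the related setting is the
# "Allow scripts to access the OAuth token" checkbox mentioned above.
- checkout: self
  persistCredentials: true

- task: PowerPlatformToolInstaller@0
  displayName: 'Install Power Platform Build Tools'

# Cheap connectivity check: fails quickly if the app registration, its secret,
# or the application user in the environment is misconfigured, instead of
# waiting for the export task to time out.
- task: PowerPlatformWhoAmi@0
  displayName: 'Verify the service principal can reach the environment'
  inputs:
    authenticationType: 'PowerPlatformSPN'      # service principal, no interactive MFA prompt
    PowerPlatformSPN: 'dev-environment-spn'     # placeholder service connection name

- task: PowerPlatformExportSolution@0
  displayName: 'Export solution from dev'
  inputs:
    authenticationType: 'PowerPlatformSPN'
    PowerPlatformSPN: 'dev-environment-spn'     # placeholder
    SolutionName: 'ContosoSample'               # placeholder
    SolutionOutputFile: '$(Build.ArtifactStagingDirectory)\ContosoSample.zip'

- task: PowerPlatformUnpackSolution@0
  displayName: 'Unpack solution into the repo working tree'
  inputs:
    SolutionInputFile: '$(Build.ArtifactStagingDirectory)\ContosoSample.zip'
    SolutionTargetFolder: '$(Build.SourcesDirectory)\solutions\ContosoSample'  # placeholder path
```

If the WhoAmI step succeeds but the export step fails, the cause is more likely the security role assigned to the application user than the connection itself.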
