NoudFrints
Frequent Visitor

PowerApps Admin Role assignment using service principal is not working

Hi all,

I am deploying a PowerApps application using a DevOps pipeline, which is all working great.
However, after deployment, the service principal becomes the owner of the application, which means nobody can access it.
When trying to update the permissions using the PowerShell cmdlet Set-AdminPowerAppRoleAssignment with my own email and password, this works just fine, but when trying it using a service principal, I get the following error:

'The service principal with id 'xxx-xxx-xxx' for application xxx-xxx-xxx does not have permission to access the path 'https://europe.api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/service/environm...' in tenant xxxx-xxx-xxx-xxx.'

I have granted the service principal basic user and system administrator rights in the environment settings, I have added the Dynamics CRM user impersonation and PowerApps runtime user impersonation rights in Azure, but it still does not work.

 

Am I missing something? If someone could help me out, that would be much appreciated 😄

byrnep
Helper III

I'm in the same boat.


My thinking is that the issue is that only AD users can be licensed; SPs cannot be licensed.

I'm trying to find out how to assign an AD user when the pipeline imports the solutions so the flows/apps are owned by a real AD account. The service principal approach is fine to authenticate between ADO and Power Platform; however, Power Platform Apps/Flows don't run unless the users calling them are licensed. Specifically, Power Apps. Flows don't seem affected, but they run independently. This is my understanding anyways...

The other option might be to create an AD "service account", license it, no MFA, no password policy, and use it as the connector authentication. Odds are this AD account will then be assigned as the owner, and with it being a full AD licensed account I would think that access would be the same as if a 'regular' person created the app.


Note SP's are the recommended approach for Pipelines, and yet... they are the road that leads to nowhereville...

https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools#configure-service-connections...

Closest thing I can find, and haven't tried yet, is from this fellow. Dylan Berry where are you now! 🙂

https://github.com/dylanberry/PowerPlatformDevops/tree/main/scripts
