Granting Azure Application User access to PowerApps API
I have created a single tenant application and assigned it as application user with System Administrator permissions to access one of my Dynamics environments, however I would also like to grant this application permissions to access PowerApps API (https://api.bap.microsoft.com), I couldn't find any informative article to answer what I'm trying to achieve here, and couldn't find a way to add the application user as admin for the PowerApps panel
To be specific I'm trying to perform the following API call using application user OAuth2 token
https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/lifecycleOperations?api-version=2021-04-01.
Response I get:
{ "error": { "code": "Forbidden", "message": "The service principal with id 'bd0000a6-2600-4e10-8d71-6d35e900000c' for application 5a00de00-79af-4400-b003-a3a136b94db9 does not have permission to access the path 'https://10.0.5.63:20062/providers/Microsoft.BusinessAppPlatform/lifecycleOperations?api-version=2021-04-01' in tenant e6000e48-bd54-413e-b005-df000000bd2c." } }
Azure AD application permissions didn't have anything for PowerApps API access (application user) to help me gain this access.
How can I provide access to my application user?
EDIT: I obtained the access token using MSAL Python library, which the very same auth method works fine with my dynamics env URL..
AUTHORITY = f'https://login.microsoftonline.com/{TENANT_ID}'
SCOPES = ['https://api.bap.microsoft.com/.default']
app = ConfidentialClientApplication(
client_id=CLIENT_ID,
authority=AUTHORITY,
client_credential=CLIENT_SECRET,
)
token_response = app.acquire_token_for_client(scopes=SCOPES)
Permissions(I didn't find anything for application permissions for PA):
As I do not have any lifecycle Operations, I tried the sample query to access PowerApps API and got the same error as you:
https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/myenv?api-version=2020-10-01&$select=properties/lifecycleOperationsEnforcement
The service principal with id 'xxx' for application xxx does not have permission to access the path 'https://10.0.5.63:20062/providers/Microsoft.BusinessAppPlatform/lifecycleOperations?api-version=2021-04-01' in tenant xxx
The error usually occurs if the Azure AD application doesn't have sufficient permissions to perform the action.
To resolve the error, you have to register the client application ID with Microsoft Power Platform to access the PowerApps using Client Credential flow.
Register an admin management application(Using PowerPlatform admin user):
PUT https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/adminApplications/ClientID?api-version=2020-10-01
Now I generated the access token using below parameters via Postman:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://api.bap.microsoft.com/.default
grant_type:client_credentials
Now when for sample I tried to access the PowerApps API and its successful like below:
https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/myenv?api-version=2020-10-01&$select=properties/lifecycleOperationsEnforcement
You can generate the access token after registering the application as admin management application and pass https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/lifecycleOperations?api-version=2021-04-01 to access the PowerApps API.
References:
https://learn.microsoft.com/en-us/power-platform/admin/powerplatform-api-create-service-principal
Programmability and Extensibility - Authentication - Power Platform | Microsoft
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs