Authenticate Dataverse connector using Service Principal in a Power Automate Flow

Many times, users/admins are not comfortable using their credentials being used as Connections. Some connectors do provide the ability to authenticate using Service Principal.

Let’s jump into this! 

Setting Up App Registration for Dynamics 365 CRM

Here’s how you setup an App Service to be used as a Service Principal for Dataverse connector in Power Automate –

1. Go to the Azure Portal (https://portal.azure.com/) and the look for Azure Active Directory.
   
   
2. In Azure Active Directory, look for App Registrations in the menu.
   
   
3. Now, create a + New registration record.
   
   
4. Now, give this App Registration a suitable name. And you can select your preferences on how the tenant type should be. I’ve left it to Single tenant or simplicity of the example.
   
   
5. Now, once this is created, go to the API Permissions section.
   
   
6. Now, look for a button to Add a permission.
   
   
7. Then, select Dynamics CRM and select it.
   
   
8. Once this is selected, you’ll get to select user_impersonation. Then, clicked Add permissions.
   
9. Once added, you’ll see that the Status column is blank. Then, click on Grant admin consent for <TenantName>.
   
   
10. Once you click on Grant admin consent button, you’ll be asked for confirmation. Confirm the same.
    
    
11. Once you confirm, you’ll see the status as Granted as shown below.
    
    
12. Then, go to Certificates and secrets. Once in that, click on + New client secret.
    
    
13. You’ll be asked the the Description, do so and Save it.
    
    
14. Now, you need to copy the value onto Notepad.
    
    
15. Now, let’s move to adding this App Registration to the Power Platform Admin Center so that you can then give appropriate permissions so that it can be used for Authentication into Dataverse.
    
    

Add Application User in Power Platform Admin Center

Go to the Power Platform Admin Center (https://admin.powerplatform.microsoft.com/) and the to the Environments section and select the correct Dataverse environment –

1. Select the environment which will have your Flow that will use the Dataverse connection in question.
   And click Settings.
   
   
2. Now, expand Users + permissions section and look for Application Users.
   
   
3. Now, in Application Users, you’ll need to add the App Registration as a User and give Roles. Now, click on + New app user.
   
   
4. Now, click on + Add an app.
   
   
5. Now, any App Registration that has not yet been created in the current environment as user will automatically appear. Select the one you created – “Dataverse Service Principal” in this case and click on Add.
   
   
6. Now, select the BU.
   
   
7. Next, click on Security Roles’ pencil to give roles.
   
   
8. I’m just giving System Administrator for simplicity of example.
   
   
9. Now, you should be good to create this user. Click on Create.
   
   
10. Finally, your Application Record will look like this –
    
    
11. Now that your Application User is set in Dynamics / Power Platform Admin Center, you are all set to add this to authenticate the Dataverse Connector in Power Automate. Let’s do that!
    

Advertisements

REPORT THIS AD

Authenticating using Service Principle in Dataverse action

Now, let’s say you are starting a Flow with the Dataverse connector –

1. Select the Dataverse trigger you want to use. I’ll pick a common one.
   
   
2. Now, click on the three dots and look to add a new Connection if it already authenticated using the logged in user which is the default behavior.
   
   
3. Now, you’ll see the option to select –
   
   
4. Now, you’ll see these fields to fill in.
   
   
5. Now, first give the connection itself a suitable name.
   
   
6. Now, for Client ID – Go to the App Registration in Azure and look for the Client ID in the information section. It’ll look like this –
   
   
   Paste it in the Client ID field and it’ll look like this –
   
   
7. Now, look for Client Secret – open the Notepad where you saved the Secret we copied while creating the Client Secret record in Azure.
   
   
8. Now, finally – Go to the App Registration record and you’ll find the Tenant ID here –
   
   
   And paste is where it says Tenant. Now, Create this connection!
   
9. Ensure that the Connection is selected.
   
   
10. I’ll just add an extra variable in order to save this simple Flow and then we’ll create an Account (simple example if you see the screenshot below) in order to Run this Flow.
    My Flow looks ready to be tested.
    
    
11. Now, I’ll create an Account in my Dynamics 365 CRM.
    
    
12. And the Flow would have Run already.
    
    

Validate

In order to ensure the connection is run by the Service Principal itself, you can do this –

1. In advanced options, you can choose to “Run as” as “Flow owner“
   
   
   
2. And when you check the details in the Flow Run, you can check the attribute in the trigger “RunAsSystemUserId“
   
   
3. And if you check this GUID, it belongs to the Dataverse Service Principal user we set up.
   
   
   And that’s how you can setup to run the Dataverse action to use Service Principal instead of user credentials!