This guide explains how to set up a Service Principal (App Registration) to programmatically create security roles in Power Platform using the Create-DeveloperSecurityRole.ps1 script.
Prerequisites
- Azure AD Global Administrator or Application Administrator role
- Power Platform Administrator role
- Access to Azure Portal and Power Platform Admin Center
Navigate to Azure Portal
- Go to Azure Portal
- Navigate to Azure Active Directory > App registrations
Create New Registration
- Click "New registration"
- Name: PowerPlatform-SecurityRole-Creator
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Leave blank
- Click "Register"
Copy Important Values
- Copy the Application (client) ID
- Copy the Directory (tenant) ID
- You'll need these for the script
Navigate to Certificates & Secrets
- In your app registration, go to "Certificates & secrets"
- Click "New client secret"
Configure Secret
- Description: Dataverse API Access
- Expires: Choose an appropriate duration (12-24 months recommended)
- Click "Add"
Copy Secret Value
- IMPORTANT: Copy the secret Value immediately
- You won't be able to see it again after leaving this page
- Store it securely (consider using Azure Key Vault)
Add Dynamics CRM Permission
- Go to "API permissions"
- Click "Add a permission"
- Select "Dynamics CRM"
- Choose "Delegated permissions"
- Check "user_impersonation"
- Click "Add permissions"
Grant Admin Consent
- Click "Grant admin consent for [Your Organization]"
- Click "Yes" to confirm
- Verify the status shows green checkmarks
Navigate to Power Platform Admin Center
- Go to Power Platform Admin Center
- Navigate to your target environment
Add Application User
- Go to Settings > Users + permissions > Application users
- Click "New app user"
Configure Application User
- App: Select your app registration (PowerPlatform-SecurityRole-Creator)
- Business unit: Select the root business unit
- Security roles: Assign the "System Administrator" role
- Click "Create"
Once setup is complete, run the script with Service Principal authentication:
```powershell
.\Create-DeveloperSecurityRole.ps1 -UseServicePrincipal `
    -TenantId "your-tenant-id" `
    -ClientId "your-app-registration-client-id" `
    -ClientSecret "your-client-secret" `
    -EnvironmentId "your-environment-id"
```

Parameters:
- TenantId: Directory (tenant) ID from Step 1
- ClientId: Application (client) ID from Step 1
- ClientSecret: Secret value from Step 2
- EnvironmentId: Power Platform environment ID
- Store secrets in Azure Key Vault or similar secure storage
- Use environment variables instead of hardcoding secrets
- Rotate secrets regularly based on your organization's policy
- The Service Principal gets System Administrator role for API access
- This is required for creating security roles via Dataverse API
- Consider creating a custom role with minimal required permissions
- Monitor the Service Principal usage in Azure AD audit logs
- Set up alerts for unusual activity
- Review and audit permissions regularly
401 Unauthorized
- Verify the Service Principal has System Administrator role in the environment
- Check that admin consent was granted for API permissions
- Ensure client secret hasn't expired
403 Forbidden
- Service Principal may not have sufficient privileges
- Verify the app user was created correctly in Power Platform
- Check that the correct security role is assigned
Token Acquisition Failed
- Verify TenantId, ClientId, and ClientSecret are correct
- Check that the app registration is in the correct Azure AD tenant
- Ensure client secret is not expired
Check App Registration

```powershell
# Verify the app registration exists
Get-AzADApplication -DisplayName "PowerPlatform-SecurityRole-Creator"
```

Test Token Acquisition

```powershell
# Test whether a token can be obtained from this endpoint
$tokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
# Use your actual values to test
```

Verify Environment Access
- Check that the environment ID is correct
- Ensure the Service Principal is listed in Application users
- Verify System Administrator role is assigned
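As an added example (not part of the Create-DeveloperSecurityRole.ps1 script or of this guide), the following PowerShell function runs the token and environment checks from this troubleshooting section end to end: it acquires a client-credentials token, calls Dataverse WhoAmI, and lists the roles assigned to the application user. It assumes the secrets are supplied through environment variables named PP_* and that $EnvironmentUrl is the Dataverse organization URL (for example https://yourorg.crm.dynamics.com), which is distinct from the environment ID passed to the script.

```powershell
function Test-DataverseServicePrincipal {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $EnvironmentUrl   # assumed: https://yourorg.crm.dynamics.com
    )

    # 1. Client-credentials token for the Dataverse resource. The .default scope
    #    uses whatever was granted under "Grant admin consent".
    $tokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body = @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "$EnvironmentUrl/.default"
    }
    try {
        $token = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body `
            -ContentType "application/x-www-form-urlencoded"
    } catch {
        # A wrong TenantId/ClientId or an expired secret fails here ("Token Acquisition Failed").
        throw "Token acquisition failed: $($_.ErrorDetails.Message)"
    }

    # 2. WhoAmI succeeds only if the application user exists in this environment.
    #    A 401 here points at the app user or consent; a 403 at the assigned security role.
    $headers = @{ Authorization = "Bearer $($token.access_token)"; "OData-Version" = "4.0" }
    $who = Invoke-RestMethod -Method Get -Uri "$EnvironmentUrl/api/data/v9.2/WhoAmI" -Headers $headers

    # 3. List the roles assigned to that app user and check for System Administrator.
    $rolesUri = "$EnvironmentUrl/api/data/v9.2/systemusers($($who.UserId))/systemuserroles_association?`$select=name"
    $roles = @((Invoke-RestMethod -Method Get -Uri $rolesUri -Headers $headers).value.name)

    [pscustomobject]@{
        UserId       = $who.UserId
        BusinessUnit = $who.BusinessUnitId
        Roles        = $roles
        HasSysAdmin  = ($roles -contains "System Administrator")
        TokenExpires = (Get-Date).AddSeconds([int]$token.expires_in)
    }
}

# Secrets are read from environment variables (assumed names) rather than hardcoded.
Test-DataverseServicePrincipal -TenantId $env:PP_TENANT_ID -ClientId $env:PP_CLIENT_ID `
    -ClientSecret $env:PP_CLIENT_SECRET -EnvironmentUrl $env:PP_ENVIRONMENT_URL
```

If HasSysAdmin is false while WhoAmI succeeded, the application user exists but the role assignment in Step 4 was not applied to it.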
If Service Principal setup is complex for your organization, consider:
- Manual Role Creation: Use the script's manual fallback instructions
- PowerShell with User Auth: Run script with interactive user authentication
- Azure DevOps Service Connections: For CI/CD scenarios
- The System Administrator role grants broad permissions
- Consider using this Service Principal only for role creation tasks
- Implement proper access controls and monitoring
- Follow your organization's identity governance policies
The script creates a role with these permissions:
- Canvas App creation and management
- Model-driven App creation and management
- Power Automate Flow creation and management
- Copilot Studio Agent and Chatbot creation
- AI Builder Model creation and usage
- Read/Write access to existing tables (Account, Contact, etc.)
- Solution packaging capabilities
The role explicitly excludes these permissions:
- Custom table creation
- Field/column creation
- Relationship modification
- System-level customizations
- Metadata modification
- Service Principal Authentication: For automation and CI/CD
- User Authentication: For interactive use
- Comprehensive error messages
- Fallback to manual creation steps
- Service Principal troubleshooting guidance
- Token acquisition error handling
Next Steps: After successful setup, you can programmatically create security roles using the enhanced script with Service Principal authentication.