Thursday, November 21, 2024
Provisioning D365FO Unified Development Environment Using Service Principal
Introduction
Before the introduction of One Dynamics One Platform and the Unified Developer Experience, Dynamics 365 for Finance and Operations development environments were provisioned as Azure Virtual Machines from Lifecycle Services (LCS). In the future, LCS will be deprecated, and all development environments will be Unified Developer Environments (UDEs).
New UDEs are provisioned and administered from the Power Platform Admin Center instead of LCS. UDEs can also be provisioned using PowerShell scripts. In this guide, I will outline the steps for provisioning a UDE using service principal authentication. An interesting point to consider is which user is assigned the System Administrator role in the FO app when the environment is provisioned using a service principal.
Prerequisites for UDE Provisioning Using a Service Principal
- Azure App Registration in Entra ID
- Microsoft.PowerApps.Administration.PowerShell PowerShell Module
- Power Platform Admin Account for registering the App registration with Power Platform
Steps for Provisioning the Environment
Create an Azure App Registration and Generate a Secret for It
Register the App with Power Platform
To register an app with Power Platform, first authenticate with an admin account using Add-PowerAppsAccount. After authenticating, register the app registration with the following PowerShell script:
$appId = "CLIENT_ID_FROM_AZURE_APP"
$tenantId = "TENANT_ID_FROM_AZURE_APP"
# Login interactively with a tenant administrator for Power Platform
Add-PowerAppsAccount -Endpoint prod -TenantID $tenantId
# Register a new application, this gives the SPN / client application
# same permissions as a tenant admin
New-PowerAppManagementApp -ApplicationId $appId
Authenticate Using the App Registration
After the app registration has been registered with Power Platform, you can authenticate using the appId instead of an admin user. Use the following script to authenticate with the app registration and test the connection:
$appId = "CLIENT_ID_FROM_AZURE_APP"
$secret = "SECRET_FROM_AZURE_APP"
$tenantId = "TENANT_ID_FROM_AZURE_APP"
Add-PowerAppsAccount `
    -Endpoint prod `
    -TenantID $tenantId `
    -ApplicationId $appId `
    -ClientSecret $secret `
    -Verbose
Get-AdminPowerAppEnvironment
Provision the UDE
Now that you have authenticated to Power Platform using the app registration, you can use the New-AdminPowerAppEnvironment cmdlet to provision your UDE with the parameters that suit your needs.
Provision a UDE with the Finance Template in the Europe Region
The following script provisions a UDE with the Finance template in the Europe region. To get a list of all available regions and templates, refer to the official Microsoft documentation provided at the end of this guide.
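$environmentDisplayName = 'ENVIRONMENT_NAME_HERE'
$locationName = 'Europe'
# Install the administration module if it is not already present
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
# Authenticate as the service principal, reusing $tenantId, $appId and $secret
# from the previous step; a bare "Add-PowerAppsAccount -Endpoint prod" would
# prompt for an interactive user login instead
Add-PowerAppsAccount -Endpoint prod -TenantID $tenantId -ApplicationId $appId -ClientSecret $secret
# Post-provisioning package that installs the Finance and Operations app
# with developer tools enabled and without demo data
$templateMetadata = @{
    PostProvisioningPackages = @(
        @{
            applicationUniqueName = "msdyn_FinanceAndOperationsProvisioningAppAnchor"
            parameters = "DevToolsEnabled=true|DemoDataEnabled=false"
        }
    )
}
# Start provisioning and return immediately instead of waiting for completion
New-AdminPowerAppEnvironment `
    -DisplayName "$environmentDisplayName" `
    -EnvironmentSku Sandbox `
    -Templates "D365_FinOps_Finance" `
    -TemplateMetadata $templateMetadata `
    -LocationName "$locationName" `
    -ProvisionDatabase `
    -WaitUntilFinished $false `
    -TimeoutInMinutes 360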
Verify Provisioning
The new environment should now be provisioning in the Power Platform Admin Center with the name provided in the previous script.
Things to consider
The most interesting part when provisioning a UDE using a service principal is which user is assigned the System Administrator role in the FO app. When provisioning a UDE and authenticating with a Power Platform admin account, that admin account gets the System Administrator role in FO.
The App ID from the Azure App registration cannot be directly assigned roles in FO. In my case an admin account from our Entra ID got assigned the System Administrator role.
There is not yet official documentation for this scenario, but it is presumed that the admin account receives the System Administrator role in FO based on its Entra ID roles, such as Application Admin and Global Admin.
The "Created by" field in the Power Platform Admin Center (PPAC) displays an ID instead of a username, which corresponds to the app registration's Enterprise Application object ID in Azure.
D365FO UDE Details in PPAC
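An added example, not part of the original post: it authenticates as the service principal without writing the secret into the script, then lists the environments whose creator is that service principal. The environment variable names, the `$spObjectId` placeholder and the `CreatedBy.id` property on the returned objects are assumptions.

```powershell
# Added example, not from the original post.
# Assumption: tenant ID, client ID and secret are supplied through these
# hypothetical environment variables (for example by a pipeline secret store)
# instead of being hard-coded in the script.
$required = 'PP_TENANT_ID', 'PP_CLIENT_ID', 'PP_CLIENT_SECRET'
foreach ($name in $required) {
    if (-not [Environment]::GetEnvironmentVariable($name)) {
        throw "Environment variable $name is not set."
    }
}

$tenantId = $env:PP_TENANT_ID
$appId    = $env:PP_CLIENT_ID
$secret   = $env:PP_CLIENT_SECRET

# Placeholder: object ID of the app registration's Enterprise Application,
# the ID that PPAC shows in the "Created by" field.
$spObjectId = 'ENTERPRISE_APP_OBJECT_ID'

Add-PowerAppsAccount `
    -Endpoint prod `
    -TenantID $tenantId `
    -ApplicationId $appId `
    -ClientSecret $secret

# Assumption: each environment object exposes CreatedBy.id holding the
# creator's object ID.
$createdBySp = Get-AdminPowerAppEnvironment |
    Where-Object { $_.CreatedBy.id -eq $spObjectId } |
    Select-Object DisplayName, EnvironmentName, EnvironmentType, CreatedTime,
        @{ Name = 'CreatedById'; Expression = { $_.CreatedBy.id } }

if (-not $createdBySp) {
    Write-Warning "No environments found with creator $spObjectId."
}
else {
    # Review this list periodically: the service principal holds the same
    # permissions as a tenant admin, so unexpected entries deserve a look.
    $createdBySp | Sort-Object CreatedTime | Format-Table -AutoSize
}
```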
You can check the Power Platform environment's system admin from the PPAC by navigating to the environment page and clicking the "Membership" button on the top bar.
The users listed under "Membership" likely have the System Administrator role in FO. To confirm the FO System Administrator, use the UDE's SQL Just-In-Time (JIT) feature and query the userinfo table.
Conclusion
Currently, it is not possible to change the FO admin of a UDE directly from the Power Platform Admin Center. This feature would be beneficial when provisioning UDEs with an app registration.
Although the Unified Development Environment is generally available (GA), some features and official documentation are still pending.