
Azure and Power Platform — application registration

This guide explains how to register an application in Microsoft Entra ID, create a client secret, and link the app to Power Platform with appropriate roles so integrations can use secure, read-only API access to your Microsoft cloud and Dataverse environments.


1. Register an application in Azure

Follow Microsoft’s guide: Register an application in Microsoft Entra ID.

Summary of steps:

  1. Open the Azure Portal.
  2. Search for App registrations.
  3. Click New registration.
  4. Provide:
    • Name — e.g., Trust3-Integration (choose a name that matches your organization’s naming policy)
    • Supported account types — Single tenant (recommended for most organizations)
  5. Click Register.

Record the Application (client) ID and Directory (tenant) ID from the app overview. You will map them to configuration such as AZURE_CLIENT_ID and AZURE_TENANT_ID in your environment or secret store.


2. Create a client secret

  1. Open the registered application.
  2. Go to Manage -> Certificates & secrets.
  3. Click New client secret.
  4. Add a description and expiry, then create the secret.
  5. Copy and store the secret value immediately; it is shown only once.

Typical mapping:

| Portal label | Typical configuration name |
| --- | --- |
| Application (client) ID | AZURE_CLIENT_ID |
| Directory (tenant) ID | AZURE_TENANT_ID |
| Client secret value | AZURE_CLIENT_SECRET |

Protect secrets

Store AZURE_CLIENT_SECRET in a secret manager or restricted configuration. Do not commit secrets to source control.
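
An added example (not part of the original guide and not vendor code): a Python preflight that reads the three values from the mapping above, rejects the common mistake of storing the portal's Secret ID instead of the secret Value, and builds the client-credentials token request with a log-safe redacted copy. The environment URL `https://example.crm.dynamics.com`, the sample GUIDs and the helper names are constructed for illustration.

```python
import json
import os
import re
import urllib.parse
import urllib.request

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
KEYS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")

def load_config(env=os.environ):
    """Read the three values and reject common mistakes; never echoes the secret."""
    cfg = {k: env.get(k, "").strip() for k in KEYS}
    problems = [f"{k} is missing or not a GUID" for k in KEYS[:2] if not GUID.match(cfg[k])]
    if not cfg["AZURE_CLIENT_SECRET"]:
        problems.append("AZURE_CLIENT_SECRET is missing")
    elif GUID.match(cfg["AZURE_CLIENT_SECRET"]):
        # Heuristic: the portal lists a GUID "Secret ID" beside the one-time "Value".
        problems.append("AZURE_CLIENT_SECRET looks like the Secret ID, not the Value")
    if problems:
        raise ValueError("; ".join(problems))
    return cfg

def build_token_request(cfg, resource_url):
    """Client-credentials request for the Entra ID v2.0 token endpoint (not sent)."""
    url = f"https://login.microsoftonline.com/{cfg['AZURE_TENANT_ID']}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": cfg["AZURE_CLIENT_ID"],
        "client_secret": cfg["AZURE_CLIENT_SECRET"],
        "scope": resource_url.rstrip("/") + "/.default",  # app permissions on that resource
    }
    return url, form

def redact(form):
    """Copy of the form that is safe to write to logs."""
    return {k: ("***" if k == "client_secret" else v) for k, v in form.items()}

def fetch_token(url, form):
    """POST the request and return the access token; needs network access."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=30) as r:
        return json.load(r)["access_token"]

if __name__ == "__main__":
    # Constructed sample values, not real identifiers or credentials.
    sample = dict(zip(KEYS, ("11111111-1111-1111-1111-111111111111",
                             "22222222-2222-2222-2222-222222222222", "constructed~value")))
    url, form = build_token_request(load_config(sample), "https://example.crm.dynamics.com")
    print(url, redact(form))
```

In a real deployment, call `load_config()` with no argument so the values come from the process environment populated by your secret manager.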


3. Add the app as a user in Power Platform

  1. Open the Power Platform admin center.
  2. Go to Manage -> Environments and select your target environment.
  3. Navigate to Settings -> Users + permissions -> Application users.
  4. Click + New app user.
  5. Click + Add an app.
  6. Select the registered application from step 1, then click Add.
  7. Select the Business unit that matches your environment name.
  8. Edit Security roles and select Service Reader.
  9. Click Add, then Create.

This links the Entra ID application to the environment so APIs can act in a controlled, non-interactive way.

Avoid assigning System Administrator when Service Reader (or a narrower custom role) is enough — it is over-privileged for typical read-only use.


5. Troubleshooting access issues

Ensure environment membership

If you see permission or “access denied” style errors:

  1. In the same environment, go to Settings -> Users + permissions -> Users.
  2. Use Add user so the relevant human operator or service principal context matches your organization’s policies.
  3. Confirm the application user from step 3 is still present and licensed according to your tenant rules.

Wait for permission propagation

After role or membership changes, allow 5–10 minutes before retrying API calls or integration steps.


Summary

| Do | Don’t |
| --- | --- |
| Use Service Reader (or similar least-privilege reader) when it meets your integration needs | Use System Administrator unless you have a clear requirement |
| Store secrets securely and rotate on schedule | Commit secrets to Git |
| Wait for IAM and Power Platform propagation after changes | Assume permissions apply instantly |