Part 3: Prerequisites and Entra ID App Registration

This article walks you through setting up the service principal that powers automated CI/CD for Dynamics 365 Finance and Operations using PPAC APIs and Azure DevOps.

By the end of this article, you’ll have a service principal that can manage Power Platform environments and deploy packages – the foundation everything else builds on. For this article, we can think of the SPN as a robot account—this process builds its ID card (app registration), password (secret), and workspace permissions (F&O access). Also, when working with secret, never commit them to source control of any sort. This is a mistake you will make, if you haven’t already, but once its stored in plane text somewhere, you’ll have to rotate the secret to a new value. Additionally, automatic rotation of secrets is highly advised. We won’t have the in our solution, but it’s worth learning more on how to do that.

What You Need Before Starting

• Azure DevOps organization and project (any tier/type)
• D365 F&O environments managed in Power Platform Admin Center (PPAC) – licensing for F&O (Finance, Supply Chain, Commerce, or HR) is the absolute minimum to create environments)
• Entra ID – permission to register applications (Application Developer role or higher)
• Power Platform – admin access (Power Platform Administrator or Global Administrator)

Step 1: Register an Entra ID Application

1. Log into the Azure Portal: https://portal.azure.com/
2. Go to Entra ID > App registrations
3. Click New registration
4. Fill in:
   • Name: D365-FO-Pipeline-SPN (or your preferred name)
   • Supported account types: Single tenant
   • Redirect URI: Leave blank
5. Click Register
6. On the overview page, note for later:
   • Application (client) ID – you’ll need this repeatedly
   • Directory (tenant) ID – same

Step 2: Create a Client Secret

1. In your app registration, go to Certificates & secrets
2. Click New client secret
3. Set:
   • Description: Pipeline auth
   • Expiration: 12 months (or per your rotation policy)
4. Click Add
5. Copy the secret value immediately – it disappears after you leave this page

You now have three values. Keep them secure:

Step 3: Register as a Power Platform Management Application

This is the step Microsoft doesn’t make obvious. Entra directory roles like  “Power Platform Administrator” do not grant access to the PPAC admin APIs. You must explicitly register your app as a management application. If you don’t do this, you will get a lot of “access denied” errors as though authorization has failed when it has not. 

Option A: PowerShell (Recommended)

An admin must run this interactively – the SPN cannot register itself:

Install-Module Microsoft.PowerApps.Administration.PowerShell -Force
Add-PowerAppsAccount   # interactive login as a Power Platform admin
New-PowerAppManagementApp -ApplicationId "<your-application-id>"

Option B: REST API

PUT https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/adminApplications/{CLIENT_ID}?api-version=2020-10-01
Authorization: Bearer <admin-user-token>

The bearer token must come from an admin user’s interactive login – client credentials flow will not work for this call.

Important: This registration is a one-time operation per tenant. Once registered, the SPN can manage all environments in the tenant.

Step 4: Register as an F&O Application User

For pipelines that call F&O APIs directly (DMF entity refresh, OData smoke tests),
the SPN must also be registered inside each F&O environment.

1. Open the target F&O environment (e.g., https://myenv.operations.dynamics.com)
2. Navigate to System administration > Setup > Microsoft Entra applications
3. Click New
4. Fill in:
   • Client ID: Paste the Application (client) ID from Step 1
   • Name: Pipeline SPN
   • User ID: Select or create a service account user with appropriate security roles. I recommend creating a management user in FO in FO for automations so we can extend automations further in the future, such as data imports, feature state management, configuring dual write, etc, via automation.
5. Save

Repeat this for each F&O environment where the SPN needs OData access (typically all of them).

What You’ve Accomplished

• Registered an Entra ID application
• Created a client secret for pipeline authentication
• Registered the app with Power Platform (PPAC admin API access)
• Registered the app as an F&O application user (OData API access)