Configure delegated deployment with a service principal
If you decide to use a service principal for delegated deployments, you must configure an enterprise application for each environment that's involved in a pipeline before you can use the service principal in a pipeline deployment.
Add the enterprise application to environments
You need to add the enterprise application as a server-to-server (S2S) user in your pipeline's host environment and in each target environment that it deploys to.
In the Power Platform admin center, follow these steps for the host and each target environment:
Select the environment.
Select S2S apps.
Select New app user.
Select Add an app.
Select the enterprise application that you created.
Select Add.
Select the root business unit.
Select the Deployment Pipeline Administrator security role for the host environment and the System Administrator security role for the target environment(s).
Select Save.
Select Save.
Select Create.
The System Administrator role is required because security roles with lower permissions can't deploy plug-ins and other code components.
For more information about creating S2S application users, see Create users.
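The same role assignments can be scripted so they are repeatable and reviewable. The following is an added example, not part of the original article or Microsoft's own tooling scripts: it assumes the Power Platform CLI (pac) is installed and already authenticated with pac auth create, and every ID in it is a placeholder.

```powershell
# Added example. Assumes `pac` is on PATH and `pac auth create` was already run
# by an account that administers every environment listed here.
$ErrorActionPreference = 'Stop'

# Placeholder: application (client) ID of the enterprise application.
$AppId = '00000000-0000-0000-0000-000000000001'

# One entry per environment, with the role the steps above call for.
# Environment IDs are placeholders; replace them with your own.
$Assignments = @(
    @{ Env = '00000000-0000-0000-0000-0000000000a0'; Role = 'Deployment Pipeline Administrator' }  # host
    @{ Env = '00000000-0000-0000-0000-0000000000b1'; Role = 'System Administrator' }               # target 1
    @{ Env = '00000000-0000-0000-0000-0000000000b2'; Role = 'System Administrator' }               # target 2
)

# Fail before changing anything if an ID is malformed.
$parsed = [guid]::Empty
$allIds = @($AppId) + ($Assignments | ForEach-Object { $_.Env })
foreach ($id in $allIds) {
    if (-not [guid]::TryParse($id, [ref]$parsed)) {
        throw "Not a valid GUID: $id"
    }
}

foreach ($a in $Assignments) {
    $envId = $a.Env
    $role  = $a.Role
    Write-Host "Assigning '$role' to application user $AppId in environment $envId"

    # --application-user tells pac that --user is an application ID, not a person.
    # Assumption: with no --business-unit argument the app user lands in the
    # default (root) business unit; pass --business-unit if that does not hold.
    pac admin assign-user --environment $envId --user $AppId --role $role --application-user

    if ($LASTEXITCODE -ne 0) {
        throw "pac admin assign-user failed for environment $envId"
    }
}
```

Keeping the host entry on Deployment Pipeline Administrator and only the targets on System Administrator preserves the role split described in the steps above.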
Delegate a service principal in a pipeline deployment stage
To delegate a deployment stage with a service principal, follow these steps.
In the Power Apps maker portal, as the owner of the enterprise application, select the host environment and then play the Deployment Pipeline Configuration app.
Select Environments and verify that the environments are added successfully.
Select Pipelines and then create a new pipeline or edit an existing pipeline. Ensure that the development environment is linked.
Select the Deployment stages tab on the pipeline form. Create a new deployment stage or edit an existing deployment stage.
Note that the Is Delegated Deployment column defaults to No (unselected).
Select Is Delegated Deployment.
Select Service Principal for Delegated Deployment Type and then enter the client ID of the service principal.
Set Allow sharing requests to Yes so that deployment requestors can specify which security groups can access deployed objects in the target environment. Sharing requests are part of the deployment request and can be approved or rejected.
Select Save.
Repeat these steps if you have other stages in your pipeline.
Deployment approvers
Deployment approvers are responsible for carefully reviewing sharing and security role information. When a deployment is approved, pipelines automatically assign permissions by using the deploying service principal's identity.
Therefore, Power Automate cloud flows must connect by using the service principal in the UpdateApprovalStatus unbound action step.
For more information about deploying pipelines as a service principal, see Deploy pipelines as a service principal or pipeline owner.
Next steps
You've now learned how to configure delegated deployments by using a service principal. Next, learn how to configure delegated deployments by using a pipeline stage owner.