Introduction

In this self-paced module, you learn how to use service principals with pipelines in Microsoft Power Platform.

Authentication

Authentication is the process or action of verifying the identity of a user or process. Microsoft's solution to this verification process is Microsoft Entra ID, a service that supports multiple options for verifying the identity of a user or process. Separating yourself from your identity provider reduces concerns because managing usernames and passwords can be a difficult (and risky) process.

Delegated deployments

When a maker creates a pipeline, the system deploys the pipeline as the requesting maker. You can configure the pipeline to deploy as a delegate in place of the maker.

You can run delegated deployments as one of the following:

• Service principal - This security object in Microsoft Entra ID defines the access policy and permissions for the application in the Microsoft Entra tenant.

• Pipeline stage owner - Regular users, including those that you use as service accounts, can also serve as delegates.

When turned on, the pipeline stage deploys as the delegate (service principal or pipeline stage owner) instead of the requesting maker. This identity ensures that makers can request deployments without elevated (or any) access in target environments.

For more information, see Apps & service principals in Microsoft Entra ID.

Register apps with Microsoft Entra ID

To successfully connect to Microsoft Power Platform, you must first register an enterprise app with Microsoft Entra ID.

To define what an app is allowed to do in a Microsoft Entra tenant, you can create a security object known as a service principal. The system automatically adds the service principal when you configure a new enterprise or application registration in Microsoft Entra ID.

The definition of the access policy and permissions for the user and application are in the Microsoft Entra tenant. Therefore, the service principal carries core features, such as user and application authentication during sign-in and authorization during resource access.

After you register an application in Entra ID, the system creates two types of objects:

• Application Object

• Service Principal Object

The Application Object is what shows under the App registrations area in Entra ID. This object acts as the template where you can configure various API permissions, client secrets, branding, app roles, and so on. The system writes these customizations to your app to the app manifest file.

The Application Object describes three aspects of an application:

• How the service can issue tokens to access the application

• Resources that the application might need to access

• Actions that the application can take

The Service Principal Object displays under the Enterprise Registration blade in Entra ID. Every Application Object would create a corresponding Service Principal Object in the Enterprise Registration blade. A service principal is a concrete instance that the Application Object creates, and it inherits certain properties from that Application Object. The system creates a service principal in each tenant where the application is used, and the service principal references the globally unique app object. The Service Principal Object defines what the app can do in the specific tenant, who can access the app, and which resources the app can access.

After you create the service principal, copy the client ID. You need this ID when you configure the deployment stage.

Next steps

Now you learned about Microsoft Entra ID service principals. Next, you learn about the required steps for setting up an enterprise registration in Microsoft Entra ID.