Authenticating to Power Platform services
Power Platform authentication involves a sequence of requests, responses, and redirects between the user's browser and Power Platform or Azure services. The sequence follows the Microsoft Entra auth code grant flow. For more information about user authentication models, see Choosing a sign-in model for Microsoft 365.
Power Platform authentication sequence
The authentication sequence is illustrated in the diagram that follows.
- The user initiates a connection to a Power Platform service from a browser. The user may enter the service address in the address bar or select Sign in on a Power Platform service page. The connection is established using TLS 1.2 and HTTPS. All subsequent communication between the browser and the Power Platform service uses HTTPS.
- The Azure Traffic Manager checks the browser's DNS record to determine the most appropriate (usually nearest) datacenter where the Power Platform service is deployed. The traffic manager returns the IP address of the web front-end cluster to which the user should be sent.
- The web front-end cluster redirects the user to the Microsoft Online Services sign-in page for authentication.
- The sign-in page redirects the authenticated user back to the web front-end cluster with a Microsoft Entra auth code.
- The web front-end cluster uses the auth code to obtain a security token from the Microsoft Entra service.
- The web front-end cluster consults the Power Platform global back-end service to determine which back-end service cluster contains the user's tenant.
- The web front-end cluster returns an application page to the user's browser with required session, access, and routing information.
- The browser sends customer data requests to the back-end cluster with the Microsoft Entra access token included in the authorization header. The back-end cluster reads the access token and validates the signature to make sure the identity for the request is valid. The access token has a default lifetime of one hour. To maintain the session, the browser makes periodic requests to renew the access token before it expires.
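The checks in the last step, written out as an added example (not Microsoft's or Power Platform's code). It assumes the access token is an RS256-signed JWT, generates a constructed key pair in place of the real Microsoft Entra signing keys, and adds an audience check and a 300-second renewal margin that the article does not specify; all function names are hypothetical.

```javascript
const crypto = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const TOKEN_LIFETIME_S = 3600; // default access token lifetime: one hour

// Constructed stand-in for the identity provider's signing key (not a real Entra key).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Issues a constructed RS256 token so the example runs offline.
function issueToken(claims, now) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ ...claims, iat: now, exp: now + TOKEN_LIFETIME_S }));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

// Back-end side: read the token from the authorization header, verify the
// signature first, and only then trust the claims (lifetime, audience).
function validateToken(authorizationHeader, key, expectedAud, now) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || "");
  if (!m) return { ok: false, reason: "malformed" };
  const [, head, body, sig] = m;
  let header, claims;
  try {
    header = decode(head);
    claims = decode(body);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm so the token cannot select "none" or a symmetric one.
  if (header.alg !== "RS256") return { ok: false, reason: "bad-alg" };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify("sha256", signed, key, Buffer.from(sig, "base64url")))
    return { ok: false, reason: "bad-signature" };
  if (typeof claims.exp !== "number" || now >= claims.exp) return { ok: false, reason: "expired" };
  if (claims.aud !== expectedAud) return { ok: false, reason: "wrong-audience" }; // assumed check
  return { ok: true, claims };
}

// Browser side: renew once `skew` seconds or fewer remain before expiry.
function needsRenewal(token, now, skew = 300) {
  return decode(token.split(".")[1]).exp - now <= skew;
}
```

All times are Unix seconds passed in explicitly, so the expiry and renewal behaviour can be checked without waiting on the clock.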
When a Power Platform service is embedded in SharePoint, Power BI, or Teams, the authentication sequence is slightly different. That's because these services perform some of the steps themselves.
Note
Authentication to external data sources is a separate step from authentication to the service. For more information, see Connect to data sources.
Related articles
Security in Microsoft Power Platform
Connecting and authenticating to data sources
Data storage in Power Platform
Power Platform security FAQs