[This article is prerelease documentation and is subject to change.]
Role-based access control (RBAC) in Power Platform lets administrators assign built-in roles to users, groups, and service principals at the tenant, environment group, or environment scope. This tutorial walks through a common automation scenario: assigning the Contributor role to a service principal at the tenant scope using the Authorization API. The tenant scope is the broadest of the three, so the service principal receives Contributor permissions on every environment group and environment in the tenant; if your automation only needs to manage particular environments, assign the role at the environment group or environment scope instead.
To learn more about RBAC concepts, built-in roles, and scope inheritance, see Role-based access control for Power Platform admin center.
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
In this tutorial, you'll learn to:
- Authenticate with the Power Platform API.
- List available role definitions.
- Create a role assignment for a service principal at the tenant scope.
- Verify the role assignment.
Prerequisites
- A Microsoft Entra app registration configured for the Power Platform API, with a certificate or client secret for service principal authentication. For guidance, see Authentication.
- The Enterprise Application Object ID for the service principal (found in Microsoft Entra ID > Enterprise applications). This is the service principal's Object ID, not the Application (client) ID shown on the app registration; the two are different GUIDs.
- The calling identity must have the Power Platform Administrator or Power Platform role-based access control administrator role.
Built-in role definitions
Power Platform provides four built-in roles that can be assigned via RBAC. Each role has a fixed set of permissions and can be assigned at the tenant, environment group, or environment scope. Treat the role-based access control administrator role as highly privileged even though it only reads resources: a principal that can manage role assignments can assign any of these roles, including owner, to other principals.

| Role name | Role ID | Permissions |
|---|---|---|
| Power Platform owner | 0cb07c69-1631-4725-ab35-e59e001c51ea | All permissions |
| Power Platform contributor | ff954d61-a89a-4fbe-ace9-01c367b89f87 | Manage and read all resources, but can't make or change role assignments |
| Power Platform reader | c886ad2e-27f7-4874-8381-5849b8d8a090 | Read-only access to all resources |
| Power Platform role-based access control administrator | 95e94555-018c-447b-8691-bdac8e12211e | Read all resources + manage role assignments |
Step 1. List available role definitions
First, authenticate and retrieve the available role definitions to confirm the contributor role ID. Sign in as an identity that holds one of the admin roles listed in the prerequisites.

```powershell
# Install the Az.Accounts module if not already installed
Install-Module -Name Az.Accounts

# Set your tenant ID
$TenantId = "YOUR_TENANT_ID"

# Authenticate against the tenant and obtain an access token for the Power Platform API
Connect-AzAccount -Tenant $TenantId
$AccessToken = Get-AzAccessToken -TenantId $TenantId -ResourceUrl "https://api.powerplatform.com/"

# Az.Accounts 5.x returns Token as a SecureString (older versions return a plain string).
# Unwrap it so the header carries the bearer token rather than the literal text
# "System.Security.SecureString", which would make every call fail with 401.
$Token = $AccessToken.Token
if ($Token -is [System.Security.SecureString]) {
    $Token = [System.Net.NetworkCredential]::new('', $Token).Password
}
$headers = @{
    'Authorization' = "Bearer $Token"
    'Content-Type'  = 'application/json'
}

# List all role definitions
$roleDefinitions = Invoke-RestMethod -Method Get -Uri "https://api.powerplatform.com/authorization/roleDefinitions?api-version=2024-10-01" -Headers $headers
$roleDefinitions.value | Format-Table roleDefinitionName, roleDefinitionId
```
Expected output:

```text
roleDefinitionName                                      roleDefinitionId
------------------                                      ----------------
Power Platform owner                                    0cb07c69-1631-4725-ab35-e59e001c51ea
Power Platform contributor                              ff954d61-a89a-4fbe-ace9-01c367b89f87
Power Platform reader                                   c886ad2e-27f7-4874-8381-5849b8d8a090
Power Platform role-based access control administrator  95e94555-018c-447b-8691-bdac8e12211e
```
Power Platform API reference: Role-Based Access Control - List Role Definitions
Step 2. Assign the Contributor role to a service principal
Create a role assignment that grants the Power Platform contributor role to a service principal at the tenant scope. Replace YOUR_TENANT_ID with your tenant GUID and YOUR_ENTERPRISE_APP_OBJECT_ID with the enterprise application object ID from Microsoft Entra ID. The request reuses the `$headers` built in Step 1, so run it in the same session.
```powershell
$TenantId = "YOUR_TENANT_ID"
$EnterpriseAppObjectId = "YOUR_ENTERPRISE_APP_OBJECT_ID"

# Request body: contributor role, the service principal as an ApplicationUser, tenant scope
$body = @{
    roleDefinitionId  = "ff954d61-a89a-4fbe-ace9-01c367b89f87"
    principalObjectId = $EnterpriseAppObjectId
    principalType     = "ApplicationUser"
    scope             = "/tenants/$TenantId"
} | ConvertTo-Json

$roleAssignment = Invoke-RestMethod -Method Post -Uri "https://api.powerplatform.com/authorization/roleAssignments?api-version=2024-10-01" -Headers $headers -Body $body
$roleAssignment
```
Expected output:

```text
roleAssignmentId  : a1b2c3d4-e5f6-7890-abcd-ef1234567890
principalObjectId : <your-enterprise-app-object-id>
roleDefinitionId  : ff954d61-a89a-4fbe-ace9-01c367b89f87
scope             : /tenants/<your-tenant-id>
principalType     : ApplicationUser
createdOn         : 2026-03-02T12:00:00.0000000+00:00
```
Power Platform API reference: Role-Based Access Control - Create Role Assignment
Step 3. Verify the role assignment
Retrieve all role assignments to confirm the new assignment exists.
```powershell
$roleAssignments = Invoke-RestMethod -Method Get -Uri "https://api.powerplatform.com/authorization/roleAssignments?api-version=2024-10-01" -Headers $headers

# Filter for the service principal's assignments
$roleAssignments.value | Where-Object { $_.principalObjectId -eq $EnterpriseAppObjectId } | Format-Table roleAssignmentId, roleDefinitionId, scope, principalType
```
Expected output:

```text
roleAssignmentId                      roleDefinitionId                      scope                      principalType
----------------                      ----------------                      -----                      -------------
a1b2c3d4-e5f6-7890-abcd-ef1234567890  ff954d61-a89a-4fbe-ace9-01c367b89f87  /tenants/<your-tenant-id>  ApplicationUser
```
Power Platform API reference: Role Based Access Control - List Role Assignments
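The three steps above, combined into one idempotent script. This is an added example, not code from the article or from Microsoft: it resolves the role by name instead of hard-coding the GUID, handles the SecureString token that Az.Accounts 5.x returns, skips the POST when an assignment with the same principal, role, and scope already exists, surfaces the API's error body on failure, and reads the result back. The function names (`Get-PpApiHeaders`, `Get-PpRoleDefinitionId`, `Get-PpRoleAssignments`, `Set-PpRoleAssignment`) are this example's own; the endpoints, API version, payload fields, and the `/tenants/<id>` scope format are the ones the article shows. Scope formats for environment groups and environments are not shown on this page, so `-Scope` is left as a plain string for you to supply.

```powershell
#Requires -Modules Az.Accounts
# Added example: idempotent "ensure the service principal holds this role at this scope".
$ErrorActionPreference = 'Stop'
$ApiBase    = 'https://api.powerplatform.com/authorization'
$ApiVersion = '2024-10-01'

function Get-PpApiHeaders([string]$TenantId) {
    $token = (Get-AzAccessToken -TenantId $TenantId -ResourceUrl 'https://api.powerplatform.com/').Token
    if ($token -is [System.Security.SecureString]) {
        # Az.Accounts 5.x returns a SecureString; unwrap it for the Authorization header
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }
    return @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
}

function Get-PpRoleDefinitionId([string]$RoleName, [hashtable]$Headers) {
    # Resolve the role ID from the list endpoint rather than trusting a pasted GUID
    $defs  = Invoke-RestMethod -Method Get -Uri "$ApiBase/roleDefinitions?api-version=$ApiVersion" -Headers $Headers
    $match = @($defs.value | Where-Object { $_.roleDefinitionName -eq $RoleName })
    if ($match.Count -ne 1) { throw "Expected exactly one role named '$RoleName', found $($match.Count)." }
    return $match[0].roleDefinitionId
}

function Get-PpRoleAssignments([hashtable]$Headers) {
    return @((Invoke-RestMethod -Method Get -Uri "$ApiBase/roleAssignments?api-version=$ApiVersion" -Headers $Headers).value)
}

function Set-PpRoleAssignment {
    # Creates the assignment only if no assignment with the same principal, role, and scope exists
    param([string]$PrincipalObjectId, [string]$RoleDefinitionId, [string]$Scope, [hashtable]$Headers)
    $existing = Get-PpRoleAssignments $Headers | Where-Object {
        $_.principalObjectId -eq $PrincipalObjectId -and
        $_.roleDefinitionId  -eq $RoleDefinitionId  -and
        $_.scope             -eq $Scope
    }
    if ($existing) {
        Write-Verbose "Assignment already exists: $($existing.roleAssignmentId)"
        return $existing
    }
    $body = @{
        roleDefinitionId  = $RoleDefinitionId
        principalObjectId = $PrincipalObjectId
        principalType     = 'ApplicationUser'
        scope             = $Scope
    } | ConvertTo-Json
    try {
        return Invoke-RestMethod -Method Post -Uri "$ApiBase/roleAssignments?api-version=$ApiVersion" -Headers $Headers -Body $body
    } catch {
        # Include the API's error body (for example a 403 when the caller lacks an admin role)
        throw "Create role assignment failed: $($_.Exception.Message) $($_.ErrorDetails.Message)"
    }
}

# --- Usage ---
$TenantId              = 'YOUR_TENANT_ID'
$EnterpriseAppObjectId = 'YOUR_ENTERPRISE_APP_OBJECT_ID'

# Interactive sign-in as an admin. For unattended runs, sign in as the automation's own
# service principal with a certificate instead, for example:
#   Connect-AzAccount -ServicePrincipal -Tenant $TenantId -ApplicationId <appId> -CertificateThumbprint <thumbprint>
Connect-AzAccount -Tenant $TenantId | Out-Null

$headers    = Get-PpApiHeaders -TenantId $TenantId
$roleId     = Get-PpRoleDefinitionId -RoleName 'Power Platform contributor' -Headers $headers
$assignment = Set-PpRoleAssignment -PrincipalObjectId $EnterpriseAppObjectId -RoleDefinitionId $roleId `
                                   -Scope "/tenants/$TenantId" -Headers $headers

# Verify by reading the assignment back, as in Step 3
Get-PpRoleAssignments $headers |
    Where-Object { $_.roleAssignmentId -eq $assignment.roleAssignmentId } |
    Format-List roleAssignmentId, roleDefinitionId, scope, principalType, createdOn
```

Running the script twice is safe: the second run finds the existing assignment and returns it without issuing another POST, which keeps retry loops in a pipeline from piling up duplicate assignments. The read-back at the end is the same check as Step 3 and is what you should gate any downstream automation on, rather than on the POST returning without error.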