Version 1 builds the federated identity credential (FIC) subject identifier from the certificate Common Name (CN).
Important
Version 2 is the recommended version and works with any certificate name. Use this article only to maintain an existing version 1 setup. For new plug-ins, see Set up Power Platform managed identity (version 2). To move an existing plug-in to version 2, see Upgrade to version 2.
Version 1 fails when the certificate CN contains non-ASCII characters (AADSTS70050) or commas (AADSTS700213). If you hit either error, move to version 2.
Prerequisites
Same as version 2. See Prerequisites.
Set up managed identity (version 1)
The steps are the same as version 2 except for the FIC subject identifier format (Step 3) and the managed identity record version (Step 4).
Step 1: Create an app registration or user-assigned managed identity
No change from version 2. See Step 1.
Step 2: Build, sign, and register the plug-in
No change from version 2. See Step 2.
Step 3: Configure the federated identity credential
In the Azure portal, open your app or user-assigned managed identity (UAMI), go to Certificates & secrets > Federated credentials > Add credential, and select Other issuer. Then enter:
Issuer — https://login.microsoftonline.com/{tenantID}/v2.0
Type — Explicit subject identifier
Subject identifier — use the format for your certificate type:
Trusted issuer certificate (production):
/eid1/c/pub/t/{encodedTenantId}/a/qzXoWDkuqUa3l6zM5mM0Rw/n/plugin/e/{environmentId}/i/{issuer}/s/{certificateSubject}
Self-signed certificate (development only):
/eid1/c/pub/t/{encodedTenantId}/a/qzXoWDkuqUa3l6zM5mM0Rw/n/plugin/e/{environmentId}/h/{hash}
Step 4: Create the managed identity record in Dataverse
For version 1, set version to 1:
{
"applicationid": "<<appId>>",
"managedidentityid": "<<anyGuid>>",
"credentialsource": 2,
"subjectscope": 1,
"tenantid": "<<tenantId>>",
"version": 1
}
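As an added illustration of Steps 3 and 4 (example code written for this page, not code from the article or from Microsoft), the following Python composes the version 1 subject identifier from its parts, refuses a CN that version 1 cannot represent using the two error codes the article names, and assembles the Step 4 record with version pinned to 1. The encoded tenant ID, environment ID, issuer and hash values are taken as opaque inputs because the article does not define how they are derived.

```python
from __future__ import annotations

# Fixed audience segment exactly as it appears in the article's subject identifier format.
AUDIENCE_SEGMENT = "qzXoWDkuqUa3l6zM5mM0Rw"


def cn_problems_v1(cn: str) -> list[str]:
    """Return the AADSTS codes the article ties to a version 1 CN: non-ASCII -> 70050, comma -> 700213."""
    problems = []
    if any(ord(ch) > 127 for ch in cn):
        problems.append("AADSTS70050")
    if "," in cn:
        problems.append("AADSTS700213")
    return problems


def build_v1_subject(encoded_tenant_id: str, environment_id: str, *,
                     issuer: str | None = None, certificate_subject: str | None = None,
                     cert_hash: str | None = None) -> str:
    """Compose the explicit subject identifier for a version 1 FIC.
    encoded_tenant_id and environment_id are passed through as given (encoding not defined here).
    Trusted issuer form: .../i/{issuer}/s/{certificateSubject}
    Self-signed (dev) form: .../h/{hash}
    """
    prefix = (f"/eid1/c/pub/t/{encoded_tenant_id}/a/{AUDIENCE_SEGMENT}"
              f"/n/plugin/e/{environment_id}")
    if cert_hash is not None:
        return f"{prefix}/h/{cert_hash}"
    if issuer is None or certificate_subject is None:
        raise ValueError("trusted issuer form needs both issuer and certificate_subject")
    problems = cn_problems_v1(certificate_subject)
    if problems:
        # Version 1 cannot encode this CN; the article's fix is to move to version 2.
        raise ValueError(f"CN not usable with version 1 ({', '.join(problems)}); use version 2")
    return f"{prefix}/i/{issuer}/s/{certificate_subject}"


def managed_identity_record_v1(app_id: str, managed_identity_id: str, tenant_id: str) -> dict:
    """Build the Dataverse managed identity record from Step 4 with version pinned to 1."""
    return {
        "applicationid": app_id,
        "managedidentityid": managed_identity_id,
        "credentialsource": 2,
        "subjectscope": 1,
        "tenantid": tenant_id,
        "version": 1,
    }
```

Running `cn_problems_v1` against the CN of a candidate certificate before creating the credential tells you up front whether a version 1 setup can work at all.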
Step 5: Grant access to the Azure resource
Grant the application or user-assigned managed identity access to the Azure resource it needs, such as Azure Key Vault.
Step 6: Validate the integration
Trigger the plug-in and confirm it acquires a token and reaches the Azure resource without separate credentials.
Frequently asked questions
How do I resolve AADSTS700213?
If the CN contains commas, move to version 2.
How do I resolve AADSTS70050?
Move to version 2, which produces an ASCII-only subject identifier.