Nota
L-aċċess għal din il-paġna jeħtieġ l-awtorizzazzjoni. Tista’ tipprova tidħol jew tibdel id-direttorji.
L-aċċess għal din il-paġna jeħtieġ l-awtorizzazzjoni. Tista’ tipprova tibdel id-direttorji.
Power Platform managed identity allows Dataverse plug-ins or plug-in packages to connect with Azure resources to support managed identity without the need for credentials. This article helps you set up managed identity in your Power Platform environments.
Prerequisites
- An Azure subscription with access to provision user-assigned managed identity (UAMI) or application registration.
- Tools for plug-ins or plug-in packages:
- Integrated Development Environment (IDE), like Visual Studio, to build plug-in
- Plug-in registration tool
- SignTool.exe (Sign Tool) to sign the plug-in assembly
- Power Platform CLI
- A valid certificate to sign the plug-in assembly.
Set up managed identity
To configure Power Platform managed identity for Dataverse plug-ins or plug-in packages, complete the following steps.
- Create a new app registration or user-assigned managed identity.
- Configure federated identity credentials.
- Create and register Dataverse plug-ins or plug-in packages.
Be sure to build the plug-in assembly and register the plug-in or plug-in package. - Create a managed identity record in Dataverse.
- Grant access to the Azure resources to the application or user-assigned managed identity (UAMI).
- Validate the plug-in integration.
Create a new app registration or user-assigned managed identity
You can create either user-assigned managed identity or an application in Microsoft Entra ID based on the following scenarios.
- If you want an app identity associated with the plug-in that connects to Azure resources, such as Azure Key Vault, use application registration. With app identity, you can apply Azure policies on the plug-in accessing Azure resources.
- If you want a service principal to access Azure resources, such as Azure Key Vault, you can provision user-assigned managed identity.
Note
Be sure to capture the following IDs, as you use them in later steps.
- Application (client) ID
- Tenant ID
Configure federated identity credentials
To configure managed identity, open the user-assigned managed identity or Microsoft Entra ID application in the Azure portal that you created in the previous section.
- Go to the Azure portal.
- Navigate to Microsoft Entra ID.
- Select App registrations.
- Open the app you created in Set up managed identity.
- Navigate to Certificates & secrets.
- Select the Federated credentials tab and select Add credential.
- Select issuer as Other issuer.
- Enter the following information:
Issuer
Use the tenant's v2.0 issuer:
https://login.microsoftonline.com/{tenantID}/v2.0
Example
https://login.microsoftonline.com/5f8a1a9f-2e1a-415f-b10c-84c3736a21b9/v2.0
Type
Choose Explicit subject identifier.
Subject identifier
Choose the format that matches your certificate type:
Self-signed certificate (development only):
/eid1/c/pub/t/{encodedTenantId}/a/qzXoWDkuqUa3l6zM5mM0Rw/n/plugin/e/{environmentId}/h/{hash}Trusted issuer certificate (recommended for production):
/eid1/c/pub/t/{encodedTenantId}/a/qzXoWDkuqUa3l6zM5mM0Rw/n/plugin/e/{environmentId}/i/{issuer}/s/{certificateSubject}
Segment reference
| Segment | Description |
|---|---|
| eid1 | Identity format version |
| c/pub | Cloud code for public cloud, Government Community Cloud (GCC), and first release station in GCC. |
| t/{encodedTenantId} | Tenant ID |
| a/qzXoWDkuqUa3l6zM5mM0Rw/ | Internal use only. Don't modify. |
| n/plugin | Plug-in component |
| e/{environmentId} | Environment ID |
| h/{hash} | SHA‑256 of certificate (self-signed only) |
| i/{issuer} s/{certificateSubject} |
Trusted-issuer details |
Generate self-signed certificate
Every plug-in must have a verifiable identity, and the signing certificate acts as the plug-in’s unique fingerprint. The following code is a sample PowerShell snippet you can use to generate a self-signed certificate for development or testing scenarios. For reference, you can follow from example 3.
$params = @{
Type = 'Custom'
Subject = 'E=admin@contoso.com,CN=Contoso'
TextExtension = @(
'2.5.29.37={text}1.3.6.1.5.5.7.3.4',
'2.5.29.17={text}email=admin@contoso.com' )
KeyAlgorithm = 'RSA'
KeyLength = 2048
SmimeCapabilities = $true
CertStoreLocation = 'Cert:\CurrentUser\My'
}
New-SelfSignedCertificate @params
Note
Encoding for {encodedTenantId}
- Convert GUID → Hex.
- Convert Hex → Base64URL (not standard Base64).
Self-signed hash
- Compute SHA-256 over the .cer. If you have a .pfx, export a .cer first:
CertUtil -hashfile <CertificateFilePath> SHA256 $cert = Get-PfxCertificate -FilePath "path o\your.pfx" $cert.RawData | Set-Content -Encoding Byte -Path "extracted.cer"
Specialized Azure cloud environments
Set Audience, Issuer URL, and Subject prefix explicitly when deploying outside public cloud, GCC, and first release station in GCC:
| Cloud | Audience | Issuer URL | Subject prefix |
|---|---|---|---|
| GCC High & DoD | api://AzureADTokenExchangeUSGov |
https://login.microsoftonline.us |
/eid1/c/usg |
| Mooncake (China) | api://AzureADTokenExchangeChina |
https://login.partner.microsoftonline.cn |
/eid1/c/chn |
| US National (USNAT) | api://AzureADTokenExchangeUSNat |
https://login.microsoftonline.eaglex.ic.gov |
/eid1/c/uss |
| US Secure (USSec) | api://AzureADTokenExchangeUSSec |
https://login.microsoftonline.scloud |
/eid1/c/usn |
Note
The Audience value is case-sensitive and must match exactly.
For public cloud, GCC, and first release station in GCC (and other non‑listed clouds), defaults are:
Audience api://AzureADTokenExchange, Issuer https://login.microsoftonline.com, Subject prefix /eid1/c/pub.
Create and register Dataverse plug-ins or plug-in packages
Build plug-in assembly
Create a plug-in using Visual Studio. While building the plug-in, use the tenant ID from Create a new app registration or user-assigned managed identity and scopes as organization URL like
https://{OrgName}.crm*.dynamics.com/.defaultor even more granular scopes.Use IManagedIdentityService and acquire a token method to request a token with given scope.
Method signature:
string AcquireToken(IEnumerable<string> scopes);
Packaging and signing
Signing a plug-in package
If you're building a plug-in package, use the NuGet Sign CLI to generate a package from either a .nuspec or a .csproj file. After generating the package, sign it with your certificate.
nuget sign YourPlugin.nupkg `
-CertificatePath MyCert.pfx `
-CertificatePassword "MyPassword" `
-Timestamper http://timestamp.digicert.com
Signing a plug-in assembly
If you're registering a plug-in (assembly), sign the DLL with a certificate by using SignTool.exe (Sign Tool).
signtool sign /f MyCert.pfx /p MyPassword /t http://timestamp.digicert.com /fd SHA256 MyAssembly.dll
You can optionally add timestamping by providing the URL of an RFC 3161‑compliant timestamp server.
Note
Use a self‑signed certificate only for development or testing purposes. Don't use self‑signed certificates in production environments.
Register the plug-in
Install the plug-in registration tool if you don't already have it on your machine. For more information, see Dataverse development tools.
Register the plug-in. For more information, see Register plug-in.
Create managed identity record in Dataverse
To provision a managed identity record in Dataverse, complete the following steps.
Create a managed identity by sending an HTTP POST request with a REST client (such as Insomnia). Use a URL and request body in the following format.
POST https://<<orgURL>>/api/data/v9.0/managedidentitiesBe sure to replace orgURL with the URL of the organization.
Ensure that credentialsource is set to 2 in the payload, subjectscope is set to 1 for environment-specific scenarios, and version is set to 1 in the payload.
Sample payload
{ "applicationid": "<<appId>>", //Application Id, or ClientId, or User Managed Identity "managedidentityid": "<<anyGuid>>", "credentialsource": 2, // Managed client "subjectscope": 1, //Environment Scope "tenantid": "<<tenantId>>", //Entra Tenant Id "version": 1 }Update your plug‑in package or plug‑in assembly record by issuing an HTTP PATCH request to associate it with the managed identity created in step 1.
Plug-in assembly
PATCH https://<<orgURL>>/api/data/v9.0/pluginassemblies(<<PluginAssemblyId>>)Plug-in package
PATCH https://<<orgURL>>/api/data/v9.0/pluginpackages(<<PluginPackageId>>)Sample payload
{ "managedidentityid@odata.bind": "/managedidentities(<<ManagedIdentityGuid>>)" }Be sure to replace orgURL, PluginAssemblyId (or PluginPackageId), and ManagedIdentityGuid with your values.
Grant access to the Azure resources to application or user-assigned managed identity
If you need to give access to an application ID to access Azure resources, such as Azure Key Vault, grant access to the application or user-assigned managed identity to that resource.
Validate the plug-in integration
Verify that your plug-in can securely request access to Azure resources that support managed identity, eliminating the need for separate credentials.
Frequently asked questions (FAQs)
How do I resolve this error?
If you receive the following error:
Getting Error – A configuration issue is preventing authentication.
AADSTS700213: No matching federated identity record found
Complete the following steps to resolve the issue:
Ensure the FIC is correctly configured and saved.
Verify that the issuer/subject matches the format specified earlier.
You can also find the expected format in the error stack.
How do I resolve the "Unable to reach or connect to Power Platform" error?
Refer to Power Platform URLs and IP address ranges to ensure Power Platform endpoints are reachable and allowlisted.