Power Apps - Authentication Methods

OneConnect supports multiple authentication options to connect to Power Apps.

Please review the options available and choose the best option for your company, before beginning the integration setup.

Please ensure the person enabling the integration permissions has the necessary administrative rights to do so. 

An Entra Application must be available to connect to Power Apps. Clients can choose the default OnePlan app, or can create their own.

 

Service Account + Default OnePlan Application

To authenticate to Power Apps, provide the Power Apps environment URL along with a username and password for an account that has access to the Dataverse and the default OnePlan Entra Application.

The user account cannot have Multi-Factor Authentication (MFA) enabled.

It is recommended to use a dedicated user account for this connection. Best practice dictates one user account per integration to avoid data throttling and potential strategy failures by Microsoft. 

Pros of using an account to connect:

  • Quick to set up.

Cons of using an account to connect:

  • The user/service account cannot have Multi-Factor Authentication (MFA).
  • A username and password must be configured in OneConnect. 

To create the default OnePlan application, a Microsoft tenant administrator must click the Authorize button within the Power Apps connector. This will prompt a login screen where the tenant administrator will need to enter their credentials. 

That will add an Entra Application named OneConnect for Dynamics to your tenant. The OneConnect for Dynamics application will have the following delegated permissions:

  • Dataverse: user_impersonation
  • Microsoft Graph: User.Read

Service Account + Custom Entra Application

You can also create your own Entra Application to connect to Power Apps. This is similar to the previous option, but instead of using our default application, you create your own.

To authenticate to Power Apps, provide the Power Apps environment URL, the Client Id of the Custom Entra Application, and a username and password for an account that has access to the Dataverse and the Custom Entra Application.

The user account cannot have Multi-Factor Authentication (MFA) enabled.

It is recommended to use a dedicated user account for this connection. Best practice dictates one user account per integration to avoid data throttling and potential strategy failures by Microsoft. 

Pros of using this option:

  • Customer is in control of the Entra Application that is used to access Power Apps.

Cons of using this option:

  • The account cannot have Multi-Factor Authentication (MFA).
  • A username and password must be configured in OneConnect. 

For detailed steps on generating an Entra Application, refer to the Complete the Power Apps Setup Actions page.

Note: When registering your application, do not create a Client Secret.

Service Principal (New)

Connecting to Power Apps with a Service Principal instead of a service account aligns with modern security best practices. It removes the need for a service account that has Multi-Factor Authentication (MFA) disabled, and the need to enter a username and password in OneConnect.

To authenticate to Power Apps, provide the Power Apps environment URL and check Use a Service Principal to connect to Power Apps beneath the Advanced Options section of the Power Apps connector. With the checkbox selected, the integration authenticates with the Service Principal credentials entered in the Client Id and Client Secret fields.

Pros of Service Principal:

  • More secure than using service accounts

Cons of Service Principal:

  • More involved process to set up.
  • Customer is responsible for maintaining the client secret for the Entra Application (updating it when it expires).

How It Works

The Service Principal is a registered application within your Azure Active Directory (AAD) that acts as a trusted identity for your integrations. This method requires:

  • Application (Client) ID: A unique identifier for the registered application.
  • Client Secret: A securely generated password used to authenticate the application.

If you want to use this method, please follow the steps below.

Register the Application

  1. Log in to portal.azure.com as a tenant or application administrator for your tenant.
  2. Navigate to Microsoft Entra Admin Center.
  3. Within the left navigation bar, click on App registrations.
  4. On the top left of the page, create a New registration.
    • Name: Enter a descriptive name.
    • Supported Account Types: Choose Accounts in this organizational directory only (Single Tenant).
    • Redirect URI (Optional)
      • Dropdown should be set to "Web".
      • URL: https://my.oneconnect.ai or https://eu.oneconnect.ai depending on which OneConnect site you are using. 
  5. Click Register. The App Registration page will load. Within the Essentials section, the Application (Client) ID can be found.

Configure API Permissions

  1. On the Overview page of the App Registration, navigate to Manage > API Permissions.
  2. Confirm that Microsoft Graph: User.Read is already listed.
  3. Add additional permissions:
    • Click + Add a Permission.
    • Select Dynamics CRM.
    • Choose user_impersonation and click Add Permission.
  4. Click Grant Admin Consent for your tenant. Confirm by selecting Yes.

Generate a Client Secret

  1. Go to Manage > Certificates and Secrets.
  2. Click + New Client Secret.
  3. Provide:
    • A description.
    • An Expiration period (up to 24 months).
  4. Click Add.
  5. Save the Client Secret Value displayed under the Value column. You’ll need this later.

Note: This value will only appear once. Save it in a secure location in case you need it a second time; otherwise, best practice is to create a whole new client secret each time one is needed.
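
Because the customer is responsible for replacing the client secret before it expires, an expiry check is worth scheduling. The following Python example is added here and is not OneConnect or Microsoft code; it classifies the secrets in the passwordCredentials array of a Microsoft Graph application object, using a constructed sample record and an assumed 30-day warning window.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape Microsoft Graph returns for an application
# object (GET /applications/{id}?$select=displayName,passwordCredentials).
SAMPLE_APP = json.loads("""
{"displayName": "oneconnect-powerapps-sp",
 "passwordCredentials": [
  {"keyId": "11111111-1111-1111-1111-111111111111",
   "displayName": "oneconnect-2024", "endDateTime": "2026-03-01T00:00:00Z"},
  {"keyId": "22222222-2222-2222-2222-222222222222",
   "displayName": "old-secret", "endDateTime": "2025-01-15T00:00:00Z"},
  {"keyId": "33333333-3333-3333-3333-333333333333",
   "displayName": "oneconnect-2025", "endDateTime": "2027-06-30T12:30:00.1234567Z"}
 ]}
""")

def parse_graph_time(value):
    """Parse a Graph UTC timestamp; fractions are trimmed or padded to 6 digits."""
    head, _, frac = value.rstrip("Z").partition(".")
    if frac:
        head = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(head).replace(tzinfo=timezone.utc)

def classify_secrets(app, now, warn_days=30):
    """Return (status, name, days_left) per secret, soonest expiry first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            status = "EXPIRED"   # integration using this secret no longer authenticates
        elif end - now <= timedelta(days=warn_days):
            status = "ROTATE"    # create a new secret and update OneConnect now
        else:
            status = "OK"
        # displayName can be null in Graph, so fall back to the key id
        name = cred.get("displayName") or cred["keyId"]
        rows.append((status, name, (end - now).days))
    return sorted(rows, key=lambda row: row[2])

if __name__ == "__main__":
    for status, name, days in classify_secrets(SAMPLE_APP, datetime.now(timezone.utc)):
        print(f"{status:8} {name:20} {days:5d} days")
```

Expired entries that are no longer used by any integration should be deleted from the app registration so that only the active secret remains.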

Add Service Principal to Dataverse

  1. Navigate to Power Platform Admin Center.
  2. Go to Environments, select the desired environment, and then click Settings.
  3. Expand Users + Permissions > Application Users.
  4. Click + New App User and complete the form:
    • App: Select the Service Principal created earlier.
    • Business Unit: Enter the appropriate value here for your business unit.
    • Security Role: Assign the System Administrator role.
  5. Click Create.

The new Service Principal will appear on the list with a # before its name.
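
To confirm the finished setup before entering the Client Id and Client Secret in OneConnect, the Service Principal can be tested directly. This added example (not OneConnect code) requests a token with the OAuth 2.0 client credentials grant and calls the Dataverse WhoAmI function; the environment variable names and the v9.2 Web API path are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

def build_token_request(tenant_id, client_id, client_secret, env_url):
    """Return (url, form_fields) for a client-credentials token request."""
    parts = urllib.parse.urlsplit(env_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("environment URL must be an https:// URL")
    resource = f"https://{parts.netloc}"      # drop any path or trailing slash
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",       # app-only scope for this environment
    }
    return url, fields

def whoami_url(env_url):
    """Dataverse Web API function that returns the caller's identity."""
    parts = urllib.parse.urlsplit(env_url.strip())
    return f"https://{parts.netloc}/api/data/v9.2/WhoAmI"

def check_service_principal(tenant_id, client_id, client_secret, env_url):
    """Get a token, call WhoAmI, and return the application user's ids."""
    url, fields = build_token_request(tenant_id, client_id, client_secret, env_url)
    body = urllib.parse.urlencode(fields).encode()
    token_req = urllib.request.Request(url, data=body)   # data present => POST
    with urllib.request.urlopen(token_req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    api_req = urllib.request.Request(whoami_url(env_url), headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(api_req, timeout=30) as resp:
        return json.load(resp)   # UserId, BusinessUnitId, OrganizationId

if __name__ == "__main__":
    # Read the secret from the environment, never from the script itself.
    result = check_service_principal(
        os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
        os.environ["AZURE_CLIENT_SECRET"], os.environ["DATAVERSE_URL"])
    print("Application user id:", result["UserId"])
```

An HTTP error on the token request points at the Client Id or Client Secret; an HTTP error on WhoAmI after a successful token request points at the application user or its security role in the environment.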
