OneConnect supports multiple authentication options to connect to Microsoft Planner Premium.
Please review the options available and choose the best option for your company, before beginning the integration setup.
Please ensure the person enabling the integration permissions has the necessary administrative rights to do so.
There must be an Entra Application available in order to connect to Microsoft Planner Premium. You can create your own or use the default one.
Service Account + Default OnePlan Application
You can use an Entra ID account to connect to Planner Premium. In this scenario, all communication with Planner is done via a central account. We call this user account a "Service Account". The service account whose username and password you provide must have access to Planner.
The user account cannot have Multi-Factor Authentication (MFA) enabled.
The default App ID: 7780b2e4-b4e2-4766-8d1c-3e8363a97409
Pros of using this option:
- Individual users do not need Office 365 group management rights.
Cons of using this option:
- The account cannot have Multi-Factor Authentication (MFA).
- A username and password must be configured in OneConnect.
- More involved process to set up (requires a Microsoft tenant administrator to approve permissions).
To create the default OnePlan application, a Microsoft tenant administrator must click the Authorize button within the Planner Premium connector. This will prompt a login screen where the tenant administrator will need to enter their credentials.
That will add an Entra Application named OneConnect for Dynamics to your tenant. The OneConnect for Dynamics application will have the following delegated permissions:
- Microsoft Graph: User.Read
- Dataverse: user_impersonation
Service Account + Custom Entra Application
You can also create your own Entra Application to connect to Planner Premium. In this scenario, all communication with Planner Premium is done via a central account. We call this user account a "Service Account".
To authenticate to Planner Premium, provide the username and password for an account that has access to Planner Premium, along with the Custom App credentials within the Client Id field.
The user account cannot have Multi-Factor Authentication (MFA) enabled.
It is recommended to use a dedicated user account for this connection. Best practice dictates one user account per integration to avoid data throttling and potential strategy failures by Microsoft.
If you choose this method, please follow the CDS (Common Data Service) / Dynamics Setup article to create the Entra App.
Pros of using this option:
- Customer is in control of the Entra Application that is used to access Planner Premium.
Cons of using this option:
- The account cannot have Multi-Factor Authentication (MFA).
- A username and password must be configured in OneConnect.
- More involved process to set up (requires manual creation of an app).
Service Principal + Custom Entra Application
Connecting to Planner Premium using a Service Principal instead of a service account aligns with modern security best practices. It eliminates the need for a service account with Multi-Factor Authentication (MFA) disabled and the need to enter a username and password in OneConnect.
To authenticate to Planner Premium, provide the Power Apps environment URL and check the Use Service Principal checkbox beneath the Advanced Options section of the Planner Premium connector. With the checkbox selected, the integration authenticates via the Service Principal credentials within the Client Id and Client Secret fields.
Pros of using this option:
- More secure than using service accounts.
Cons of using this option:
- More involved process to set up.
- Customer is responsible for maintaining the client secret for the Entra Application (update it when it expires).
- This method does not support task updates in Planner Premium.
How It Works
The Service Principal is a registered application within your Entra ID that acts as a trusted identity for your integrations. This method requires:
- Application (Client) ID: A unique identifier for the registered application.
- Client Secret: A securely generated password used to authenticate the application.
If you want to use this method, please follow the steps below.
Register the Application
- While logged in as a tenant or application administrator for your tenant, log in to portal.azure.com.
- Navigate to Microsoft Entra Admin Center.
- Within the left navigation bar, click on App registrations.
- On the top left of the page, create a New registration.
  - Name: Enter a descriptive name.
  - Supported Account Types: Choose Accounts in this organizational directory only (Single Tenant).
  - Redirect URI (Optional):
    - Dropdown should be set to "Web".
    - URL: https://my.oneconnect.ai or https://eu.oneconnect.ai depending on which OneConnect site you are using.
- Click Register. The App Registration page will load. Within the Essentials section, the Application (Client) ID can be found.
Configure API Permissions:
- On the Overview page of the App Registration, navigate to Manage > API Permissions.
- Confirm that Microsoft Graph: User.Read is already listed.
- Add additional permissions:
  - Click + Add a Permission.
  - Select Dynamics CRM.
  - Choose user_impersonation and click Add Permission.
  - Click + Add a Permission.
  - Select Microsoft Graph.
  - Choose Group.ReadWrite.All and click Add Permission.
- Click Grant Admin Consent for your tenant. Confirm by selecting Yes.
Generate a Client Secret
- Go to Manage > Certificates and Secrets.
- Click + New Client Secret.
- Provide:
  - A description.
  - An Expiration period (up to 24 months).
- Click Add.
- Save the Client Secret Value displayed under the Value column. You’ll need this later.
Note: This value is shown only once. Save it in a secure location in case you need it a second time. Otherwise, best practice is to create a whole new client secret each time one is needed.
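A check for the secret-maintenance burden described above, as an added example (not OnePlan's or Microsoft's code): it reads an application object's `passwordCredentials` array in the shape Microsoft Graph returns it and flags secrets that are expired, close to expiry, or longer-lived than the 24 months given in the steps. The sample data, the function names and the 30-day warning window are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the passwordCredentials array of a Microsoft
# Graph application object; names, key IDs and dates are made up.
SAMPLE_APP = json.loads("""
{"displayName": "OneConnect Planner Premium (example)",
 "passwordCredentials": [
  {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "oneconnect-2023",
   "startDateTime": "2023-01-10T00:00:00Z", "endDateTime": "2025-01-09T00:00:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "oneconnect-2024",
   "startDateTime": "2024-12-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00.0000000Z"},
  {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": "oneconnect-long",
   "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"}]}
""")

MAX_LIFETIME = timedelta(days=731)  # 24 months, allowing for one leap day


def parse_ts(ts):
    """Parse a UTC timestamp such as 2025-03-01T00:00:00Z, ignoring any fraction."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_secrets(app, now, warn_days=30):
    """Return (name, status, days_left) for every client secret on the app."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"  # rotate and update the Client Secret field now
        elif end - start > MAX_LIFETIME:
            status = "lifetime-over-24-months"
        else:
            status = "ok"
        findings.append((cred["displayName"], status, (end - now).days))
    return findings


def needs_rotation(findings):
    """True when no secret is in the 'ok' state, i.e. the integration is at risk."""
    return not any(status == "ok" for _, status, _ in findings)


if __name__ == "__main__":
    for row in audit_secrets(SAMPLE_APP, datetime.now(timezone.utc)):
        print(row)
```

Run it against an export of your own app registration on a schedule so a replacement secret can be created and entered in OneConnect before the current one lapses.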
Add Service Principal to Dataverse
- Navigate to Power Platform Admin Center.
- Go to Manage > Environments, select the desired environment, and then click Settings.
- Expand Users + Permissions > Application Users.
- Click + New App User and complete the form:
  - App: Select the Service Principal created earlier.
  - Business Unit: Enter the appropriate value here for your business unit.
  - Security Role: Assign the following roles:
    - Project Common
    - Project System
    - Project User
- Click Create.
The new Service Principal will appear on the list with a # before its name.