Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Power Platform managed identity allows Dataverse plug-ins or plug-in packages to connect with Azure resources to support managed identity without the need for credentials. This article helps you set up managed identity in your Power Platform environments.
Prerequisites
- An Azure subscription with access to provision user-assigned managed identity (UAMI) or application registration.
- Tools for plug-ins or plug-in packages:
- Integrated Development Environment (IDE), like Visual Studio, to build plug-in
- Plug-in registration tool
- SignTool.exe (Sign Tool) to sign the plug-in assembly
- Power Platform CLI
- A valid certificate to sign the plug-in assembly.
Set up managed identity
To configure Power Platform managed identity for Dataverse plug-ins or plug-in packages, complete the following steps.
- Create a new app registration or user-assigned managed identity.
- Configure federated identity credentials.
- Create and register Dataverse plug-ins or plug-in packages.
Be sure to build the plug-in assembly and register the plug-in or plug-in package. - Create a managed identity record in Dataverse.
- Grant access to the Azure resources to the application or user-assigned managed identity (UAMI).
- Validate the plug-in integration.
Create a new app registration or user-assigned managed identity
You can create either user-assigned managed identity or an application in Microsoft Entra ID based on the following scenarios.
- If you want an app identity associated with the plug-in that connects to Azure resources, such as Azure Key Vault, use application registration. With app identity, you can apply Azure policies on the plug-in accessing Azure resources.
- If you want a service principal to access Azure resources, such as Azure Key Vault, you can provision user-assigned managed identity.
Note
Be sure to capture the following IDs, as you use them in later steps.
- Application (client) ID
- Tenant ID
Configure federated identity credentials
To configure managed identity, open the user-assigned managed identity or Microsoft Entra ID application in the Azure portal that you created in the previous section.
- Go to the Azure portal.
- Navigate to Microsoft Entra ID.
- Select App registrations.
- Open the app you created in Set up managed identity.
- Navigate to Certificates & secrets.
- Select the Federated credentials tab and select Add credential.
- Select issuer as Other issuer.
- Enter the following information:
Issuer
Use the tenant's v2.0 issuer:
https://login.microsoftonline.com/{tenantID}/v2.0
Example
https://login.microsoftonline.com/5f8a1a9f-2e1a-415f-b10c-84c3736a21b9/v2.0
Type
Choose Explicit subject identifier.
Subject identifier
Choose the format that matches your certificate type:
Self-signed certificate (development only):
/eid1/c/pub/t/{encodedTenantId}/a/qzXoWDkuqUa3l6zM5mM0Rw/n/plugin/e/{environmentId}/h/{hash}Trusted issuer certificate (recommended for production):
/eid1/c/pub/t/{encodedTenantId}/a/qzXoWDkuqUa3l6zM5mM0Rw/n/plugin/e/{environmentId}/i/{issuer}/s/{certificateSubject}
Segment reference
| Segment | Description |
|---|---|
| eid1 | Identity format version |
| c/pub | Cloud code for public cloud, Government Community Cloud (GCC), and first release station in GCC. |
| t/{encodedTenantId} | Tenant ID |
| a/qzXoWDkuqUa3l6zM5mM0Rw/ | Internal use only. Don't modify. |
| n/plugin | Plug-in component |
| e/{environmentId} | Environment ID |
| h/{hash} | SHA‑256 of certificate (self-signed only) |
| i/{issuer} s/{certificateSubject} |
Trusted-issuer details |
Generate self-signed certificate
Every plug-in must have a verifiable identity, and the signing certificate acts as the plug-in’s unique fingerprint. The following code is a sample PowerShell snippet you can use to generate a self-signed certificate for development or testing scenarios. For reference, you can follow from example 3.
$params = @{
Type = 'Custom'
Subject = 'E=admin@contoso.com,CN=Contoso'
TextExtension = @(
'2.5.29.37={text}1.3.6.1.5.5.7.3.4',
'2.5.29.17={text}email=admin@contoso.com' )
KeyAlgorithm = 'RSA'
KeyLength = 2048
SmimeCapabilities = $true
CertStoreLocation = 'Cert:\CurrentUser\My'
}
New-SelfSignedCertificate @params
Note
Encoding for {encodedTenantId}
- Convert GUID → Hex.
- Convert Hex → Base64URL (not standard Base64).
Self-signed hash
- Compute SHA-256 over the .cer. If you have a .pfx, export a .cer first:
CertUtil -hashfile <CertificateFilePath> SHA256 $cert = Get-PfxCertificate -FilePath "path o\your.pfx" $cert.RawData | Set-Content -Encoding Byte -Path "extracted.cer"
Specialized Azure cloud environments
Set Audience, Issuer URL, and Subject prefix explicitly when deploying outside public cloud, GCC, and first release station in GCC:
| Cloud | Audience | Issuer URL | Subject prefix |
|---|---|---|---|
| GCC High & DoD | api://AzureADTokenExchangeUSGov |
https://login.microsoftonline.us |
/eid1/c/usg |
| Mooncake (China) | api://AzureADTokenExchangeChina |
https://login.partner.microsoftonline.cn |
/eid1/c/chn |
| US National (USNAT) | api://AzureADTokenExchangeUSNat |
https://login.microsoftonline.eaglex.ic.gov |
/eid1/c/uss |
| US Secure (USSec) | api://AzureADTokenExchangeUSSec |
https://login.microsoftonline.scloud |
/eid1/c/usn |
Note
The Audience value is case-sensitive and must match exactly.
For public cloud, GCC, and first release station in GCC (and other non‑listed clouds), defaults are:
Audience api://AzureADTokenExchange, Issuer https://login.microsoftonline.com, Subject prefix /eid1/c/pub.
Create and register Dataverse plug-ins or plug-in packages
Build plug-in assembly
Create a plug-in using Visual Studio. While building the plug-in, use the tenant ID from Create a new app registration or user-assigned managed identity and scopes as organization URL like
https://{OrgName}.crm*.dynamics.com/.defaultor even more granular scopes.Use IManagedIdentityService and acquire a token method to request a token with given scope.
Method signature:
string AcquireToken(IEnumerable<string> scopes);
Packaging and signing
Signing a plug-in package
If you're building a plug-in package, use the NuGet Sign CLI to generate a package from either a .nuspec or a .csproj file. After generating the package, sign it with your certificate.
nuget sign YourPlugin.nupkg `
-CertificatePath MyCert.pfx `
-CertificatePassword "MyPassword" `
-Timestamper http://timestamp.digicert.com
Signing a plug-in assembly
If you're registering a plug-in (assembly), sign the DLL with a certificate by using SignTool.exe (Sign Tool).
signtool sign /f MyCert.pfx /p MyPassword /t http://timestamp.digicert.com /fd SHA256 MyAssembly.dll
You can optionally add timestamping by providing the URL of an RFC 3161‑compliant timestamp server.
Note
Use a self‑signed certificate only for development or testing purposes. Don't use self‑signed certificates in production environments.
Register the plug-in
Install the plug-in registration tool if you don't already have it on your machine. For more information, see Dataverse development tools.
Register the plug-in. For more information, see Register plug-in.
Create managed identity record in Dataverse
To provision a managed identity record in Dataverse, complete the following steps.
Create a managed identity by sending an HTTP POST request with a REST client (such as Insomnia). Use a URL and request body in the following format.
POST https://<<orgURL>>/api/data/v9.0/managedidentitiesBe sure to replace orgURL with the URL of the organization.
Ensure that credentialsource is set to 2 in the payload, subjectscope is set to 1 for environment-specific scenarios, and version is set to 1 in the payload.
Sample payload
{ "applicationid": "<<appId>>", //Application Id, or ClientId, or User Managed Identity "managedidentityid": "<<anyGuid>>", "credentialsource": 2, // Managed client "subjectscope": 1, //Environment Scope "tenantid": "<<tenantId>>", //Entra Tenant Id "version": 1 }Update your plug‑in package or plug‑in assembly record by issuing an HTTP PATCH request to associate it with the managed identity created in step 1.
Plug-in assembly
PATCH https://<<orgURL>>/api/data/v9.0/pluginassemblies(<<PluginAssemblyId>>)Plug-in package
PATCH https://<<orgURL>>/api/data/v9.0/pluginpackages(<<PluginPackageId>>)Sample payload
{ "managedidentityid@odata.bind": "/managedidentities(<<ManagedIdentityGuid>>)" }Be sure to replace orgURL, PluginAssemblyId (or PluginPackageId), and ManagedIdentityGuid with your values.
Grant access to the Azure resources to application or user-assigned managed identity
If you need to give access to an application ID to access Azure resources, such as Azure Key Vault, grant access to the application or user-assigned managed identity to that resource.
Validate the plug-in integration
Verify that your plug-in can securely request access to Azure resources that support managed identity, eliminating the need for separate credentials.
Frequently asked questions (FAQs)
How do I resolve this error?
If you receive the following error:
Getting Error – A configuration issue is preventing authentication.
AADSTS700213: No matching federated identity record found
Complete the following steps to resolve the issue:
Ensure the FIC is correctly configured and saved.
Verify that the issuer/subject matches the format specified earlier.
You can also find the expected format in the error stack.
How do I resolve the "Unable to reach or connect to Power Platform" error?
Refer to Power Platform URLs and IP address ranges to ensure Power Platform endpoints are reachable and allowlisted.