What is an Application User in Power Platform?
An Application User is a non-interactive user in Microsoft Dataverse that allows external applications to authenticate and access data securely via Azure Active Directory (Azure AD).
It is a best practice to use Application Users for CI/CD, Power Platform CLI, Power Automate custom connectors, and custom applications that integrate with Power Platform environments.
Step-by-Step: Setting Up Application Users for Deployment
Step 1: Register an App in Azure Active Directory
- Go to Azure Portal – https://portal.azure.com
- Navigate to Azure Active Directory > App registrations.
- Click “+ New registration”
- Enter:
  - Name: PowerPlatformDeploymentApp
  - Supported account types: Choose Accounts in this organizational directory only.
  - Redirect URI: Leave blank or set later for specific use.
- Click Register.
Step 2: Capture Application (Client) ID and Directory (Tenant) ID
After registration, go to the application overview screen and copy:
- Application (client) ID
- Directory (tenant) ID
You’ll use these in the CLI and when creating the Application User in Dataverse.
Step 3: Create a Client Secret
- In your registered app, go to Certificates & secrets.
- Click New client secret.
- Add a description and choose expiration (6 months, 12 months, or 24 months).
- Click Add.
- Copy the secret value immediately and store it securely. It will be used as the password for your CLI login.
Step 4: Add API Permissions (Dataverse)
- Go to API permissions > + Add a permission
- Choose Dynamics CRM
- Click Delegated permissions
- Select user_impersonation
- Click Add permissions
- Click Grant admin consent for the tenant
This allows your app to access Dataverse data.
Step 5: Create the Application User in Dataverse
- Go to Power Platform Admin Center – https://admin.powerplatform.microsoft.com
- Select your environment
- Click Settings > Users + Permissions > Application Users
- Click + New app user
- In the pane:
  - Choose the Azure AD App (select the app you registered).
  - Assign a Security Role (use a custom role with minimal necessary privileges or use built-in roles like System Administrator, Environment Maker, etc. based on requirements).
- Click Create
It may take a few minutes for the application user to become active.
Step 6: Authenticate Using CLI with the Application User
Now that your Application User is set up, use the credentials with Power Platform CLI.
```powershell
pac auth create --url https://yourorg.crm.dynamics.com `
  --applicationId <client-id> `
  --clientSecret <client-secret> `
  --tenant <tenant-id>
```
This will authenticate without prompting for username/password, making it suitable for deployment scripts or automation.
Step 7: Use in CI/CD Pipelines
Now that the CLI is authenticated via the Application User, you can automate the following within CI/CD tools like Azure DevOps, GitHub Actions, or PowerShell scripts:
- pac solution import
- pac solution export
- pac portal upload
- pac portal download
Example in a pipeline:
```yaml
steps:
  # pwsh is used because the backtick line continuations below are PowerShell syntax
  - pwsh: |
      pac auth create --url $(DataverseUrl) `
        --applicationId $(AppId) `
        --clientSecret $(AppSecret) `
        --tenant $(TenantId)
      pac solution import --path "solution.zip"
```
Best Practices
- Never use personal accounts for automation.
- Use minimal privilege roles for Application Users. Grant only what’s necessary.
- Rotate secrets regularly and use Azure Key Vault for secure storage.
- Monitor usage and logs in Azure and Power Platform Admin Center.
- Maintain separate Application Users for Dev, Test, and Prod.
Troubleshooting Tips
Issue | Possible Cause | Resolution |
---|---|---|
App user doesn’t appear | Delay in sync between Azure AD and Power Platform | Wait 10–15 minutes, refresh |
CLI login fails | Incorrect client secret or permissions | Recreate secret, verify roles |
Permission denied | Role doesn’t have access to object | Assign appropriate security role |
user_impersonation missing | API permissions not set | Add it in Azure portal under API permissions |
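
The "CLI login fails" and "Permission denied" rows can be told apart without the pac CLI. The PowerShell below is an added example, not from the original page: it requests a client-credentials token, calls the Dataverse WhoAmI function, and lists the security roles on the Application User. The PP_* environment variable names are assumptions, and the secret is read from the environment rather than passed on the command line.

```powershell
# Added example, not from the original page. Variable names below are assumptions:
#   PP_TENANT_ID, PP_CLIENT_ID, PP_CLIENT_SECRET, PP_ENV_URL (e.g. https://yourorg.crm.dynamics.com)
$ErrorActionPreference = 'Stop'
foreach ($name in 'PP_TENANT_ID', 'PP_CLIENT_ID', 'PP_CLIENT_SECRET', 'PP_ENV_URL') {
    if (-not [Environment]::GetEnvironmentVariable($name)) { throw "Missing environment variable $name" }
}
$envUrl = $env:PP_ENV_URL.TrimEnd('/')

# 1. Client-credentials token request. A failure here points at the client ID,
#    tenant ID or secret (wrong value or expired), not at Dataverse roles.
try {
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$($env:PP_TENANT_ID)/oauth2/v2.0/token" `
        -Body @{
            grant_type    = 'client_credentials'
            client_id     = $env:PP_CLIENT_ID
            client_secret = $env:PP_CLIENT_SECRET
            scope         = "$envUrl/.default"
        }
} catch {
    throw "Token request failed: $($_.Exception.Message)"
}
$headers = @{ Authorization = "Bearer $($token.access_token)"; Accept = 'application/json' }

# 2. WhoAmI succeeds only if the app is an Application User in this environment.
try {
    $who = Invoke-RestMethod -Uri "$envUrl/api/data/v9.2/WhoAmI" -Headers $headers
} catch {
    throw "Token was issued but Dataverse rejected it: $($_.Exception.Message)"
}

# 3. List the security roles on that user so over-broad grants are visible.
$rolesUri = "$envUrl/api/data/v9.2/systemusers($($who.UserId))/systemuserroles_association" + '?$select=name'
$roles = (Invoke-RestMethod -Uri $rolesUri -Headers $headers).value.name
"Application User $($who.UserId) holds roles: $($roles -join ', ')"
if ($roles -contains 'System Administrator') {
    Write-Warning 'System Administrator is assigned; consider a custom least-privilege role.'
}
```

A failure at step 1 means the credentials themselves are wrong or expired; a failure at step 2 or 3 means the token is valid but the Application User or its role assignment in the environment needs attention.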