Unable to backup environment using applicationId
It is really confusing to run pac CLI using applicationId to perform the backup task, unless I am not using the command correctly.
I created a new app registration and granted these API permissions:
- Dynamics CRM - user_impersonation (Delegated)
- Microsoft Graph - User.Read (Delegated)
- Common Data Service - user_impersonation (Delegated)
- PowerApps-Advisor - Analysis.All (Delegated)
The applicationId was then added to my environment and the SA role was assigned.
I created a new authentication profile using this command:
pac auth create -n 'backup-tst-sp' -u 'environment-url-value' -id 'application-id-value' -cs 'secrets-value' -t 'tenant-value' -ci 'UsGov' -k 'ADMIN'
This is the first part of the confusion. If we run 'pac auth create help', it mentions the '-k (kind)' attribute is deprecated; however, we need to have an ADMIN profile or Universal profile to run the 'pac backup' command, and there is no alternative when you use applicationId to create an ADMIN profile and run the backup command.
- Once the profile is created, I ran this command to back up the environment without the label argument:
pac admin backup -env 'environment-url-value'
This is the second part of the confusion. This command throws an error message saying 'A required argument --label is missing', with the usage information showing the '--label' argument is deprecated.
- If you run the command to back up the environment with the label argument, it errors out and also shows a warning for using the '--label' argument:
pac admin backup -env 'environment-url-value' --label 'test'
Error message:
Backing up your environment with label : test
Microsoft PowerPlatform CLI
Version: 1.17.4+g2bdb4f2
Error: The service principal with id '00bd17c1-16dd-4706-83d9-434c38ee5eb3' for application 'application-id-value' does not have permission to access the path 'https://10.0.1.24:20340/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?`$expand=permissions&api-version=2020-08-01' in tenant 'tenant-id-value'.
Warning: Argument --label is deprecated and will be ignored.
Usage: pac admin backup [--environment] [--url] --label [--environment-id] [--notes]
--environment Environment URL or ID of the Environment that requires backup. (alias: -env)
--url (deprecated) Url of the environment that requires backup. (alias: -u)
--label (deprecated) Sets the backup label as provided. (alias: -l)
--environment-id (deprecated) Id of the environment that requires backup. (alias: -id)
--notes (deprecated) **ignored**: Additional notes for this backup. (alias: -n)
This is the same error message I get when I try to run the backup task through the Azure DevOps pipeline with Service Principal authentication.
Thanks, Sanjeev
@sanjeev40084 there are multiple questions to address here:
- pac auth create --kind: the new UNIVERSAL is the implied default that can now handle both ADMIN and DATAVERSE scenarios, assuming the user has the necessary privileges in Dataverse/PowerPlatform. We did deprecate the --kind, but pac CLI will continue to accept e.g. --kind ADMIN. Deprecation means we want to encourage users to switch to the simpler model of a single kind (UNIVERSAL). We have no intention to remove that parameter, as that would be a breaking change NOT compatible with pac CLI v 1.x (and we have no plan or need yet to do a v2 of pac CLI).
- Unless you want to validate your appId/secret for later use in your AzDevOps tasks or GH Actions, using appIDs for authN via CLI is way more cumbersome than direct interactive login with username/password (the underlying MSAL lib does any ConditionalAccess like MFA as part of the OAuth flow). I see that you're using the CLI to debug your access issues in the pipeline.
- pac backup --label required: that is indeed a bug and oversight. The EnvManagement API no longer accepts a label, so we no longer send it to the API endpoint. Since the current release of pac CLI does insist on having a --label, please do set one. It will NOT be sent to the API, i.e. it is indeed ignored. Tracking on our end with AB#2873256.
- Note that the error message you get is NOT related to the --label, but actually is a permission issue that is returned from the EnvMgmt endpoint, as witnessed by this error message:
  The service principal with id '00bd17c1-16dd-4706-83d9-434c38ee5eb3' for application 'application-id-value' does not have permission to access
  Was the appID a) created in the Azure AD instance related to your sovereign cloud (USGov) and b) is the appID registered with the Power Platform tenants as ApplicationUser? To further investigate this permission issue with the EnvMgmt team, please file a support ticket via MSFT CSS.
I assume the creation of the appID in Azure AD and AppUser in the PP tenant was done similar to what is documented: https://docs.microsoft.com/en-us/power-platform/admin/manage-application-users#create-an-application-user
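As an added example (not from this issue thread or from pac CLI itself), a small Python triage helper for pipeline logs that follows the point made in the reply above: 'Warning:' lines such as the --label deprecation are informational, and the pass/fail decision is keyed off the 'Error:' line, from which the service principal, application and tenant ids are extracted so the pipeline can report which identity lacked access. The sample output is constructed from the text of this issue, with the GUIDs and URL replaced by placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the 'pac admin backup' output quoted in the issue, with
# the real ids and host replaced by placeholders.
SAMPLE_OUTPUT = """Backing up your environment with label : test
Microsoft PowerPlatform CLI
Version: 1.17.4+g2bdb4f2
Error: The service principal with id 'sp-object-id-value' for application 'application-id-value' does not have permission to access the path 'https://example.invalid/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?$expand=permissions&api-version=2020-08-01' in tenant 'tenant-id-value'.
Warning: Argument --label is deprecated and will be ignored.
Usage: pac admin backup [--environment] [--url] --label [--environment-id] [--notes]
"""

@dataclass
class PacResult:
    ok: bool
    reason: str                       # "ok", "permission_denied" or "unknown_error"
    warnings: List[str] = field(default_factory=list)
    service_principal_id: Optional[str] = None
    application_id: Optional[str] = None
    tenant_id: Optional[str] = None

# Matches the EnvMgmt permission error shape shown in the issue.
_PERM_RE = re.compile(
    r"service principal with id '(?P<sp>[^']+)' for application '(?P<app>[^']+)' "
    r"does not have permission to access .* in tenant '(?P<tenant>[^']+)'"
)

def triage_pac_output(output: str) -> PacResult:
    """Classify pac CLI output: deprecation warnings are collected but never
    fail the run; only an 'Error:' line marks the backup as failed."""
    lines = output.splitlines()
    warnings = [l[len("Warning: "):] for l in lines if l.startswith("Warning: ")]
    errors = [l[len("Error: "):] for l in lines if l.startswith("Error: ")]
    if not errors:
        return PacResult(True, "ok", warnings)
    m = _PERM_RE.search(errors[0])
    if m:
        return PacResult(False, "permission_denied", warnings,
                         m.group("sp"), m.group("app"), m.group("tenant"))
    return PacResult(False, "unknown_error", warnings)

if __name__ == "__main__":
    r = triage_pac_output(SAMPLE_OUTPUT)
    print(r.reason, r.service_principal_id, r.application_id, r.tenant_id)
    print("warnings:", r.warnings)
```

Feeding the captured stdout of the backup step into triage_pac_output lets an Azure DevOps task fail with the identity and tenant named, instead of the --label warning being mistaken for the cause.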
The pac admin backup --label parameter has been properly marked as deprecated (still accepted, but ignored), see item 3 in my above post. Closing this issue for now.