Automatically Adding an App User to a Power Platform Environment
With the rise of Power Platform Managed Environments and Power Platform Pipelines, one task I kept forgetting was adding the service principal (S2S app) to newly created environments. This step is essential to ensure the app has System Administrator privileges and can perform delegated deployments across environments.

Our tenant uses Default Environment Routing to Developer Environments – a Microsoft feature designed to reduce clutter in the Default environment by assigning each user their own Developer environment when they first access Power Platform.
The challenge? New Developer environments can be created at any time. Manually adding the S2S app to each one just isn’t sustainable. Enter Power Automate.
Objective
Automatically detect new Developer environments created within the last 24 hours and add our service principal (Power Platform Pipelines Entra App) as an app user with System Administrator rights.
Step-by-Step Breakdown
Trigger
Use the Recurrence trigger to run the flow daily. This ensures that any newly created Developer environments from the last 24 hours are captured.

1. List Environments
Use the List Environments as Admin action to retrieve all environments in the tenant.

2. Filter for Developer Environments
Use a Filter array action to isolate environments with a Developer SKU.
From | outputs('List_Environments_as_Admin_-_Get_all_environments')?['body/value'] |
Value | item()?['properties/environmentSku'] is equal to Developer |

3. Filter for Recent Creations
Add a second Filter array to target only environments created in the past day. You can adjust the timeframe by modifying the addDays value. For example, if you want it from the last week, you can change the -1 in the addDays formula to -7.
From | body('Filter_array_-_Only_get_Developer_Environments') |
Value | item()?['properties/createdTime'] is greater than formatDateTime(addDays(utcNow(), -1), 'yyyy-MM-dd') |

4. Loop Through Filtered Environments
Use an Apply to each loop on the results from the previous filter to add the S2S app to each environment.
From | body('Filter_array_-_Get_environments_created_in_last_day') |

5. Add the App User via HTTP Request
Within the loop, use the Invoke an HTTP request (preauthorized) action to call the Microsoft BusinessAppPlatform (BAP) API. This action is extremely useful—it allows you to call Entra-protected APIs as a user with delegated rights, without needing to register a separate app or assign explicit API permissions.

This part took a bit of digging – buried in the Microsoft documentation is an endpoint that allows you to programmatically add an application user to an environment. Best of all, it assigns the System Administrator role by default, which is exactly what’s needed.
https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentIdGuid}/addAppUser?api-version=2020-10-01
When adding the Invoke an HTTP request (preauthorized) action, you’ll be prompted to provide a Base URL. Since we are calling the https://api.bap.microsoft.com/ API, that will be our Base URL.

After authenticating (using a user account with sufficient permissions—e.g., a Power Platform Admin), you can configure the request. The Environment ID can be found in the ID field of our filtered array. The servicePrincipalAppId is the GUID of your Power Platform Pipelines Entra App, which you would have configured when setting up Power Platform Pipelines.
🔐 Note: This preauthorized HTTP action only operates within the permissions of the signed-in user. It won’t grant access to anything beyond what that user is already allowed to do in the Power Platform admin center.
Method | POST |
Url of the request | items('Apply_to_each_-_Go_through_each_environment')?['id'] /addAppUser?api-version=2020-10-01 |
Body of the request | { |
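The two Filter array steps and the request URL from step 5, as an added Python sketch that is not part of the original flow. The environment records, GUIDs and run time are constructed sample data and the function names are hypothetical. The createdTime check is modeled as the text comparison the expression performs, which shows the date-only cutoff reaching back to midnight UTC of the previous day rather than exactly 24 hours, so consecutive daily runs overlap.

```python
from datetime import datetime, timedelta, timezone

BASE_URL = "https://api.bap.microsoft.com"
ENV_PREFIX = "/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/"

def _env(guid, sku, created):
    """Build one constructed record with only the fields the flow reads."""
    return {"id": ENV_PREFIX + guid,
            "properties": {"environmentSku": sku, "createdTime": created}}

# Constructed sample data (made-up GUIDs), standing in for body/value.
SAMPLE_ENVS = [
    _env("00000000-0000-0000-0000-00000000000a", "Developer", "2024-05-02T07:15:00.000Z"),
    _env("00000000-0000-0000-0000-00000000000b", "Developer", "2024-05-01T02:00:00.000Z"),
    _env("00000000-0000-0000-0000-00000000000c", "Developer", "2024-04-30T23:59:59.000Z"),
    _env("00000000-0000-0000-0000-00000000000d", "Production", "2024-05-02T08:00:00.000Z"),
]

def cutoff(now, days=1):
    """Mirror formatDateTime(addDays(utcNow(), -days), 'yyyy-MM-dd')."""
    return (now - timedelta(days=days)).strftime("%Y-%m-%d")

def new_developer_envs(envs, now, days=1):
    """Apply both filters: Developer SKU, then createdTime > cutoff as text."""
    limit = cutoff(now, days)
    return [e for e in envs
            if e["properties"].get("environmentSku") == "Developer"
            and e["properties"].get("createdTime", "") > limit]

def add_app_user_url(env):
    """Base URL + environment id + the addAppUser path used in step 5."""
    return f"{BASE_URL}{env['id']}/addAppUser?api-version=2020-10-01"

def hours_old(env, now):
    """Age of an environment in hours at the time the flow runs."""
    created = datetime.strptime(env["properties"]["createdTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return (now - created.replace(tzinfo=timezone.utc)).total_seconds() / 3600

if __name__ == "__main__":
    run_time = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)  # constructed run time
    for env in new_developer_envs(SAMPLE_ENVS, run_time):
        # The second record is 31 hours old yet still matches, because the
        # cutoff string "2024-05-01" sorts before any timestamp on that date.
        print(f"{hours_old(env, run_time):5.1f}h  POST {add_app_user_url(env)}")
```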

And That’s It!
With this setup, your flow will now run daily and automatically add the Power Platform Pipelines Entra app as a System Administrator to any new Developer environment. You’ll still need to handle additional configuration in the Power Platform Pipelines Host, but at least one repetitive step is now fully automated.