Service Principal cannot create Developer environment

[irminagorecka]

As a Power Platform Administrator I have successfully registered an App Registration [New-PowerAppManagementApp]. I use App registration Service Connection in Azure DevOps to create Developer environment via Pipeline. Although an error "You are not licensed for the creation of developer environments." appears. There is no problem with creating for example Sandbox environment, but the Developer one fails. Do you have any ideas how to solve it?

[ramontebar]

Hi @irminagorecka, I'm getting the same error and I have been able to reproduce it using PAC CLI directly like this:

 pac admin create `
--name "rtb-240723-dev" `
--type 'Developer' `
--domain 'rtb-240723-dev' `
--currency 'USD' `
--language 'English' `
--region 'unitedstates' `
--async false `
--user 'd51871fa-f21d-4d81-[sample]-ae44f8c0abf3'

The interesting part is that the error does NOT always happens. If I change the --user, it works for some users. I have raised a ticket with Microsoft support (#2407230040002910) to carry on the investigation.

[petrochuk]

This might help to explain licensing: Which kind of license do I need to get Developer Environment?

[ramontebar]

Hi @petrochuk, if that was the cause, it would always fail. However, it works sometimes. When a Developer environment is created, the license 'Microsoft Power Apps for Developer' is assigned. I've tried assigning this license in advance to the user that I'm creating the environment on behalf of (based on parameter --user). However, it doesn't always work inmediately and it seems to take around 1-30 hours to work, which is not useful and very unpredictable.

When you create a Developer environment in the Power Platform Admin Center on behalf of other user, this error doesn't happen and the license 'Microsoft Power Apps for Developer' is assigned 'on the fly' automatically without issues. I would expect a similar experience when running pac admin create

[Zerajima]

I have encountered a similar issue, however, when I authenticate with application id/secret and attempt to create a new developer environment using a --user parameter, I get the "Insufficient privileges to complete the operation." error. I get this error on several other commands as well: ("pac admin assign-user", "pac admin list-service-principal"). Are these limitations expected for service principals? Is this documented anywhere?

I only get the "You are not licensed for the creation of developer environments." when I attempt to create an environment without --user parameter, which is understandable, since service principal can not receive the developer licence.

[nghiemdoan-msft]

@ramontebar @Zerajima have you found a workaround for this? How did you end up automate the process of creating developer environment for other users?

I am global admin on a tenant, and I already gave all the users 'Microsoft Power Apps for Developer' 24 hours ago. I saw the same behavior the create a developer environment in Power Platform Admin Center on behalf of other works without any issue. When I built and ran PowerShell Script with PAC CLI after 24 hours or assigned license, I still got error "You are not licensed for the creation of developer environments."

I also verified that I have both Internal and Viral when running Get-AllowedConsentPlans. Which kind of license do I need to get Developer Environment?

[Zerajima]

No, I haven't found any workaround. As far as I can tell, it is not possible to use service principal to automate the creation of new environments.

It would be great if we could get some guidance from the build tools development team on this issue. I have attempted to set up a following pipeline:

1. Create new developer or sandbox environment
2. Configure several settings (languages, max upload size, etc.)
3. Assign team members to that environment
4. Import all solutions
5. Run automated tests
6. If all tests pass, delete the environment, otherwise leave it, so one of the team members can review the issue.

If I attempt to create a developer environment, the pipeline fails on the first step. If I create a sandbox environment, it fails on the third step, with the same error.

This is actually a major problem for us. We want to automate testing of our project, and we want to execute tests on a clean environment. But if we can't create a new environment for each execution, we will have to use a permanent environment and write a script, that will delete all data created by tests. This substantially complicates our entire setup.

[ramontebar]

Hi @nghiemdoan-msft,

I'm still investigating the issue with Microsoft support (#2407230040002910). It is still inconsistent.

Hi @Zerajima, it is definitelly possible to create environments programatically using a service principal. Have you used the command New-PowerAppManagementApp to register your management application?

[Zerajima]

Hi @ramontebar,

I was not aware of this API earlier. We have attempted to do it today, but we are still getting the same error. I have not invoked it through PowerShell though, because it seems it is also implemented in pac tool: https://github.com/microsoft/powerplatform-build-tools/discussions/479.

Here are all operations we have done with this service account:

1. Created it with pac admin create-service-principal
2. Added it to several environments, with administrator role, so we can use it in pipelines, to deploy solutions
3. Tried to create developer environment with --user parameter, which failed with "Insufficient privileges to complete the operation."
4. Tried to assign users to sandbox environment, which also failed with same error
5. Invoked pac admin application register command for this service principal, it is now visible in pac admin application list output
6. Tried to create developer environment with --user parameter again, but we are still getting "Insufficient privileges to complete the operation."

Here is a sample output of pac (with redacted identifiers).

C:\Users\username>pac admin application list
Connected as {ServicePrincipalId}
Listing Entra ID applications registered under your tenant...
{ServicePrincipalId}

C:\Users\username>pac admin create --name DeleteMe --type developer --user {username@domain.com}
Connected as {ServicePrincipalId}
Microsoft PowerPlatform CLI
Version: 1.34.4+gbc3320d
Online documentation: https://aka.ms/PowerPlatformCLI
Feedback, Suggestions, Issues: https://github.com/microsoft/powerplatform-build-tools/discussions

Error: Insufficient privileges to complete the operation.

[ramontebar]

Hi @Zerajima, could you try to run the command New-PowerAppManagementApp as a Power Platform and Dynamics 365 service administrator? If it still didn't work after this, I would raise it with Microsoft support.

[Zerajima]

We have executed the powershell command, but we are still getting the same Insufficient privileges error. I will try contacting support.

[stas-sultanov]

@Zerajima, I face Error: Insufficient privileges to complete the operation.

If the ServicePrincipal does not have Power Platform Administrator role assignment within the Entra tenant.

Maybe this is your case.

Adding Power Platform Administrator role assignment solves the issue.

[Zerajima]

Sorry for late response, I was waiting for MS support, to confirm it. Assigning Power Platform Administrator role does solve my issue and support confirmed there is no other way to do it. I'm guessing this is required for any PAC command, that requires access to resources outside of Power Platform, like information about users and their licenses, if you execute it with a service principal account.

[ramontebar]

Hi @nghiemdoan-msft,

I'm still investigating the issue with Microsoft support (#2407230040002910). It is still inconsistent.

Hi @Zerajima, it is definitelly possible to create environments programatically using a service principal. Have you used the command New-PowerAppManagementApp to register your management application?

An update from my side. Following the ticket #2407230040002910 with Microsoft support, their Microsoft DEV team has confirmed that there is delay happening in License assignment while using CLI command for Developer environments and it is not happening in Power Platform Admin Center (PPAC) when the user is trying to create a Developer environment. They have created a work item in their backlog to fix this issue, but right now they don't have an ETA.