Connecting to Microsoft Dataverse

To complete the steps in this guide you must be able to log into both Entra ID and PowerApps as an administrator.

Entra ID

1. Log into the Microsoft Azure Portal as an administrator.
2. Open Microsoft Entra ID. If you have multiple tenants, switch to the appropriate tenant.
3. Click App Registrations and select New Registration.
4. Give the app registration a meaningful name, for example “CMA Dataverse”.
5. For account type select “Accounts in this organizational directory only (kolibrisoft.com only - Single tenant)”.
6. For redirect URI, select “Web” and enter a placeholder value “http://localhost” (excluding speech marks).
7. Under “Implicit grant” check the box for “Access tokens (used for implicit flows)”.
8. Click Register.
9. From the next screen copy the values for “Directory (tenant) ID” and “Application (client) ID”, you will need them later. On the same screen, next to “Client credentials”, click “Add a certificate or secret”.
10. In the next screen under “Client Secrets” click “New Client Secret”. Give the secret a meaningful name e.g. “CMA Dataverse Secret”. Select a period or date range under “Expires”. It’s up to you and your IT policy what to set, but bear in mind you must remember to generate a new secret prior to expiry. Failure to do so will prevent Canvas connecting to your Dataverse.
11. Click to create the secret and in the next screen copy the “Value”. You will need this later.
12. While still in the app registration you created, from the menu on the left select “API Permissions.”
13. Click “Add a permission”. Under “APIs my organization uses” search for “Dataverse” and select it. Ensure “Delegated Permissions” is selected and under “permissions” at the bottom check the box for “user_impersonation”. Click “Add Permissions”.
14. Back in the permissions screen click the button for “Grant admin consent for {your tenant}” and confirm they are granted.

PowerApps

1. Log into PowerApps as an admin user.
2. Click the settings icon on the top right of the main toolbar, next to your user icon. Select “Admin Center”.
3. Click on “Environments” and from the list, select the environment you wish to connect to.
4. From the next screen, copy the value for “Environment URL”, you will need this later. Under the “Access” section to the right, click “see all” under “Business Units”. Under “Active Business Units”, note the names of the units you wish to make available. You will need these in step 10 below.
5. Return to the “Environment” screen where you copied the URL, click the “Settings” button next to the “Backup + Restore” button.
6. In the settings menu click on “Users + Permissions”.
7. Click “Application Users”.
8. Click “New app user”.
9. In the pop-up screen, click “Add an app”. A list of your Entra ID app registrations should appear. Select the app registration you created in the first part of this guide.
10. Under “Business units” start type the first letters of the business units you wish to give access to, as noted in step 4. As you type the unit should appear and become selectable. Add all required units.
11. In the same screen click the pencil icon next to “Security Roles”. Add the roles “Service Reader”, “Service Writer” and “Service Deleter” roles. This will allow the app user to read, write and delete from all tables. Click “Save”.
12. Finally, click “Create” to create the app user.

Canvas

Return to Canvas. Go to “Applications” -> “Add new application”. Select “Microsoft Dataverse” from the list and click “Add”. In the text boxes below add the following:

• Client ID from “Entra ID guide - step 9”.

• Secret value from “Entra ID guide – step 11”.

• Tenant ID from “Entra ID guide - step 9”.

• Environment URL from “PowerApps guide – step 4”

Click “Save and Authenticate”. Your Dataverse app should then successfully be added to your list of registered applications.

This guide assumes that you wish to read, write or delete from all tables. If you wish to restrict access further, you can choose other roles or create your own custom role and assign it to the app user. Doing so is outside the scope of this guide.