Power Pages Fundamentals #5: How Power Pages Connects to Dataverse : Quick Read Series

On By venkatasubbaraopolisettyIn Power Pages, Power Platform

Microsoft Dataverse is a key component for any Power Pages website. It acts as both a metadata store for the website, storing all website configuration like webpages, content snippets, site settings, user metadata, and the data store for business data. This document describes how the application server hosting the website connects to a Power Platform environment with Dataverse.

Server to Server Connection

Power Pages connects to Dataverse utilizing a server to server (S2S) connection. This S2S connection is established utilizing a Microsoft Entra application that is created in the customer’s Microsoft Entra when a website is created.

Each website has its own application that follows the following naming convention (Portals – {{portalid}}). Different naming conventions have been used previously and may still be reflected in your Microsoft Entra. The ID of this application can also be found in the Set up workspace for that website and can be used to find this application in Microsoft Entra (in the application registration tab).

Note:

This application should not be modified or deleted as doing that may break the S2S connection between the website and Dataverse which can lead to website functionality being affected. This application is also used for the default Microsoft Entra Login provider on the website.

During the website creation process, an authentication key (X509 certificate) is also generated automatically and added to the Microsoft Entra application and application server. This key allows the application server to get the required access token to authenticate to Dataverse.

Note:

This authentication key has an expiry of two years and should be updated every two years to ensure that the website can connect to Dataverse. In order to update the key, refer to the following documentation: Manage website authentication key.

The following diagram describes how the end-to-end connection happens between the website and Dataverse.

Integration with Dataverse

In order to establish the S2S connection, the Microsoft Entra application created during site creation is also integrated with the Dataverse organization.

Depending on when the site was created, the connection is established using the Dataverse SYSTEM user or a Dataverse application user.

For more information on the SYSTEM user, see System and application users. All the records created, updated, and deleted by a website user appear as being done by the SYSTEM user in Dataverse.

Going forward, sites will be utilizing the Dataverse Application user to connect to Dataverse. You’ll be able to view the application user by going to the Power Platform admin center, selecting the environment, and in the Access section, selecting the S2S apps. The application user will be in the format # Portals-<<site name>>.

The application user would be created during creation of the website and will have the following permissions:

  • Dataverse security roles
    • Portal Application User
    • Service Deleter
    • Service Writer
  • Column Security profile
    • System Administrator

Warning:

Security roles and column security profiles should not be modified as that can lead to functional issues in your website.

Migration to application user

Migration from SYSTEM user to application user for existing websites is ongoing and will continue in 2023. Customers will be notified through the Microsoft 365 message center and emails to the system admin of an organization about the specific migration window for their existing website.

In order to prepare for this migration, customers should review their customizations and ensure that no dependency on SYSTEM user is taken.

While there are several types of these customizations that can exist, the following are most common:

  • Using the fetchxml Liquid tag in the website where a specific filter is added to filter records owned by SYSTEM user.
  • This type of fetchxml should be rewritten to remove the filter by the SYSTEM user and rather proper table permissions and webroles should be used to secure the records.
  • Dataverse processes such as Dataverse real-time workflows which are owned by the SYSTEM user. The workflows should be modified to be owned by the application user.

Summary :

  • End users of Power Pages websites are not Dataverse users. Their access is controlled through separate web roles.
  • Connection uses a server-to-server (S2S) approach with a dedicated Microsoft Entra application and authentication key.
  • Dataverse connection initially used the SYSTEM user, but is transitioning to application users. Existing sites will be migrated automatically.
  • Security roles and profiles for the application user are predefined and shouldn’t be modified.
  • Review and update any customizations that rely on the SYSTEM user before migration.

Overall, understanding this connection is crucial for managing and securing Power Pages websites that interact with Dataverse.

Discover more from Common Man Tips for Power Platform, Dynamics CRM,Azure

Subscribe to get the latest posts sent to your email.

Leave a comment