October 28th, 2024

Automate Power Platform Environment Creation & Solution Imports with GitHub Actions (Federated Auth Setup)

Anuj Goyal
Principal Software Engineer

Automate Power Platform Environment Creation & Solution Imports with GitHub Actions (Federated Auth Setup)

Automating your CI/CD pipeline for Power Platform solutions streamlines development and reduces manual tasks. Integrating GitHub Actions with federated authentication provides secure and scalable access for creating environments, importing solutions, and even cleaning up temporary environments. This post guides you through automating these tasks with a federated authentication setup.


Introduction

This guide details how to automate Power Platform environment creation and solution import using GitHub Actions with federated authentication. Federated authentication removes the need for direct application credentials by leveraging single sign-on (SSO) capabilities with identity providers. This approach ensures that deployments are secure, compliant, and less reliant on sensitive credentials.

Prerequisites

Ensure you have the following:

  • Power Platform Environment: Admin access is required to manage environments.
  • Federated Authentication Setup: Configure a federated identity provider, like Azure Active Directory (AAD), with necessary permissions to access Power Platform resources.
  • GitHub Repository: This is where workflows and solutions are stored.
  • Power Platform CLI: Install and make available the Power Platform CLI in your GitHub environment.

Setting Up Federated Authentication with GitHub Actions

Using federated authentication in GitHub Actions involves configuring an OpenID Connect (OIDC) trust relationship between GitHub and your identity provider (e.g., Azure AD). This setup ensures secure, token-based authentication without storing client secrets.

Configuring OIDC in Azure AD

  1. Create an App Registration in Azure AD:

    • Go to Azure AD > App Registrations > New Registration.
    • Set redirect URI to GitHub Actions: https://github.com/<organization>/<repository>.
  2. Enable Federated Credentials for the app registration:

    • Under Certificates & Secrets, select Federated Credentials > Add Credential.
    • Choose GitHub as the identity provider and set the repository access.
    • Define permissions to allow GitHub Actions access to Power Platform resources.
  3. Assign Required API Permissions:

    • Add necessary Power Platform permissions (e.g., Environment.Create, Solution.Import) to the app registration in Azure AD.

GitHub Secrets

To enable federated authentication, you will only need:

  • AZURE_CLIENT_ID: Client ID of your Azure AD app.
  • AZURE_TENANT_ID: Azure tenant ID.

No client secrets are needed because authentication is handled by OIDC and federated credentials.

GitHub Actions Workflow

The following GitHub Actions workflow automates environment creation and solution import with federated authentication:

name: Power Platform CI/CD with Federated Auth

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Set Environment Name
        run: echo "ENV_NAME=${{ github.ref_name }}-${{ github.run_id }}" >> $GITHUB_ENV

      - name: Authenticate with Azure via Federated Auth
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          federated-credentials: true

      - name: Create Power Platform Environment
        run: pac environment create --name $ENV_NAME --region unitedstates --type Production

      - name: Import Solution to Power Platform
        run: pac solution import --path ./solution.zip --environment $ENV_NAME

      - name: Cleanup Power Platform Environment on Failure
        if: failure()
        run: pac environment delete --name $ENV_NAME

Workflow Breakdown

  • Authenticate with Azure via Federated Auth: GitHub authenticates with Azure AD using federated OIDC credentials, making authentication secure and secret-free.
  • Create Power Platform Environment: A unique environment name is generated to avoid conflicts in parallel runs.
  • Import Solution: The solution in your repository is imported to the new environment.
  • Cleanup on Failure: Deletes the environment if import fails, ensuring a clean tenant.

Verifying the Workflow

To test:

  1. Commit and Push: Push the workflow file to your repository.
  2. Check GitHub Actions: Monitor the “Actions” tab for the workflow run.
  3. Verify in Power Platform Admin Center: Ensure an environment is created, and check for cleanup if there was an import failure.

Conclusion

Implementing federated authentication with GitHub Actions for Power Platform enhances security by avoiding client secrets and using OIDC. This setup automates CI/CD tasks efficiently and keeps your Power Platform tenant clean.


Additional Links

Author

Anuj Goyal
Principal Software Engineer

1 comment

  • James

    Thanks for the quick turnaround on the auth change – Secretless FTW!