Power Platform CLI – Simplifying authentication profiles

Marcel Ferreira

Good day developers!

Power Platform CLI is a one stop command line interface to interact with Power Platform – aka PAC CLI.

We have 3 different kinds of authentication profiles. In the version 1.16 of PAC CLI, we started to deprecate the parameter --kind and since then, UNIVERSAL is the default profile kind.

In this post, I will explain why we have different authentication profile kind, what is the intention of each type and what kind of profile you should use.

💡 What is an authentication profile?

Before you can create environments on Power Platform admin center, or create apps on Power Apps, you need to authenticate. PAC CLI is not different. By using 'pac auth' command you can store, update and delete authentication profiles in your computer.

If you don’t have an authentication profile, the first time you run any pac command that requires one, if you are using windows and logged using an AAD account associated to Power Platform, a new Universal authentication profile will be create for you.

If you are using it anywhere else, or if you want to use a different account, you can use 'pac auth create'. A browser will open, so you can select your account to login. If you are using GitHub Codespaces, you will get the equivalent of --deviceCode parameter. Yes, there are quite a few parameters you can use.

To see all parameter available, you can use pac auth create help

Image pac auth help
‘pac auth create’ parameters.

Let’s dig deeper on the --kind parameter, and why we are deprecating it.

💡 Why we have authentication profile kind?

The short answer is, for historical reasons.

With pac cli, you can run commands that will perform ‘ADMIN’ operations. List environments, create environments, list tenant settings. In this scenario, it is irrelevant what is my active environment (I might not have one). This is where an ‘ADMIN’ kind of profile is used.

Creation of an authentication profile of the kind "ADMIN"
Creating an “ADMIN” kind authentication profile.

There are some commands that will require an active environment. If I only have one ‘ADMIN’ profile and try to run the command 'pac org who', I will get the error bellow:

Error: No auth profiles were found on this computer. Please run 'pac auth create' to create one.
Error: No auth profiles were found on this computer. Please run ‘pac auth create’ to create one.

That’s where I would need to create an authentication profile with an active environment. This is the ‘DATAVERSE’ kind.

Dataverse authentication profile
Creating a “Dataverse” kind authentication profile

Now I have two profiles – one to perform admin operations, and another to perform actions in a specific Dataverse environment.

👩‍💻 The UNIVERSAL profile

To simplify, we created the UNIVERSAL profile. We can infer what kind of profile you need to use based on the context.

When you use 'pac auth create', the active environment will be your default environment. You can use the parameter --environment to specify the active environment.

To change the active environment of your current UNIVERSAL profile, use 'pac env select'.

Creating universal authentication profile and changing active environment.
Creating universal authentication profile and changing active environment.

In the current pac cli version, you still can use –kind parameter to create ADMIN and DATAVERSE profiles. The parameter –url still creates a Dataverse profile by default. This will change. Moving forward, we will ALWAYS use UNIVERSAL profiles. Other profiles will still work (we don’t want to break any current usage), but we will make it harder to create any other type than UNIVERSAL.

The guidance is: Always use UNIVERSAL profiles. There’s no reason to use any other kind. Another important consideration is, avoid using different kinds of authentication profile in the same environment.  If you mix different profile types, you can have 3 active profiles at the same time, like the example bellow.

Image pac mixed authentication profiles
Authentication profiles

In this scenario, you can have unexpected results because you have a DATAVERSE profile connected to the “Test” environment, and a UNIVERSAL profile connected to the “Personal Productivity” environment. It is hard to tell which profile a given command will use if you don’t explicitly specify an environment.

🔦 Summary

  • Always use UNIVERSAL kind for authentication profiles.
  • Avoid having different authentication kinds in the same environment.
  • Use ‘pac auth clear’ if you want to clear all authentication profiles from your computer.

1 comment

Comments are closed. Login to edit/delete your existing comments

  • Joseph MartinezMicrosoft employee 1

    This was a nice post to find and update my auth profiles to the expected UNIVERSAL profile, thank you!

Feedback usabilla icon