ozo

Reputation: 41

Execute Azure Data Factory from Power Automate with Service Principal

In a Power Automate Flow I've configured a Create Pipeline Run step using a Service Principal. The Service Principal is a Contributor on the ADF object. It works fine when an Admin runs the Flow, but when a non-Admin runs the Flow, it fails on the Create Pipeline Run step with the error:

The client '[email protected]' with object id '714b0320-ebaa-46a7-9896-4c146f64fad1' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelines/CreateRun/action' over scope '/subscriptions/4a1f6bbe-103b-4bc3-a38a-d0923a2bddff/resourcegroups/xx-xx-xxx/providers/Microsoft.DataFactory/factories/xx-xxx-xxxx/pipelines/pipelinename' or the scope is invalid.

The error message indicates the user ('[email protected]') is running the Flow, not the Service Principal. Any ideas how to resolve this?

Upvotes: 1

Views: 2751

Answers (3)

ozo

Reputation: 41

Thanks for getting back to me.

So I can't use an embedded Service Principal in this situation?

When the user logs in they get this prompt:

(screenshot: login prompt)

As a test I added the User as a Contributor to ADF and it works. Here is a screenshot of the ADF Activity Log:

(screenshot: ADF Activity Log)

It shows that when I run the Flow it uses the Service Principal, but when my test user runs the app it runs under their name.

I actually moved away from using user-based Service Accounts because the security experts recommend using Service Principals. But now I'm having to wind many of my changes back to Service Accounts.

Upvotes: 0

ozo

Reputation: 41

I reverted the connection back to a Service Account but I had the same issue. It's because Azure Data Factory doesn't support Implicit Connections (like SQL Server does). In the end I created a custom Azure Role which grants ADF Execute rights only, and granted this role to the users. I followed this guide: https://sqlkover.com/allow-a-user-to-only-trigger-pipelines-in-azure-data-factory/ Thank you to Koen Verbeeck for posting this, it saved me hours of time.

Upvotes: 0
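The custom role described in the answer above, written out as an Azure RBAC role definition; this is an added illustration, not the answer's or the linked guide's exact definition. The CreateRun action name is the one from the error message in the question; the two read actions, the role name and the placeholder subscription id are assumptions.

```json
{
  "Name": "Data Factory Pipeline Executor",
  "IsCustom": true,
  "Description": "Illustrative least-privilege role: can list pipelines and trigger runs, but cannot edit the factory (assumed definition, not from the original answer)",
  "Actions": [
    "Microsoft.DataFactory/factories/read",
    "Microsoft.DataFactory/factories/pipelines/read",
    "Microsoft.DataFactory/factories/pipelines/CreateRun/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```

Create it with `az role definition create --role-definition @role.json`, then assign it to each Flow user with `az role assignment create --assignee <user-upn> --role "Data Factory Pipeline Executor" --scope <data-factory-resource-id>`, scoping to the factory rather than the subscription so the users gain nothing beyond triggering runs there.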

Trent Tamura

Reputation: 1145

I have quite a bit of experience with Azure Logic Apps, which are essentially the Power Automate framework. When setting up the ADF connection initially it usually prompts you for credentials that it will use when initiating the API call to ADF. My suggestion would be to use a Service Account that is on your Azure AD tenant. See illustration below:

(screenshot: Credential Input)

I know when I tried Managed Identity over a year ago there were issues and roadblocks there. But using a Service Account worked well for us. When the API call goes to ADF to create a pipeline run, it will use whoever was authenticated in this initial API connection creation.

This documentation is helpful: ADF Connector

specifically this:

(screenshot: Connection Default)

Upvotes: 0
