
Backup fails when using AppId/ClientSecret against UsGov cloud instance #393

Closed
sanjeev40084 opened this issue Dec 21, 2022 · 1 comment

Comments

@sanjeev40084

The pac CLI backup command fails when an applicationId and clientSecret are used for authentication against a UsGov instance.

Steps to reproduce:

  1. Create a new app registration in Azure and generate a new client secret. Keep the applicationId, client-secret and tenant values handy.
  2. Go to API permissions and add the 'Dynamics CRM/user_impersonation' permission to the newly created application registration.
  3. Open the Power Platform instance which you want to back up from the pac CLI, add the newly created applicationId as an Application user and assign the 'System Administrator' security role.
  4. Run the pac CLI command to create an authentication profile using the applicationId created in Step 1:
    pac auth create -ci usgov -id '[application-Id-value]' -cs '[client-secret-value]' -t '[tenant-id-value]'
  5. Run the pac CLI command to back up the instance:
    pac admin backup -env 'https://[instance].crm9.dynamics.com' --label 'backup-test'
  6. This results in the following error message:
    Error: The service principal with id '[object-id-of-application-Id]' for application [application-id-value] does not have permission to access the path 'https://10.0.1.7:20036/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?`$expand=permissions&api-version=2020-08-01' in tenant [tenant-id-value].


sanjeev40084 (Author) commented Feb 23, 2023

I think I finally got this figured out, and it was mainly for 2 reasons: first, missing settings on the applicationId in the App Registration, and second, the applicationId not being registered using New-PowerAppManagementApp.

Here is how the app registration needs to be set up:

  • Register a new application in App registrations and note the application-Id-value and tenant-Id-value
  • In the 'Authentication' blade
    • Platform configurations > Mobile and desktop applications (you need to add this by clicking on the Add a platform button)
    • Add the 'urn:ietf:wg:oauth:2.0:oob' URI
    • Implicit grant and hybrid flows > ID tokens (used for implicit and hybrid flows) should be checked
    • Allow public client flows > set to 'Yes'
  • In Certificates & secrets, create a client secret; you will need this to create the auth profile
  • In API Permissions
    • Microsoft Graph > User.Read (Delegated)
    • PowerApps Runtime Service > user_impersonation (Delegated) [to add this, search for 'common data service' under 'Add a permission > APIs my organization uses']
    • PowerApps-Advisor > Analysis.All (Delegated) [search for this under 'APIs my organization uses' like the previous step]

Note: if you don't want to do this manually, you can run this PowerShell script from MSFT: https://pabuildtools.blob.core.windows.net/spn-docs-4133a3fe/New-CrmServicePrincipal.ps1, found here: https://learn.microsoft.com/en-us/power-platform/alm/devops-build-tools. The big catch with this script is that it doesn't ask for an application name, so it ends up with a super long application name, and it also gives you a client secret at the end which, when checked in Azure, the application didn't have, so I had to recreate that.

  • In your Power Platform environment, add 'application-id-value' as an application user and give it the 'system-administrator' role.
  • Register application-id-value by running these commands (you will need to install the AzureAD and Microsoft.PowerApps.Administration.PowerShell modules if you have not installed them previously, and you will need to use Windows PowerShell. Also make sure to run this as someone who has the Power Platform Administrator role):
    Add-PowerAppsAccount -Endpoint "usgov"
    New-PowerAppManagementApp -ApplicationId [application-id-value]
  • Set up the auth profile by running these commands:
    pac auth create -ci usgov -id '[application-Id-value]' -cs '[client-secret-value]' -t '[tenant-id-value]'
    pac admin backup -env 'https://[instance].crm9.dynamics.com' --label 'backup-test'
  • You should be able to back up now.
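As an added example (not the issue author's script, and not Microsoft's New-CrmServicePrincipal.ps1), the following PowerShell wraps the last three steps above into one idempotent run for a UsGov (crm9) environment: it validates the ids, checks whether the application is already registered as a Power Platform management app before calling New-PowerAppManagementApp, then recreates the pac auth profile and runs the backup, failing on any non-zero exit code. Assumptions: the Microsoft.PowerApps.Administration.PowerShell module and the pac CLI are installed and on the path; the client secret is read from an environment variable named PAC_CLIENT_SECRET (a constructed name) rather than typed on the command line; and the objects returned by Get-PowerAppManagementApps expose an `applicationId` property (if your module version names it differently, adjust the filter).

```powershell
# Added example: re-check and apply the registration/auth/backup steps for a UsGov environment.
# Assumes Microsoft.PowerApps.Administration.PowerShell and the pac CLI are installed.
param(
    [Parameter(Mandatory)] [string] $ApplicationId,   # client id of the app registration
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $EnvironmentUrl,  # e.g. https://[instance].crm9.dynamics.com
    [string] $Label = 'backup-test'
)

$ErrorActionPreference = 'Stop'

# 1. Reject malformed ids early. A mistyped id yields the same "does not have
#    permission" error as a missing management-app registration, which makes
#    the real cause hard to spot.
foreach ($pair in @(@('ApplicationId', $ApplicationId), @('TenantId', $TenantId))) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($pair[1], [ref] $parsed)) {
        throw "$($pair[0]) '$($pair[1])' is not a GUID."
    }
}

# PAC_CLIENT_SECRET is a constructed variable name; keeping the secret out of
# the typed command line keeps it out of shell history.
$secret = $env:PAC_CLIENT_SECRET
if ([string]::IsNullOrWhiteSpace($secret)) {
    throw 'Set PAC_CLIENT_SECRET before running this script.'
}

# 2. Sign in to the US Government endpoint as a Power Platform administrator
#    (interactive prompt), then ensure the app is registered as a management
#    app. Without that registration the admin API rejects the service principal,
#    which is the error in the original report.
Add-PowerAppsAccount -Endpoint 'usgov'

# Assumption: returned objects carry an applicationId property.
$registered = Get-PowerAppManagementApps | Where-Object { $_.applicationId -eq $ApplicationId }
if (-not $registered) {
    Write-Host "Registering $ApplicationId as a Power Platform management app"
    New-PowerAppManagementApp -ApplicationId $ApplicationId | Out-Null
} else {
    Write-Host "$ApplicationId is already registered as a management app"
}

# 3. Recreate the pac auth profile from scratch; the comment above notes that
#    a stale profile had to be cleared before the backup succeeded.
pac auth clear
pac auth create -ci usgov -id $ApplicationId -cs $secret -t $TenantId
if ($LASTEXITCODE -ne 0) { throw "pac auth create failed with exit code $LASTEXITCODE" }

# 4. Run the backup and fail loudly if pac returns non-zero.
pac admin backup -env $EnvironmentUrl --label $Label
if ($LASTEXITCODE -ne 0) { throw "pac admin backup failed with exit code $LASTEXITCODE" }
```

Run it from Windows PowerShell (as the comment above requires for the admin module) with the three ids as parameters, after exporting the secret into PAC_CLIENT_SECRET for that session only. Because the registration check is skipped when the app is already registered, the script can be re-run safely after fixing an app-registration setting or rotating the secret.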

Note: I can't explain why, but this didn't work the first time when I tried it but worked the next day. I had to re-register the app, clear the existing auth profile, create a new auth profile with the same info and run the backup command, and it worked. I was able to replicate this behavior when I tried to do the same thing with a new application registered in App registrations.
