Dataverse permissions

Impliancy uses a service principal to read and manage Power Platform data.
The correct permissions ensure that inventory, compliance, and ownership changes work reliably.


Required Dataverse role

The service principal must have the System Administrator security role in every environment that will be indexed.

Why System Administrator?

Because Impliancy must:

  • Read all artifacts (apps, flows, bots, desktop flows)
  • Update owner information (Power Apps)
  • Read solution and environment metadata
  • Access sharing information for apps
  • Validate activity and usage data
  • Detect and read environment-level settings

Lower roles do not provide sufficient coverage for consistent governance.


Environment requirements

The role must be assigned in all environments. The assignment happens automatically upon admin consent (see Installation for more details).

Environments where the service principal does not have System Administrator rights:

  • Are marked as missing-permission
  • Will not be inventoried
  • Cannot participate in compliance or inactivity monitoring
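
To check in advance which environments would be flagged, an administrator can query each environment's Dataverse Web API for the application user and its roles. The following is an added example, not Impliancy's own code. It assumes the service principal's app ID, the environment names, and the sample responses (all constructed), and it matches the role by display name.

```python
"""Audit which environments grant the service principal the required role."""

REQUIRED_ROLE = "System Administrator"  # role named on this page

def build_query(org_url: str, app_id: str) -> str:
    """Dataverse Web API query: the application user for app_id plus its roles.
    The HTTP client is expected to percent-encode the spaces in $filter."""
    return (
        f"{org_url.rstrip('/')}/api/data/v9.2/systemusers"
        "?$select=fullname,isdisabled"
        f"&$filter=applicationid eq {app_id}"
        "&$expand=systemuserroles_association($select=name)"
    )

def classify(response: dict) -> str:
    """Return 'ok' or 'missing-permission' for one environment's response."""
    for user in response.get("value", []):
        if user.get("isdisabled"):
            continue  # this example treats a disabled application user as no access
        roles = {r.get("name") for r in user.get("systemuserroles_association", [])}
        if REQUIRED_ROLE in roles:
            return "ok"
    # No application user, a disabled one, or one holding only lower roles.
    return "missing-permission"

def audit(responses: dict) -> dict:
    """Map environment name -> status for a set of per-environment responses."""
    return {env: classify(resp) for env, resp in responses.items()}

def _user(disabled, *role_names):
    # Helper that builds a constructed systemuser record for the sample below.
    return {"isdisabled": disabled,
            "systemuserroles_association": [{"name": n} for n in role_names]}

# Constructed sample responses, one per (hypothetical) environment.
SAMPLE = {
    "prod":    {"value": [_user(False, "System Administrator")]},
    "dev":     {"value": [_user(False, "Basic User", "Environment Maker")]},
    "sandbox": {"value": []},  # application user never created here
    "legacy":  {"value": [_user(True, "System Administrator")]},
}

if __name__ == "__main__":
    for env, status in audit(SAMPLE).items():
        print(f"{env:8} {status}")
```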

Tenant-wide permissions

Impliancy also requires the ability to:

  • Enumerate environments
  • Read Power Apps definitions
  • Read Power Automate Cloud Flows
  • Read Power Automate Desktop Flows
  • Read Copilot Studio Bots/Agents
  • Detect app and flow connections
  • Access activity metadata (last modified, last run, etc.)
  • Read user data, such as email, name, and more

No impersonation

Impliancy does not impersonate users.

  • All data retrieval is done directly by the service principal
  • Ownership changes happen explicitly through the Impliancy service
  • No operations require delegated permissions or user tokens