Set up ALM accelerator for Microsoft Power Platform. Power Platform Admin requirements considerations.

The issue

My client’s ops team got a request from developers to support the ALM accelerator setup and configuration.
They follow the steps from the article below:
https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup-almacceleratorpowerplatform-preview#give-power-app-management-permission-to-your-app

App registration is a part of the setup. The Power App Management Permission is required and according to the warning below it creates potential issues.

Currently, this cmdlet gives elevated permissions (for example, Power Platform Admin) to the app registration. Your organization’s security policies may not allow for these types of permissions. Ensure that these permissions are allowed before continuing. In the case that these elevated permissions are not allowed certain capabilities won’t work in the AA4PP pipelines.

What’s the Power Platform Admin role superpower?

Users with the Power Platform admin role can:

• Sign in to and manage multiple environments. Power Platform admins are not affected by security group membership and can manage environments even if not added to an environment’s security group.
• Perform admin functions in Microsoft Power Platform because they have the System Administrator role.

Power Platform Admin has got a System Admin role across all Power Platform environments in your M365 tenant.
Using the matrix below you could explore and compare service admin permissions:

https://learn.microsoft.com/en-us/power-platform/admin/use-service-admin-role-manage-tenant#service-administrator-permission-matrix

What’s the risk in giving the app elevated permissions?

One of the risks is that Client ID and Secret will be stolen and used to impersonate the Power Platform Admin.

Power Platform Admin impersonation – so what?

Power Platform Admin could manage apps and automation, and manage environments, including creation and deletion.

The desirable outcome

As a Power Platform Admin, I would like to limit the distribution of elevated permissions. Also, I am trying to understand the implications of not granting the app the requested permissions.

The available outcome

I reached out to the Microsoft team supporting the ALM preview. This is the response I’ve got from them:

This is currently a gap in functionality in the platform. Without these permissions, Canvas App Sharing will not succeed but the pipeline won’t fail during the deployment. We’re using the admin endpoints for sharing canvas apps in the platform as they are the only APIs available that support Service Principal currently. If you decide not to provide the permissions then you’ll need to manually share apps in the downstream environment. Not something we can work around at the moment based on the platform restrictions.

Here’s the list of functions in the pipelines that require this permission today:

• Sharing canvas apps in downstream environments.
• Updating canvas app owner on import of an unmanaged solution.
• Running canvas test automation, where applicable, to override connection consent.