
Unable to Complete User Delegation to a Service/App Account

Open mello3620 opened this issue 2 years ago • 5 comments

Type of Connector

Custom Connector

Name of Connector

microsoft / PowerPlatformConnectors

Describe the bug

I have been working with the Snowflake vendor and also our Azure & Power Apps/Automate admin to be able to connect to the Snowflake REST API using a Service/App account from PowerApps.

Has the application account level been tested using this connector via PowerApps? This is the feature that is not working for us and we can't implement in PROD at individual level.

After several troubleshooting sessions (and parallel testing), the Snowflake vendor recommended that we open an issue on this project due to issues we are both seeing in our testing.

Both the Snowflake vendor and my company tested this individually and ran into the same issues below. Refer to notes and screenshots.

  1. We are UNABLE to get the PowerApps custom connector to allow us to utilize a service/app account executing the Snowflake REST API (we don't want the same single user to be passed to Snowflake so don't have to add every individual user in our organization on the Snowflake side in order to use the Snowflake REST API)
  • ERROR: Need admin approval - needs permission to access resources in your organization that only an admin can grant. Please ask the admin to grant permission to this app before you can use it.
  • Completed admin consent
    • looked in Azure client console and NO admin consent pending - same error
    • had the Azure admin complete the consent directly in the Power Apps prompts (using his Azure admin account and provided ) - same error
  • Refer to attached screenshots showing the issue
  • asks for admin consent but there is nothing pending admin consent in Azure when we look at the client
  2. Also, it seems like the "security" items added into the "security" tab seem to get cleared out and PowerApps DOES NOT honor them. This may be part of the issue.

Is this a security bug?

Yes, this is a security bug

What is the severity of this bug?

Severity 2 - One or more important connector features are down

To Reproduce

Follow the existing documentation here in the custom connector BUT when it comes to setting up the permissions in Azure follow this Snowflake document linked. It uses app roles (added via manifest). https://community.snowflake.com/s/article/Create-External-OAuth-Token-Using-Azure-AD-For-The-OAuth-Client-Itself

In this project's custom connector documentation, within step 1 of the linked prereqs documentation (https://github.com/microsoft/PowerPlatformConnectors/tree/dev/custom-connectors/Snowflake#pre-requisites-for-using-the-connector) it has us stop at step 10, where step 11 is the step to set up an application account level.

Has the application account level been tested using this connector via PowerApps? This is the feature that is not working for us and we can't implement in PROD at individual level.

Expected behavior

Be able to use an application account from PowerApps to Snowflake REST API instead of individual account

Environment summary

Install Method (e.g. pip, interactive script, apt-get, Docker, MSI, edge build) CLI version (paconn --version) OS version Shell Type (e.g. bash, cmd.exe, Bash on Windows)

Additional context

Contact me if you need any additional details

Screenshots

[Screenshots: 4-28-2022 3-04-35 PM, 4-28-2022 3-04-38 PM]

mello3620, Apr 19 '22 21:04
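
A diagnostic sketch for the problem reported above, added here and not part of the issue or of the connector project: it decodes an Azure AD access token's payload (without verifying the signature, so for troubleshooting only) and reports whether the token is app-only (`roles` claim, no `scp`) or delegated to a signed-in user. `classify_token` is a hypothetical helper, and the sample tokens, GUIDs, audience and role name are constructed placeholders.

```python
import base64
import json


def decode_payload(jwt: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def classify_token(jwt: str) -> dict:
    """Hypothetical helper: is this Azure AD access token app-only or delegated?"""
    claims = decode_payload(jwt)
    scopes = claims.get("scp", "").split()  # delegated permissions (user present)
    roles = claims.get("roles", [])         # app roles assigned to the caller
    if scopes:
        kind = "delegated"                  # issued on behalf of a signed-in user
    elif roles or claims.get("idtyp") == "app":
        kind = "app-only"                   # client credentials grant, no user
    else:
        kind = "unknown"
    return {"kind": kind, "aud": claims.get("aud"), "sub": claims.get("sub"),
            "scopes": scopes, "roles": roles}


def _sample_jwt(claims: dict) -> str:
    """Build an unsigned token from constructed claims (not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


# Constructed sample claims; GUIDs, audience and role name are placeholders.
AUD = "api://00000000-0000-0000-0000-000000000000"
APP_TOKEN = _sample_jwt({"aud": AUD, "sub": "11111111-1111-1111-1111-111111111111",
                         "roles": ["session:role:analyst"]})
USER_TOKEN = _sample_jwt({"aud": AUD, "sub": "constructed-user-subject",
                          "scp": "session:role:analyst"})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("user", USER_TOKEN)):
        print(name, classify_token(tok))
```

Running it against the token a connection actually obtains shows which kind of identity is being presented to the Snowflake REST API.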

This would be very useful!

cpaschall31, Apr 28 '22 19:04

This would be great in order to access Snowflake through Power Apps.

charton11, Apr 28 '22 19:04

This will be a great fix to ensure secure connectivity and to better utilize the Snowflake REST API feature.

docusignuma, Apr 28 '22 19:04

This is needed to ensure appropriate connectivity with non-standard instances of Snowflake.

trl7391, Apr 28 '22 19:04

We are also looking to leverage connecting to Snowflake via their new REST API from the Power Platform utilizing an app account and would use this solution.

dereksdakota, Apr 28 '22 21:04