
[Bug] Service Principal with System Administrator Role Gets 403 Forbidden on pac code push #305

@megel

Describe the bug

When using a service principal authenticated with pac auth create --accept-cleartext-caching, the pac code push command fails with a 403 Forbidden error. The service principal has System Administrator and System Customizer security roles in Dataverse, but still cannot access the BusinessAppPlatform checkAccess API.

Steps to Reproduce

  1. Create service principal auth profile with cleartext caching:
    pac auth create --name DEV-US --environment <env-url> --accept-cleartext-caching
  2. Verify the service principal has System Administrator and System Customizer roles in Dataverse
  3. Select the service principal profile:
    pac auth select -n DEV-US
  4. Navigate to a code-first Power Apps project directory
  5. Run:
    pac code push
  6. See 403 Forbidden error

Expected behavior

The pac code push command should work with service principals that have System Administrator role, as this role has full permissions in the environment.

Actual behavior

Command fails with 403 Forbidden when trying to access the BusinessAppPlatform checkAccess API:

Connected as [REDACTED-SERVICE-PRINCIPAL-ID]
Error: HTTP error status: 403 for POST https://[REDACTED].environment.api.powerplatform.com/powerapps/apps/[REDACTED-APP-ID]/startSession
{"error":{"code":"BusinessAppPlatformRequestFailed","message":"The service principal with id '[REDACTED-AAD-OBJECT-ID]' for application [REDACTED-SERVICE-PRINCIPAL-ID] does not have permission to access the path 'https://[INTERNAL-IP]/providers/Microsoft.BusinessAppPlatform/scopes/service/environments/[REDACTED-ENV-ID]/checkAccess?api-version=2016-11-01' in tenant [REDACTED-TENANT-ID]."}}

Screenshots or Error Messages

Full Error Output:

CliLogger: failed to initialize OneDS telemetry writer Error: HTTP error status: 403
Error during CLI execution: Error: HTTP error status: 403 for POST /powerapps/apps/{appId}/startSession
The service principal does not have permission to access the path:
'Microsoft.BusinessAppPlatform/scopes/service/environments/{envId}/checkAccess?api-version=2016-11-01'

Environment information

  • Framework, build tool or relevant package used: PowerApps CLI (pac) 2.4.1+g3799f3e
  • Any connection/components: Power Platform, Dataverse, Code-First Power Apps

Service Principal Configuration:

  • Dataverse Security Roles: System Administrator, System Customizer
  • Auth created with: --accept-cleartext-caching option
  • Authentication: Succeeds, token acquired
  • Profile Type: Application (Service Principal)

Additional context

  • Authentication succeeds and token is acquired for https://api.powerplatform.com/.default
  • Same service principal works with other pac commands (e.g., pac auth list)
  • The 403 error occurs at the internal BusinessAppPlatform API level, not during authentication
  • User authentication works fine with the same environment
  • This blocks CI/CD automation scenarios where service principals are required

pac-log-sanitized-code-push.txt
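As an added example (not code from the issue or from the pac CLI project), the following Python helper is the kind of triage step a CI job can run over pac output like the log quoted above. It extracts the HTTP status, the failing request, the error code and the denied BusinessAppPlatform path, and then distinguishes "token acquired, but checkAccess refused the service principal" from a failed or missing authentication, which is the distinction this report makes. The sample output, every ID in it and the function and field names are constructed for this example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the redacted log in the issue above.
# All IDs are placeholders, not real tenant, app, environment or principal IDs.
SAMPLE_403_OUTPUT = """\
Connected as 00000000-0000-0000-0000-000000000001
Error: HTTP error status: 403 for POST https://example.environment.api.powerplatform.com/powerapps/apps/11111111-1111-1111-1111-111111111111/startSession
{"error":{"code":"BusinessAppPlatformRequestFailed","message":"The service principal with id '22222222-2222-2222-2222-222222222222' for application 00000000-0000-0000-0000-000000000001 does not have permission to access the path 'https://10.0.0.1/providers/Microsoft.BusinessAppPlatform/scopes/service/environments/33333333-3333-3333-3333-333333333333/checkAccess?api-version=2016-11-01' in tenant 44444444-4444-4444-4444-444444444444."}}
"""

HTTP_ERROR_RE = re.compile(r"HTTP error status: (\d{3}) for ([A-Z]+) (\S+)")
CONNECTED_RE = re.compile(r"^Connected as (\S+)", re.MULTILINE)
DENIED_PATH_RE = re.compile(r"access the path '([^']+)'")


def parse_pac_output(output: str) -> dict:
    """Pull the fields a CI job needs out of pac CLI output (hypothetical helper)."""
    result = {
        "connected_as": None,       # principal printed on the "Connected as" line
        "http_status": None,        # numeric status from the "HTTP error status" line
        "method": None,
        "url": None,
        "error_code": None,         # error.code from the JSON body, if any
        "denied_path": None,        # path the service principal was refused
        "denied_api_version": None,
    }
    m = CONNECTED_RE.search(output)
    if m:
        result["connected_as"] = m.group(1)
    m = HTTP_ERROR_RE.search(output)
    if m:
        result["http_status"] = int(m.group(1))
        result["method"] = m.group(2)
        result["url"] = m.group(3)
    # The JSON error body is emitted as its own line; parse the first one found.
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            body = json.loads(line)
        except json.JSONDecodeError:
            continue
        err = body.get("error", {})
        result["error_code"] = err.get("code")
        m = DENIED_PATH_RE.search(err.get("message", ""))
        if m:
            parts = urlsplit(m.group(1))
            result["denied_path"] = parts.path
            result["denied_api_version"] = parse_qs(parts.query).get("api-version", [None])[0]
        break
    return result


def classify(parsed: dict) -> str:
    """Name the failure class so a pipeline can report it without a human reading the log."""
    if parsed["http_status"] is None:
        return "ok"
    if parsed["connected_as"] is None:
        # No principal was ever connected: authentication, not authorization, is the problem.
        return "not_authenticated"
    denied = parsed["denied_path"] or ""
    if parsed["http_status"] == 403 and denied.endswith("/checkAccess"):
        # Token was acquired; the BusinessAppPlatform authorization check refused the caller.
        return "authorization_denied_at_checkaccess"
    return "http_error"


if __name__ == "__main__":
    parsed = parse_pac_output(SAMPLE_403_OUTPUT)
    print(classify(parsed), parsed["error_code"], parsed["denied_path"])
```

Running the block on the constructed sample reports `authorization_denied_at_checkaccess`, which is the signal to check the principal's Power Platform API permissions rather than its Dataverse security roles or the auth profile.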
