[CoE Starter Kit - QUESTION] Identity Requirements and Instructions

[cameron-interactive]

Does this question already exist in our backlog?

• I have checked and confirm this is a new question.

What is your question?

Resubmitting this, as the previous one was closed without any response.

We are reading through the documentation now to set up a new CoE starter kit, and have some concerns about what is listed for the identity requirements, and the limitations documented.

https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup#which-identity-should-i-use-to-install-the-coe-starter-kit

https://learn.microsoft.com/en-us/power-platform/guidance/coe/limitations#service-principles
https://learn.microsoft.com/en-us/power-platform/guidance/coe/limitations#multifactor-authentication
https://learn.microsoft.com/en-us/power-platform/guidance/coe/limitations#pim-privileged-identity-management

Reading through this, we need a privileged account, with permanent permissions for at least Power Platform Admin (or Global Admin!!!), without MFA, that can be interactively logged in with. Service Principals cannot be used...

This raises some pretty major red flags from our cyber security team. Is there any documentation to support this, and guidance on how we should configure such an account so it doesn't have such a dangerous access and possibility of being misused?

What solution are you experiencing the issue with?

None

What solution version are you using?

No response

What app or flow are you having the issue with?

No response

What method are you using to get inventory and telemetry?

None

[harini-2-y]

Hi @cameron-interactive ,
Thanks for raising this question!
Yes, this requirement is documented in the official CoE Starter Kit setup and limitations guides:
https://learn.microsoft.com/power-platform/guidance/coe/setup
https://learn.microsoft.com/power-platform/guidance/coe/limitations
The reason is technical: certain flows require interactive OAuth authentication and tenant-wide access, which Service Principals and MFA cannot currently support for unattended automation.
Guidance to Configure Securely
To avoid creating a “dangerous” account, implement these controls:

1. Dedicated Service Account:
   Create an account only for CoE automation (not a personal admin account).
   Assign Power Platform Admin role first; use Global Admin only if absolutely necessary.
2. Conditional Access Policies:
   Restrict sign-ins by IP, device compliance, and location.
   Block high-risk sign-ins and enforce network-based security.
3. Monitoring & Auditing:
   Enable Azure AD sign-in and audit logs.
   Configure alerts for unusual activity (e.g., unexpected locations, failed attempts).
4. Credential Protection:
   Store credentials in a secure vault (e.g., Azure Key Vault).
   Rotate passwords regularly and limit access to 2–3 people.
5. Environment Isolation:
   Deploy CoE Starter Kit in a dedicated environment with DLP policies.

[cameron-interactive]

What IP addresses/locations will be needed for the CoE to run?

How do we configure the CoE to use Keyvault for the credentials for this service account?

[harini-2-y]

Hi @cameron-interactive ,
Thanks for your questions!

1. What IP addresses or locations are required for the CoE Starter Kit to run?
   The CoE Starter Kit does not require you to allowlist any Microsoft IP addresses. All CoE components run fully inside your Microsoft 365 tenant and communicate with core Microsoft cloud services such as Power Apps, Power Automate, Dataverse, Azure AD, and Microsoft Graph.
   Microsoft does not provide static IPs for these platform services, as they use globally-distributed, frequently updated cloud ranges.

2. How do we configure the CoE to use Keyvault for the credentials for this service account?
   Azure Key Vault can be used as a secure storage location for the CoE service account credentials, but it cannot directly authenticate Power Automate or CoE connections. Power Platform requires an interactive OAuth login, so the credentials must still be entered once during setup.
   Key Vault’s role is to store, protect, and govern access to those credentials.
   Below is the correct way to use Key Vault with the CoE Starter Kit:

• Store the Service Account Credentials in Azure Key Vault
  Create a Key Vault in your Azure subscription and save:
  the username
  the password
  as secrets.
  This keeps the credentials protected, audited, and centrally managed instead of being stored in unsecured files or shared manually.

• Restrict Access to Only CoE Administrators
  Grant “Get” access only to the small set of administrators who will set up or maintain the CoE connections.
  This ensures:
  least‑privilege access
  full audit tracking
  prevention of credential misuse

• Retrieve the Credentials from Key Vault During Setup
  When setting up the CoE connections in Power Automate and Power Apps:
  An approved admin retrieves the username/password from Key Vault
  They enter the credentials into each required CoE connection once
  Power Platform creates a secure connection reference and stores the OAuth token internally
  After this step, Power Platform handles authentication automatically.