I've set up a Flow which is activated by a user from a Canvas app. The Flow takes in some parameters, reformats the values and prepares some inputs for the final activity in the Flow, which is to create a pipeline run in Azure Data Factory (ADF).
The Flow can be started from the Canvas app without problems; however, when the ADF activity runs, it gives a permission error. Originally, this was due to the user not having the required role to create a pipeline run. Since we don't want all users to have access to ADF and we don't want to have to add them to a role before they can run a pipeline, we set up a service principal for the connection. The connector I'm using is the built-in ADF connector in Powerapps Flow.
With the connection now set up with the service principal, we ran the flow again, but still got an error saying: The client 'masked-email' with object id 'masked-object-id' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelines/CreateRun/action' over scope '/subscriptions/masked-subscription-id/resourcegroups/ERP_Integrations/providers/Microsoft.DataFactory/factories/ErpIntegrationDataFactory/pipelines/BC2AP-PowerApp_00_CallTrigger' or the scope is invalid. If access was recently granted, please refresh your credentials.
This is the activity that fails, showing the connection used.
What I don't understand here is why the permissions of the users are being checked when the connection runs with a service principal. Does anyone know why the user has to have permission, even though I'm connecting using a service principal which has the correct permissions?
First I tried just changing the connection to the service principal connection. When that failed I tried recreating the activity to avoid any stored data, and adding the newly created connection.
In both these cases I thought the connection would use the credentials of the service principal, but the error I get suggests otherwise.
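The error text in the question names three things that decide an Azure RBAC check: the principal's object id, the action, and the scope. The following is an added example, not code from the question or from the ADF connector, that parses such an error and evaluates it against a simplified model of role assignments. The assignments, the second object id (`user-object-id`) and the role action patterns are constructed for the example; the `Microsoft.DataFactory/*` pattern is assumed to stand in for the Data Factory Contributor role. It shows that only an assignment for the exact object id reported in the error, at the pipeline's scope or one of its parents, satisfies the check, so the object id in the error is the first thing to compare against the service principal's.

```python
"""Simplified Azure RBAC authorization check, driven by the text of an
'does not have authorization to perform action ... over scope ...' error.
Added example; the assignments below are constructed, not real data."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed error text, reusing the masked placeholders from the question.
ERROR_TEXT = (
    "The client 'masked-email' with object id 'masked-object-id' does not have "
    "authorization to perform action "
    "'Microsoft.DataFactory/factories/pipelines/CreateRun/action' over scope "
    "'/subscriptions/masked-subscription-id/resourcegroups/ERP_Integrations"
    "/providers/Microsoft.DataFactory/factories/ErpIntegrationDataFactory"
    "/pipelines/BC2AP-PowerApp_00_CallTrigger' or the scope is invalid."
)

FACTORY_SCOPE = (
    "/subscriptions/masked-subscription-id/resourcegroups/ERP_Integrations"
    "/providers/Microsoft.DataFactory/factories/ErpIntegrationDataFactory"
)

ERROR_RE = re.compile(
    r"object id '(?P<object_id>[^']+)'.*?"
    r"perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'",
    re.S,
)


def parse_authorization_error(text):
    """Return (object_id, action, scope) from an Azure authorization error."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not an Azure authorization error")
    return m.group("object_id"), m.group("action"), m.group("scope")


@dataclass(frozen=True)
class RoleAssignment:
    principal_object_id: str   # the identity the role is assigned to
    role_actions: tuple        # the role definition's 'actions' patterns
    scope: str                 # the scope the role was assigned at


def scope_covers(assignment_scope, resource_scope):
    """RBAC inherits downwards: an assignment at a parent scope covers every
    child resource. Compare path segments, case-insensitively."""
    a = assignment_scope.lower().rstrip("/").split("/")
    r = resource_scope.lower().rstrip("/").split("/")
    return r[:len(a)] == a


def action_matches(pattern, action):
    """Role definition actions use '*' wildcards, e.g. Microsoft.DataFactory/*."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_authorized(object_id, action, scope, assignments):
    """True if some assignment for this exact principal covers both the scope
    and the action. Simplified: ignores NotActions, deny assignments and
    group membership, which a real evaluation also takes into account."""
    return any(
        a.principal_object_id == object_id
        and scope_covers(a.scope, scope)
        and any(action_matches(p, action) for p in a.role_actions)
        for a in assignments
    )


def diagnose(error_text, assignments):
    """Evaluate the error against the assignments; return (object_id, authorized)."""
    object_id, action, scope = parse_authorization_error(error_text)
    return object_id, is_authorized(object_id, action, scope, assignments)


if __name__ == "__main__":
    # Constructed scenario: the role exists, but for a different principal.
    only_user = [RoleAssignment("user-object-id", ("Microsoft.DataFactory/*",), FACTORY_SCOPE)]
    print(diagnose(ERROR_TEXT, only_user))        # ('masked-object-id', False)
    # Same role, assigned to the object id named in the error, at the factory.
    sp_at_factory = [RoleAssignment("masked-object-id", ("Microsoft.DataFactory/*",), FACTORY_SCOPE)]
    print(diagnose(ERROR_TEXT, sp_at_factory))    # ('masked-object-id', True)
```

Read-only roles fail the same check, so a Reader assignment on the subscription for the right principal still yields `False`; the action must be covered, not just the scope.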