[Bug] Service principal auth fails on Code App update (PUT /powerapps/apps/{appId} returns 500) #244
Description
I ran into this while setting up CI/CD for Code Apps, and after a lot of trial and error I was able to narrow it down pretty hard.
Creating a brand new Code App under service principal auth works for me. Updating that same app later under service principal auth does not. The save call returns HTTP 500. If I take the exact same existing app and update it with delegated user auth instead, it works.
The matrix I ended up with was:
SP create (new app / blank appId): works
SP update (existing appId): fails with 500
User create: works
User update: works
I wanted to make sure this wasn't my wrapper code or a PAC quirk, so I took the toolchain out of the middle and replayed the underlying save flow directly against the platform API on the same existing app in the same environment. Same app, same request body, same session flow, only the bearer token changed.
Both tokens could start and end the save session successfully. The split happened on the actual save:
user token -> 200 on PUT /powerapps/apps/{appId}
service principal token -> 500 on PUT /powerapps/apps/{appId}
I also checked the obvious setup issues before filing this:
- the app registration was registered with New-PowerAppManagementApp
- the Dataverse application user has System Administrator in the environment
- Code Apps is enabled on the environment
- I'm not on the older PAC 2.3.2 bug; this was reproduced on PAC CLI 2.4.1
- same behavior from both pac code push and the npm Code Apps CLI path
- solution export/import to another environment works, so this doesn't look like a general ALM failure
One correlation ID from the failing save path was fb76b6d2-cf5c-4fc1-acc5-02d3bff3948a. I also saw the same 500 behavior with fresh probe apps, not just the original app I started with.
This feels like a platform-side difference between delegated user auth and service principal auth when saving updates to an existing Code App. If there's a supported service-principal update flow I'm missing, I'm happy to test it. If useful, I can also share the exact request sequence I replayed directly against the API.