velnoro
Sign Up

Microsoft Power Platform Setup

Connect Velnoro to your Power Platform tenant using Quick Connect or manual app registration.

This guide walks you through connecting Velnoro to your Microsoft Power Platform tenant. There are two setup paths depending on your organization's preferences.

Account role required: Owner or Admin (members with the "Manage" permission)

Admin authorization required: The person who completes the authorization step must have the Power Platform Administrator or Global Administrator role in your Microsoft tenant. Their permissions determine which environments and resources Velnoro can see.

Choose Your Setup Path

Quick Connect (Recommended)Manual Setup
Best forMost organizations. Get connected in under 2 minutes.Organizations that require full control over app registrations and permission grants.
Steps3 steps in Velnoro7 steps across Azure portal and Velnoro
App registrationVelnoro creates and manages the app registration for youYou create and manage your own Entra ID app registration
PermissionsAutomatically configured with minimum required scopesYou add each permission manually and grant admin consent

Quick Connect

  1. Open Connections in the Admin section of the sidebar
  2. Click Add Connection and select Microsoft Power Platform
  3. Click Authorize with Microsoft. A Microsoft sign-in window opens. An admin signs in, reviews the requested permissions, and grants consent.
  4. The connection status changes to "Authorized". You are ready to scan.

Manual Setup

Use this path if your organization requires you to create your own Entra ID app registration.

Step 1: Navigate to Connections

  1. Open Connections in the Admin section of the sidebar
  2. Click Add Connection
  3. Select Microsoft Power Platform as the platform

Step 2: Create an App Registration

In your Azure portal:

  1. Go to Entra ID > App registrations > New registration
  2. Name it something recognizable (e.g., "Velnoro - Platform Inventory")
  3. Set the supported account type to "Accounts in this organizational directory only"
  4. Click Register

Step 3: Add a Client Secret

  1. In your app registration, go to Certificates & secrets > New client secret
  2. Add a description and choose an expiry period
  3. Click Add
  4. Copy the secret value immediately (it is only shown once)

Step 4: Add API Permissions

In your app registration, go to API permissions > Add a permission:

  1. Microsoft Graph > Application permissions > Organization.Read.All (reads tenant info)
  2. Power Platform API > Delegated permissions > ResourceQuery.Resources.Read (reads resource inventory)
    • Find "Power Platform API" under "APIs my organization uses" (search by name or GUID 8578e004-a5c6-46e7-913e-12f58912df43)
  3. (Optional) Microsoft Graph > Application permissions > User.Read.All (reads user profiles for department-level builder analysis). Without this permission, you can still upload builder data via CSV on the Builders page.

After adding permissions, click Grant admin consent for your organization.

Step 5: Add a Redirect URI

  1. Go to Authentication > Add a platform > Web
  2. Enter the redirect URI: https://app.velnoro.com/api/connections/microsoft/callback
  3. Click Configure

Step 6: Enter Credentials in Velnoro

Back in the Velnoro connection setup form, enter:

  • Tenant ID (found on the Azure portal overview page for your Entra ID tenant)
  • Client ID (from your app registration overview)
  • Client Secret (the value you copied in Step 3)

Click Verify to test the Graph API connection. A successful test confirms Velnoro can read your organization metadata.

Step 7: Authorize Power Platform Access

Click Authorize with Microsoft to complete the Power Platform delegated consent flow:

  1. A Microsoft sign-in window opens
  2. An admin signs in and grants consent
  3. Velnoro stores an encrypted refresh token for background scanning
  4. The connection status changes to "Authorized"

What Happens When You Click Authorize

When an admin clicks Authorize with Microsoft, here is what happens behind the scenes:

  1. OAuth consent flow opens in a popup window. Microsoft shows the admin exactly which permissions Velnoro is requesting.
  2. The admin reviews and grants consent. This authorizes Velnoro to read Power Platform inventory data on behalf of the admin.
  3. Velnoro receives a refresh token and encrypts it using AES-256-GCM before storing it. This token allows Velnoro to silently refresh access for background scans without requiring the admin to sign in again.
  4. All access is strictly read-only. Velnoro never writes to, modifies, or deletes anything in your Microsoft tenant. It reads asset metadata only (names, types, owners, environments).
  5. You can revoke access at any time by deleting the connection in Velnoro or removing the app registration from your Azure portal.

What's Next

Once authorized, you can run your first scan to discover all Power Platform assets in your tenant.