Your Dataverse environment must be configured to allow the App Registration to access data. This involves creating an Application User and assigning appropriate security roles.
Required Permissions
To create an Application User and assign security roles in Dataverse, you need:
| Permission | Purpose |
| System Administrator security role | Required to create Application Users and assign security roles within the Dataverse environment |
| Power Platform Administrator or Global Administrator | Required for access to the Power Platform Admin Center to manage environment settings |
| 💡 Note: If you have access to the Dataverse environment but cannot create Application Users, contact your Power Platform administrator to perform this configuration or grant you the System Administrator role. | |
Creating an Application User
An Application User links your App Registration to Dataverse, allowing Data Mission Sync to authenticate:
1. Sign in to the Power Platform Admin Center (https://admin.powerplatform.microsoft.com).
2. Select Environments from the left navigation, then select your target environment.
3. Select Settings from the top menu.
4. Expand Users + permissions, then select Application users.
5. Click + New app user.
6. Click + Add an app to search for your App Registration by name or Client ID.
7. Select your app and click Add.
8. Select the Business unit (typically the root business unit).
9. Under Security roles, you will assign roles in the next step.
10. Click Create.
Assigning Security Roles
The Application User needs a security role that grants the minimum permissions required for Data Mission Sync to read your data. We recommend creating a custom role with only the access you need.
Minimum Permissions Required
Data Mission Sync requires the following permissions to function:
| Permission | Purpose |
| Read on synchronized tables | Required to extract data from each table you want to synchronize. Grant Organization-level Read for full access to all records. |
| Read on table metadata | Required to retrieve table schemas (columns, data types, relationships) for building the target database structure. Granted automatically with Read on tables. |
| View Audit History (optional) | Required only if you want to synchronize the Audit table. Also requires Read on the Audit entity. |
Option 1: Create a Custom Role (Recommended)
Create a custom security role with read-only access to specific tables. This follows the principle of least privilege:
1. In Power Platform Admin Center, go to your environment → Settings → Security roles.
2. Click + New role and give it a name (e.g., 'Data Mission Sync Reader').
3. For each table you want to synchronize, set the Read privilege to Organization level (filled circle).
4. If synchronizing Audit logs: also set Read on the Audit entity and enable View Audit History under Miscellaneous Privileges.
5. Save the role and assign it to your Application User.
| Change Tracking Requirement: Each table you synchronize must have Change Tracking enabled in Dataverse. This is a table setting, not a security role permission. Data Mission Sync will verify this when you first sync a table and report an error if change tracking is not enabled. |
Option 2: Use System Administrator (Quick Start Only)
For initial testing or proof-of-concept, you can assign the System Administrator role which grants full access to all tables. However, this is not recommended for production use as it grants far more access than necessary.
| ⚠ Important: Do not use the System Customizer role — it grants access to customize tables and metadata but does not grant access to read table data. |
Verifying Permissions
If the Application User does not have sufficient permissions, you may encounter these errors:
| Error | Solution |
| 403 Forbidden or 'Insufficient permissions' | Grant Read access to the table at Organization level |
| Table not appearing in selection list | Verify the Application User has Read access to the table |
| 'Change tracking is not enabled' | Enable Change Tracking on the table in Dataverse (not a permission issue) |
| Audit sync fails with permission error | Grant View Audit History privilege and Read on Audit entity |
Finding Your Environment URL
You will need your Dataverse environment URL when configuring the source connection in Data Mission Sync:
1. In the Power Platform Admin Center, select your environment.
2. Look for the Environment URL field (e.g., https://yourorg.crm.dynamics.com).
3. Copy this URL — you will enter it in Data Mission Sync.
One Environment Per Profile
| Each Dataverse environment can only be connected to one Data Mission Sync profile. This is because Data Mission Sync uses Dataverse's change tracking API, which maintains state per environment. If you need to sync the same environment to multiple targets, contact support for guidance. |