Note
Preview features aren’t meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback.
This technical document outlines the security architecture of the authentication mechanisms in Power Apps Test Engine. For user-focused guidance on selecting and configuring authentication methods, see Authentication Guide.
Authentication methods overview
Test Engine supports two primary authentication methods:
- Storage State Authentication - Based on persistent browser cookies and storage state
- Certificate-Based Authentication - Based on X.509 certificates and Dataverse integration
Both methods are designed to support modern security requirements including multifactor authentication (MFA) and conditional access policies.
Storage state authentication architecture
The storage state authentication method uses Playwright's browser context management to securely store and reuse authentication tokens.
Windows Data Protection implementation
The local storage state implementation uses the Windows Data Protection API (DPAPI) for secure storage:
Security considerations
The storage state security architecture provides:
- Protection of authentication tokens at rest using DPAPI encryption
- Support for Microsoft Entra MFA and conditional access policies
- Sandbox isolation through Playwright's browser contexts
- Compliance with Microsoft Entra session lifetime policies
Certificate-based authentication architecture
Certificate-based authentication integrates with Dataverse and uses X.509 certificates to strengthen security and to encrypt the stored information at rest.
Dataverse storage implementation
The Dataverse implementation uses a custom XML repository for secure storage of protection keys:
Encryption technology
The following sections describe the encryption algorithms and key management approaches used by Test Engine to protect authentication data at rest and in transit.
AES-256-CBC + HMACSHA256
By default, data values are encrypted with a combination of AES-256-CBC and HMACSHA256:
This approach provides:
- Confidentiality through AES-256 encryption
- Integrity through HMAC verification
- Authentication of the data source
Data Protection API integration
The Test Engine integrates with ASP.NET Core's Data Protection API for key management and encryption:
Custom XML repository implementation
Test Engine implements a custom IXmlRepository for Dataverse integration:
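As an added example that is not Test Engine's own code, the following ties together the three preceding points (the AES-256-CBC + HMACSHA256 default, the ASP.NET Core Data Protection integration, and a custom IXmlRepository backed by Dataverse). The Dataverse table and column logical names, the purpose string and the way the X.509 certificate is obtained are assumptions; the Data Protection and Dataverse SDK calls themselves are existing APIs.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.Repositories;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Hypothetical IXmlRepository that persists the Data Protection key ring to a Dataverse table (placeholder schema).
public sealed class DataverseXmlRepository(IOrganizationService service) : IXmlRepository
{
    const string Table = "placeholder_protectionkey", XmlCol = "placeholder_xml", NameCol = "placeholder_name";

    public IReadOnlyCollection<XElement> GetAllElements()
    {
        // Dataverse record-level security decides which key records this caller can read.
        var query = new QueryExpression(Table) { ColumnSet = new ColumnSet(XmlCol) };
        return service.RetrieveMultiple(query).Entities
            .Select(e => XElement.Parse(e.GetAttributeValue<string>(XmlCol))).ToList();
    }

    public void StoreElement(XElement element, string friendlyName)
    {
        // The master key inside the element is already wrapped with the X.509 certificate configured in Build.
        var record = new Entity(Table) { [NameCol] = friendlyName, [XmlCol] = element.ToString(SaveOptions.DisableFormatting) };
        service.Create(record);
    }
}

public static class ProtectionSetup
{
    // Makes the defaults explicit: AES-256-CBC for confidentiality, HMACSHA256 for integrity; key ring certificate-encrypted.
    public static IDataProtector Build(IOrganizationService dataverse, X509Certificate2 keyCert)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .UseCryptographicAlgorithms(new AuthenticatedEncryptorConfiguration
            { EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm = ValidationAlgorithm.HMACSHA256 })
            .ProtectKeysWithCertificate(keyCert)
            .UnprotectKeysWithAnyCertificate(keyCert);
        services.Configure<KeyManagementOptions>(o => o.XmlRepository = new DataverseXmlRepository(dataverse));
        // Purpose string is hypothetical; Unprotect on a modified payload throws CryptographicException.
        return services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>().CreateProtector("TestEngine.StorageState");
    }
}
```

Because the key ring is encrypted with keyCert before it is stored, anyone who can read the Dataverse table sees wrapped key material only; the certificate's private key, not the table, is the asset that must be guarded.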
Conditional access and MFA compatibility
Test Engine's authentication architecture is designed to work seamlessly with Microsoft Entra conditional access policies:
Advanced security considerations
The following sections highlight other security features and integrations that enhance the protection of authentication data and support secure operations in enterprise environments.
Dataverse security model integration
Test Engine uses Dataverse's robust security model:
- Record-Level Security - Controls access to stored authentication data
- Sharing Model - Enables secure sharing of test authentication contexts
- Auditing - Tracks access to sensitive authentication data
- Column-Level Security - Provides granular protection of sensitive fields
Azure CLI token management
For Dataverse authentication, Test Engine securely obtains access tokens:
Security best practices
When implementing Test Engine authentication, consider these security best practices:
- Least privilege access - Grant minimal necessary permissions to test accounts
- Regular certificate rotation - Update certificates periodically
- Secure CI/CD variables - Protect pipeline variables containing sensitive data
- Audit access - Monitor access to authentication resources
- Environment isolation - Use separate environments for testing
Future security enhancements
Potential future enhancements to the authentication security architecture include:
- Integration with Azure Key Vault for enhanced secret management
- Support for managed identities in Azure environments
- Enhanced logging and security monitoring capabilities
- More protection providers for cross-platform scenarios
Related articles
Data Protection in ASP.NET Core
Windows Data Protection API
Microsoft Entra authentication
Dataverse security model
X.509 certificate-based authentication