pac code push returns internal server error (500) when using service principal authentication

[SergioCantera]

Description

pac code push consistently fails with an internal server error (HTTP 500) when authenticating
via service principal (application ID + client secret). The same command works correctly when
authenticated with a personal user account.

Environment

• PAC CLI version: 2.2.1+g666525f (.NET 10.0.2)
• OS: Windows (GitHub Actions runner: windows-latest)
• Power Platform environment region: EMEA

Steps to reproduce

1. Register the app as a Management Application:
   pac admin application register --application-id
2. Create an Application User in the target environment with System Administrator security role.
3. Authenticate using service principal:
   pac auth create --url https://.crm4.dynamics.com --applicationId --clientSecret --tenant
4. Run:
   pac code push --environment https://.crm4.dynamics.com --solutionName

Expected behavior

The Code App is pushed successfully to the environment, same as when using a personal account.

Actual behavior

The command retries 4 times and fails with:
bolt.authentication.http.AuthenticatedClientException: Encountered internal server error.
at bolt.authentication.http.AuthenticatedHttpClient.Execute(...)
at bolt.authentication.http.AuthenticatedHttpClient.PutT
at bolt.module.code.PushVerb.SaveCodeApp(...) line 328
at bolt.module.code.PushVerb.SaveCodeApp(...) line 338
at bolt.module.code.PushVerb.ExecuteAsync(...) line 118

Correlation IDs

• b46d6575-7360-427c-bef3-61525ed25024
• 784ec08e-d1fb-4e35-9ffa-d6e3377ef8d5
• 635ebb3e-6fea-4db5-a8e0-42ba76ddd870
• 657926aa-46ec-4378-bf4e-42afb8668741

Additional context

• The service principal is correctly registered as a Management Application at tenant level.
• The service principal has an Application User with System Administrator role in the target environment.
• Authentication succeeds (pac auth who returns the correct organization and environment details).
• The error only occurs at the SaveCodeApp (PUT) step.
• The same pac code push command works correctly when authenticated with a personal user account.
• This blocks CI/CD automation for Code Apps using service principals.

[markheck-solutions]

Ran into the same issue independently and filed #244 with some additional isolation details. We replayed the underlying save flow directly against the API on the same existing app and environment, with only the bearer token changed. User token returned 200 on the PUT, service principal token returned 500 on the same PUT. Linking it here in case it helps consolidate evidence: #244

[rgrey-marra]

Hitting the same issue. npx power-apps push with SP auth (client_credentials) returns 500 on the saveApp PUT. generateResourceStorage and startSession pass fine.

We decoded both tokens to compare. The user token (interactive auth) has delegated scopes including All.All.ReadWrite. The SP token has neither roles nor scp - zero permissions. The Power Platform API only exposes CopilotStudio.Copilots.Invoke as an application permission, so there's no app-level equivalent of the delegated scopes that saveApp needs.

We also tried registering the SP via New-PowerAppManagementApp and adding the only available Azure AD application permission - neither helped.

This looks like a fundamental gap: saveApp requires delegated permissions that the client_credentials flow can't obtain.