Tutorials//Add Approval Gates Before Pipeline Deployments
intermediate

Add Approval Gates Before Pipeline Deployments

Implement pre-deployment approval checks in Power Platform Pipelines using a custom Dataverse table and Power Automate approvals.

NA
Narmer Abader
@narmer · Published June 3, 2026

Power Platform Pipelines provide a streamlined path to move solutions between environments, but they lack a built‑in approval mechanism. Without an approval gate, any authorized user can deploy to a production stage without oversight. By combining a custom Dataverse table with a Power Automate approval flow, you can enforce that one or more designated approvers must sign off before a deployment proceeds. This article walks through a practical implementation that you can adapt to your own ALM governance requirements.

Understanding the Approval Flow

The pipeline triggers a Power Automate flow when a pre‑deployment action is initiated. That flow looks up the approvers configured for the target stage, sends them an approval request (via Teams, email, or the Approvals center), and then updates the pipeline's status based on the response. The entire process runs inside the Pipelines Host environment, keeping everything centralized.

Our example uses these fictional entities:

  • Stage Gate Approver – a custom table that links an Entra ID user to a specific deployment stage.
  • Gate Review Flow – the Power Automate flow that orchestrates approval.
  • Environment stagesReview (validation) and Release (production), each requiring separate approvals.

Creating the Stage Gate Approver Table

Open the solution editor in your Pipelines Host environment. Create a new table named Stage Gate Approver and set ownership to User or Team. After saving, add two required lookup columns:

Column nameLookup to
Gate ApproverMicrosoft Entra ID User
Target StageDeployment Stage

These columns define who can approve and which stage they oversee. You can also add optional fields like Approver Priority or Is Active to support multiple approvers or to temporarily disable a gate.

Adding the Form to the Pipelines Configuration App

  1. Open the Main Form for the Stage Gate Approver table.
  2. Add both lookup fields (Gate Approver, Target Stage) to the form.
  3. Save and publish the form.

Now administrators can configure approvers directly from the Deployment Pipeline Configuration app without leaving the Pipelines interface.

Assigning Approvers to Pipeline Stages

  1. Launch the Deployment Pipeline Configuration app and go to Pipelines.
  2. Select the deployment stage you want to protect (e.g., Review Stage).
  3. In the stage form, mark Pre‑deployment step required as Yes. This tells the pipeline engine to trigger the approval flow before the actual deployment.
  4. Navigate to the Related tab and choose Stage Gate Approvers.
  5. Click New Stage Gate Approver and fill in the lookup fields:
    • Target Stage – the stage you are configuring.
    • Gate Approver – the Entra ID user that must approve.
  6. Save the record.

Repeat the process for every stage that needs an approval gate (e.g., Release Stage). You can assign multiple approvers per stage; the flow will send the approval request to all of them and act on the first response.

Building the Approval Automation

In the same solution, create an Automated cloud flow triggered by the Dataverse action When an action is performed. Configure the trigger:

ParameterValue
Trigger categoryPower Platform Pipelines
Action nameOnApprovalStarted

The flow receives a StageRunId that identifies the pipeline run.

Retrieving the Stage and Its Approvers

  1. Get a row by ID using the Deployment Stage Runs table and the StageRunId. Store the Deployment Stage ID from the result.
  2. Get a row by ID on the Deployment Stages table using the stage ID. This gives you the stage details.
  3. List rows on the Stage Gate Approver table with a filter that returns only rows matching the current stage:
powerfxFilter to match current deployment stage
_new_tg_stage_value eq @{outputs('Get_a_row_by_ID:_Deployment_Stage')?['body/deploymentstageid']}

The exact filter expression depends on the schema name you chose; the pattern above uses the temporary name _new_tg_stage_value. After adding the flow step, use the Peek code feature to find the correct schema name for your lookup column.

Building the Approvers Email List

A Start and wait for an approval action expects a semicolon‑separated list of email addresses (User Principal Names). Because we have a collection of approver rows, we need to compose that string:

  1. Initialize a string variable named varApproverEmails with an empty value.
  2. Apply to each the approver rows from the list step.
  3. Inside the loop, use Get user profile (V2) from the Office 365 Users connector with the approver’s Entra ID.
  4. Append to string variable using the expression:
powerfxAppend UPN to variable
concat(variables('varApproverEmails'),
outputs('Get_user_profile')?['body/mail'],
';')

This builds a string like alice@contoso.com;bob@contoso.com;.

Sending the Approval Request

Add an ApprovalsStart and wait for an approval action:

FieldValue
Approval typeApprove/Reject – First to respond
TitleDeployment approval required: {Artifact Name} to {Stage Name}
Assigned tovarApproverEmails
DetailsPlease approve or reject the deployment of {Artifact Name} to the {Stage Name} stage.

You can pull {Artifact Name} and {Stage Name} from the earlier Dataverse lookups using dynamic content.

Marking the Pipeline as Approved or Rejected

After the approval action, add a Condition that checks the outcome of the approval.

  • If the outcome equals Approve → use the unbound Dataverse action UpdateApprovalStatus with these inputs:

    • Approval Properties: workflow() (the trigger outputs)
    • StageRunId: the StageRunId from the trigger
    • Approval Status: 20 (approved)

  • Else (rejected or canceled) → same UpdateApprovalStatus action but with Approval Status: 30 (rejected)

powerfxCalling UpdateApprovalStatus in the yes branch
Approval Status: 20
StageRunId: @{triggerOutputs()?['body/StageRunId']}

The pipeline engine listens for this status change and continues or stops the deployment accordingly.

Testing the Implementation

  1. In a development environment that is connected to your pipeline, open a solution and select Deploy.
  2. Choose the target stage that has approvals enabled.
  3. The pipeline will show a “pending approval” state as soon as the flow triggers.
  4. The approver receives the request in Teams, email, or the Power Automate Approvals center.
  5. After approval, the pipeline proceeds to deploy. If rejected, the run is marked as failed and the solution is not applied.

Security and Delegation Considerations

  • The flow must run under an identity that has write privileges to the Deployment Stage Runs table and can execute the UpdateApprovalStatus action. Usually the System Customizer or Pipeline Admin role suffices.
  • Approver users need no additional permissions beyond being able to see the approval request.
  • The Stage Gate Approver table is stored in the Pipelines Host environment. Ensure the flow’s Dataverse connection points to that environment.
  • For sensitive stages, consider using a separate approval flow per stage to limit the blast radius of a misconfiguration.

Common Mistakes and Troubleshooting

IssueLikely causeSolution
Flow not triggeredPre‑deployment required flag not set on the stageMark the stage as requiring pre‑deployment step
Filter returns no rowsWrong column schema name or incorrect GUID comparisonPeek code of the stage ID output and update the field name
Approval request not deliveredvarApproverEmails is empty or contains invalid UPNsCheck each user profile lookup output; test with a single user
UpdateApprovalStatus failsFlow owner lacks permissions on DeploymentStageRun entityGrant Pipeline Administrator role to the flow owner
Deployment hangs after approvalThe approval status update did not execute; missing workflow()Ensure Approval Properties is set to workflow()

A Final Recommendation

Adding approval gates to Power Platform Pipelines significantly strengthens your ALM security without requiring expensive third‑party tools. The pattern described here is maintainable and can be extended to include multi‑stage approvals, escalation timers, or integration with Microsoft Teams adaptive cards. Start with a single critical stage, validate the flow with a test user, and then roll it out to your entire pipeline.

References