The question what is new in powerapps for MCP server lacks a precise product definition, so rather than speculating on features, this guide shows how to reliably surface and version "What’s New" updates into Power Apps using a secure .NET 8 backend, strict TypeScript validation, and Azure-native security. You will get a production-ready pattern that Power Apps can call via a Custom Connector, keeping your release notes current without manual edits.
The Problem
Teams need a trustworthy way to display "What’s New" for MCP server in Power Apps, but the upstream source and format of updates can change. Hardcoding content or querying unsecured endpoints leads to drift, security gaps, and poor developer experience.
Prerequisites
- .NET 8 SDK
- Node.js 20+ and a package manager (pnpm/npm)
- Azure subscription with permissions to create: Azure Functions or Container Apps, Key Vault, Azure API Management, Application Insights
- Entra ID app registration for the API (OAuth 2.0)
- Power Apps environment (to build a Custom Connector)
The Solution (Step-by-Step)
1) .NET 8 Minimal API that normalizes "What’s New" items
This minimal API demonstrates production-ready design: DI-first, HttpClientFactory, global exception handling, validation, versioned contract, and managed identity for downstream access.
// Program.cs (.NET 8, file-scoped namespace, minimal API, DI-centric)
using System.Net.Http.Json;
using System.Text.Json;
using System.Text.Json.Serialization;
using Azure.Identity; // DefaultAzureCredential for managed identity
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Azure;
var builder = WebApplication.CreateBuilder(args);
// Strongly typed options for upstream source configuration
builder.Services.Configure<NewsOptions>(builder.Configuration.GetSection("News"));
// HttpClient with resilient handler
builder.Services.AddHttpClient<INewsClient, NewsClient>()
.SetHandlerLifetime(TimeSpan.FromMinutes(5));
// Azure clients via DefaultAzureCredential (uses Managed Identity in Azure)
builder.Services.AddAzureClients(azure =>
{
azure.UseCredential(new DefaultAzureCredential());
var kvUri = builder.Configuration["KeyVaultUri"]; // e.g., https://my-kv.vault.azure.net/
if (!string.IsNullOrWhiteSpace(kvUri))
{
azure.AddSecretClient(new Uri(kvUri));
}
});
// Application Insights (OpenTelemetry auto-collection can also be used)
builder.Services.AddApplicationInsightsTelemetry();
var app = builder.Build();
// Global exception handler producing problem+json
app.UseExceptionHandler(errorApp =>
{
errorApp.Run(async context =>
{
var feature = context.Features.Get<IExceptionHandlerPathFeature>();
var problem = new ProblemDetails
{
Title = "Unexpected error",
Detail = app.Environment.IsDevelopment() ? feature?.Error.ToString() : "",
Status = StatusCodes.Status500InternalServerError,
Type = "https://httpstatuses.com/500"
};
context.Response.StatusCode = problem.Status ?? 500;
context.Response.ContentType = "application/problem+json";
await context.Response.WriteAsJsonAsync(problem);
});
});
app.MapGet("/health", () => Results.Ok(new { status = "ok" }));
// Versioned route for the normalized news feed (v1)
app.MapGet("/api/v1/news", async (
INewsClient client
) => Results.Ok(await client.GetNewsAsync()))
.WithName("GetNewsV1")
.Produces<NewsItemV1[]>(StatusCodes.Status200OK)
.ProducesProblem(StatusCodes.Status500InternalServerError);
app.Run();
// Options to control the upstream feed location and parsing mode
public sealed class NewsOptions
{
public string? SourceUrl { get; init; } // Upstream JSON or RSS converted via a worker
public string Format { get; init; } = "json"; // json|rss (extend as needed)
}
// Public DTO contract exposed to Power Apps via Custom Connector
public sealed class NewsItemV1
{
public required string Id { get; init; } // stable identifier
public required string Title { get; init; }
public required string Summary { get; init; }
public required DateTimeOffset PublishedAt { get; init; }
public string? Category { get; init; } // optional taxonomy
public string? Url { get; init; } // link to detail page
}
// Client interface for fetching and normalizing upstream data
public interface INewsClient
{
Task<NewsItemV1[]> GetNewsAsync(CancellationToken ct = default);
}
// Implementation that reads upstream source, validates, and normalizes
public sealed class NewsClient(HttpClient http, Microsoft.Extensions.Options.IOptions<NewsOptions> options) : INewsClient
{
private readonly HttpClient _http = http;
private readonly NewsOptions _opts = options.Value;
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
};
public async Task<NewsItemV1[]> GetNewsAsync(CancellationToken ct = default)
{
if (string.IsNullOrWhiteSpace(_opts.SourceUrl))
throw new InvalidOperationException("News:SourceUrl is not configured.");
// Fetch upstream JSON and map to a stable contract consumed by Power Apps
var upstreamItems = await _http.GetFromJsonAsync<UpstreamItem[]>(_opts.SourceUrl, JsonOptions, ct)
?? Array.Empty<UpstreamItem>();
// Normalize and order by publish date desc
return upstreamItems
.Select(u => new NewsItemV1
{
Id = u.Id ?? Guid.NewGuid().ToString("n"),
Title = u.Title ?? "Untitled",
Summary = u.Summary ?? string.Empty,
PublishedAt = u.PublishedAt == default ? DateTimeOffset.UtcNow : u.PublishedAt,
Category = u.Category,
Url = u.Url
})
.OrderByDescending(n => n.PublishedAt)
.ToArray();
}
// Internal model matching the upstream source (keep flexible)
private sealed class UpstreamItem
{
public string? Id { get; init; }
public string? Title { get; init; }
public string? Summary { get; init; }
public DateTimeOffset PublishedAt { get; init; }
public string? Category { get; init; }
public string? Url { get; init; }
}
}
Configuration (appsettings.json):
{
"News": {
"SourceUrl": "https://<your-source>/mcp-news.json",
"Format": "json"
},
"KeyVaultUri": "https://<your-kv>.vault.azure.net/"
}
Pro-Tip: Use AsNoTracking() in Entity Framework when performing read-only queries to improve performance.
2) Secure Azure deployment with Managed Identity and API Management
- Deploy as Azure Functions (isolated) or Azure Container Apps. Enable System-Assigned Managed Identity.
- Expose through Azure API Management with OAuth 2.0 (Entra ID) for inbound auth. Create a Power Apps Custom Connector pointing to APIM.
Required RBAC roles (assign to the managed identity or DevOps service principal):
- Key Vault Secrets User (to read secrets if you store upstream source credentials or API keys)
- App Configuration Data Reader (if using Azure App Configuration instead of appsettings)
- API Management Service Contributor (to publish and manage the API surface)
- Monitoring Reader (to view Application Insights telemetry)
- Storage Blob Data Reader (only if the upstream source is in Azure Storage)
Pro-Tip: Favor Managed Identity and DefaultAzureCredential across services; avoid connection strings and embedded secrets entirely.
3) Strict TypeScript models with Zod and versioning
The client schema mirrors the v1 API and can evolve with v2+ while keeping backward compatibility in Power Apps and React.
// news.schema.ts (TypeScript, strict mode)
import { z } from "zod";
// Discriminated union enables future breaking changes with clear versioning
export const NewsItemV1 = z.object({
id: z.string().min(1),
title: z.string().min(1),
summary: z.string().default(""),
publishedAt: z.string().datetime(),
category: z.string().optional(),
url: z.string().url().optional()
});
export const NewsResponseV1 = z.array(NewsItemV1);
export type TNewsItemV1 = z.infer<typeof NewsItemV1>;
export type TNewsResponseV1 = z.infer<typeof NewsResponseV1>;
// Future-proof: union for versioned responses
export const NewsResponse = z.union([
z.object({ version: z.literal("v1"), data: NewsResponseV1 })
]);
export type TNewsResponse = z.infer<typeof NewsResponse>;
4) React 19 component using TanStack Query
Functional component with error and loading states, plus Zod runtime validation.
// NewsPanel.tsx (React 19)
import React from "react";
import { useQuery } from "@tanstack/react-query";
import { NewsResponseV1, type TNewsItemV1 } from "./news.schema";
async function fetchNews(): Promise<TNewsItemV1[]> {
const res = await fetch("/api/v1/news", { headers: { Accept: "application/json" } });
if (!res.ok) throw new Error(`Failed: ${res.status}`);
const json = await res.json();
const parsed = NewsResponseV1.safeParse(json);
if (!parsed.success) throw new Error("Schema validation failed");
return parsed.data;
}
export function NewsPanel(): JSX.Element {
const { data, error, isLoading } = useQuery({
queryKey: ["news", "v1"],
queryFn: fetchNews,
staleTime: 60_000
});
if (isLoading) return <div>Loading updates…</div>;
if (error) return <div>Failed to load updates.</div>;
return (
<ul>
{data!.map(item => (
<li key={item.id}>
<strong>{item.title}</strong> — {new Date(item.publishedAt).toLocaleDateString()}<br />
{item.summary}
</li>
))}
</ul>
);
}
5) Power Apps Custom Connector
Create a Custom Connector targeting the APIM endpoint /api/v1/news. Map the response to your app data schema. Add the connector to your Power App and display the items in a gallery. When the upstream feed changes, you only update the backend normalizer, not the app.
Best Practices & Security
- Authentication: Use Entra ID for APIM inbound auth. Backend-to-Azure uses DefaultAzureCredential with Managed Identity.
- Secrets: Store upstream tokens in Key Vault; assign Key Vault Secrets User to the app’s managed identity.
- Telemetry: Enable Application Insights. Track request IDs and dependency calls for the upstream fetch.
- Authorization: Restrict APIM access via OAuth scopes and, if needed, IP restrictions or rate limits.
- Resilience: Configure retry and timeout on HttpClient with sensible limits; add circuit breakers if the upstream is unreliable.
- Versioning: Pin /api/v1/news; introduce /api/v2/news when the contract changes. Version TypeScript schemas alongside API versions.
App Insights integration (example):
// Add to Program.cs before app.Run(); ensure Application Insights is enabled
app.Use(async (ctx, next) =>
{
// Correlate requests with upstream calls via trace IDs
ctx.Response.Headers["Request-Id"] = System.Diagnostics.Activity.Current?.Id ?? Guid.NewGuid().ToString();
await next();
});
Testing strategy:
- API: Unit test NewsClient with mocked HttpMessageHandler; integration test /api/v1/news in-memory.
- TypeScript: Schema tests to ensure validation rejects malformed payloads; component tests for loading/error states.
- Contract: Add a CI step that fetches a sample payload from the upstream and validates against NewsResponseV1.
Security roles recap:
- API surface: API Management Service Contributor
- Secrets: Key Vault Secrets User
- Config (if used): App Configuration Data Reader
- Monitoring: Monitoring Reader
- Storage (if used): Storage Blob Data Reader
Pro-Tip: Use APIM policies (validate-content, rate-limit-by-key) to protect the API consumed by Power Apps.
Summary
- Do not guess "what’s new" for MCP server; centralize updates behind a stable, versioned API.
- Use Managed Identity, DefaultAzureCredential, and APIM OAuth to secure end-to-end access for Power Apps.
- Validate with Zod, monitor with Application Insights, and evolve safely via API/schema versioning.
