[CoE Starter Kit - BUG] Admin | Sync Template v4 (Security Roles) Error on "List SystemUser Record" #8244
Comments
hanuschkaih
added
bug
|
Can you please check in Entra if these use cases are disabled there? I ask as Envts also have their own concept of enabled so wondering what your case is. |
|
Hi Jenefer, thanks for your fast reply. I did not find the users in Entra ID at all (tried to search in many ways, same result for both users) |
|
Thank you for checking that. Put this expression: Here: Result you should see: |
|
Hi Jenefer, By the way - another flow now fails with a quite similar message - maybe that helps... |
|
oh interesting. In that case we arent querying for users at all, I think it might be referencing the user identity running the flow. Which would correlate to the Forbidden message better. Can you please :
|
|
Hi Jenefer,
|
|
Unfortunately you need to have System Admin permission in the environment in order for our kit to be used to gather inventory. In the past this requirement was not as obvious to people as the presence in the PPAdmin Role assigned the permission automatically. However this behavior is changing (feature in preview) and so that's why I asked as we will be adding tooling to add the PPAdmin to this role automatically going forward, once the connector is supported in all regions. Please see #8119 |
|
OK, I see... so we need to finde a solution here... |
|
Thanks for the suggestion. I did go test this after your note and found that the technique offered by the product team to escalate privaledge does work even if the user is not in the SG. Please see the workaround solution file in #8119 |
|
Hi Jenefer, I tried out the workaround but the PIM Workaround flow also fails for this environment (and some others) for the same reasons that the user is not part of the security group... |
|
Are you running the flow as someone who is directly and permanently part of the Power Platform Admin Role? |
|
No and yes - the role was assigned through a group, but it's permanent and without PIM.
A Global admin has now changed it to a direct assignment with the following result
*
The PIM Flow still had 2 errors, but NOT for the respective environment
*
the Sync Template v4 (Security Role) Flow now ran succesfully when resubmitting the faulty runs
Thanks for solving the issue!
Best regards
Ihno
|
|
Hello can you please help me understand. So you had to set the PPAdmin to be direct, not through a group. And with that the issue with the SG went away? |
|
Hi Jenefer, After that, I ran the PIM Workaround flow again
Best regards |
|
Really appreciate your response. This is a new feature and so we are still working to understand the limitations it has. |
|
closing out as no further action for starter kit team |
Does this bug already exist in our backlog?
Describe the issue
This error comes up for 2 users in 2 environments.
It seems to me as if disables users should be excluded in an earlier step of the flow.
Expected Behavior
No error
What solution are you experiencing the issue with?
Core
What solution version are you using?
4.29
What app or flow are you having the issue with?
Admin | Sync Template v4 (Security Roles)
What method are you using to get inventory and telemetry?
None
Steps To Reproduce
Activate Flow
Receive COE Error notification by email
Anything else?
No response
AB#3214
The text was updated successfully, but these errors were encountered: