[CoE Starter Kit - BUG] Audit Log custom connector configuration error: '{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}'

[ChrisHuntingford]

Describe the issue

We are working on implementing the audit log functionality and we have followed all of the usual steps to get this working. We have configured the customer connector as a global admin and connected with this account. Everything connected correctly, however when testing the "StartSubscription" action we get the following errors:

401

'{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}').

Request:

URL:

https://europe-002.azure-apim.net/apim/admin-5foffice-20365-20management-20api-5f9924d3d59a6fb2d8/4a60b5c35a6346f69caa357b58a46ea1/aa06dce7-99d7-403b-8a08-0c5f50471e64/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=f916ab2d-630b-49b7-ab53-b600230bf8a9 Method:

Post

HEaders:

{ "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9.eyJhdWQiOiJodHRwczovL2FwaWh1Yi5henVyZS5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9hYTA2ZGNlNy05OWQ3LTQwM2ItOGEwOC0wYzVmNTA0NzFlNjQvIiwiaWF0IjoxNjU3ODA0NTk3LCJuYmYiOjE2NTc4MDQ1OTcsImV4cCI6MTY1NzgwOTA4MSwiYWNyIjoiMSIsImFpbyI6IkUyWmdZQWdRL2hoYm5LM1d0U1U0NWIyeWFwQkVWY3lsS3FOcXd3TzZHcklCV2RkNDRnRT0iLCJhbXIiOlsicHdkIiwicnNhIl0sImFwcGlkIjoiN2RmMGExMjUtZDNiZS00Yzk2LWFhNTQtNTkxZjgzZmY1NDFjIiwiYXBwaWRhY3IiOiIyIiwiZGV2aWNlaWQiOiIyODZhYTRmNy0yOTUzLTRkZDItODQ0Zi02MzMwMjhhM2YyNmEiLCJmYW1pbHlfbmFtZSI6IlZpbGxhbGJhIFNhaW56IGRlIEFqYSIsImdpdmVuX25hbWUiOiJKdWxpbyIsImlwYWRkciI6IjEzNi4yMzguMi41MSIsIm5hbWUiOiJKdWxpbyBWaWxsYWxiYSBTYWlueiBkZSBBamEiLCJvaWQiOiJmOTNiZTIyNS1iOGRlLTRlOTEtYTNjZC00ZmUxOTRmYzkzZWYiLCJvbnByZW1fc2lkIjoiUy0xLTUtMjEtMzY2MzkwMzM0OS0zNzUwODg1MjU5LTEwMTExNTk0OTEtNDIzMTI1IiwicHVpZCI6IjEwMDMyMDAwQTg0QkM3MUIiLCJyaCI6IjAuQVFrQTU5d0dxdGVaTzBDS0NBeGZVRWNlWkY4OEJmNlNOaFJQcnZMdU5Qd0lISzRKQUh3LiIsInNjcCI6InVzZXJfaW1wZXJzb25hdGlvbiIsInN1YiI6ImZGLW1FSVF2bkxrLTRpc2dzZVZCaWk1MEdlaTRGTDFnakxSOWs0c1kxcFEiLCJ0aWQiOiJhYTA2ZGNlNy05OWQ3LTQwM2ItOGEwOC0wYzVmNTA0NzFlNjQiLCJ1bmlxdWVfbmFtZSI6Imp1bGlvLnZpbGxhbGJhQHNjaGluZGxlci5jb20iLCJ1cG4iOiJqdWxpby52aWxsYWxiYUBzY2hpbmRsZXIuY29tIiwidXRpIjoiWW9VSHNROHhNazJuQmlMeXdiWXRBQSIsInZlciI6IjEuMCJ9.HMUMcV5qPTBJaj3mC63AcLn5uBUv1XRr5iK0BuBmR33472FF_mom7RKhkdWiRxe4g6k1Q4Dcd7lxj9CtNtUD9Iv2-1rgyiBYF4ox_T5C0yvd7RUZ3t3MwdJEpaRZD-yOZo-4fh-RBzObZQB5s31joZxpFmjxnAlBAA4zse0LEIP9cjipJ0feV_OgEtdVblB6MMvp0DEYmRUvaiOmMfAeOW949tMQXUvnIfMewHK2y_hWUY-WbIh4elBMBPEC760ZCgl51j5xEQBOi82OTG9311uzlei1nwNZDFOSDMIKa8WkNfKOVWDdCHJUnVbDjjnx3V2yFgxkevwP-8umVYzA", "Content-Type": "application/json; utf-8" } Body: {}

Response:

Status:

(401)

Headers:

{ "cache-control": "no-cache", "content-length": "161", "content-type": "application/json; charset=utf-8", "date": "Thu, 14 Jul 2022 13:30:11 GMT", "expires": "-1", "pragma": "no-cache", "www-authenticate": "Bearer", "x-aspnet-version": "4.0.30319", "x-ms-apihub-cached-response": "true", "x-ms-apihub-obo": "true", "x-powered-by": "ASP.NET" }

Body

{ "error": { "code": "AF10001", "message": "The permission set (.d3f85fe8-8726-416f-807b-6bf5dcad01c9) sent in the request does not include the expected permission." } }

Expected Behavior

The start subscription action should successfully test.

What solution are you experiencing the issue with?

Audit Log

What solution version are you using?

2,9

What app or flow are you having the issue with?

Custom Connector

Steps To Reproduce

No response

Anything else?

No response

[Jenefer-Monroe]

My guess from the error message is that you added the secret id (its GUID) and not the secret's value in the configuration.

[ChrisHuntingford]

Hey Jenefer! Thanks so much for responding. We actually did do that in the beginning and ended up changing to the actual secret, and we still experienced the error :(

[Jenefer-Monroe]

The same error?

[ChrisHuntingford]

You're looking at it :)

[manuelap-msft]

Can you check if the Azure App Registration has the right permissions and does have Grant Admin Consent done? Steps 5 to 7 here: https://docs.microsoft.com/en-us/power-platform/guidance/coe/setup-auditlog#create-an-azure-ad-app-registration-for-the-office-365-management-api

The permissions should look like this

[manuelap-msft]

Here's the error code that you're getting from the API we're using if that helps with your debugging: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#errors

[ChrisHuntingford]

Thank you kindly! Let me connect with the org I'm working with.... I hope you don't mind if I test and feedback asap :) APpreciate you all looking into this with me.

[ChrisHuntingford]

HI ALL! Okay I have just checked with my friend who had global admin privileges and we checked the permissions as well as ran through the URL you sent and we are still unable to figure it out. It's the first time getting this so we may be missing something small. Would it be possible to jump on a short call to run you through the setup! I know you are busy so I don't want to use too much of your time. Please and Thank you :)

[ChrisHuntingford]

[manuelap-msft]

Hello,

from the screenshot, it looks like you have assigned the ActivityFeed.Read permission to Application and not Delegated. It should look like this

[manuelap-msft]

When you add the permissions, pick this:

[ChrisHuntingford]

AAAGH Im an idiot! THANK YOU!! I think just too long looking at one thing! Ill get this changed and report back :D

[manuelap-msft]

Hopefully that's it!

No worries, we see setup errors often enough that we have a sixth sense for when something doesn't look right ;)

[ChrisHuntingford]

You are a digital psychologist! Fixing all my traumatic past CoE installation & Configuration issues.

[manuelap-msft]

If we're the ones causing the pain, I'm not sure we can then claim credit for fixing it ;)

[ChrisHuntingford]

The only person who can heal you is the one who made you cry in the first place :D :D Jokes aside... You are rarely the ones causing the pain... It's normally based on my inability to follow pretty clear instructions. I get distracted by shiny objects :D

[ChrisHuntingford]

RIGHT ALL IS WORKING! WE HAVE AUDIT LIFTOFF!! THank you once again for all of your help :)