microsoft / coe-starter-kit


[CoE Starter Kit - BUG] "HELPER – Maker Check" failing for managed identity #3544

Open schaud137 opened 2 years ago

schaud137 commented 2 years ago


Describe the issue

I deployed the Power Platform landing zone using a user-assigned managed identity, following https://github.com/microsoft/industry/blob/main/foundations/powerPlatform/referenceImplementation/readme.md. Environments are deployed using this managed identity.

"Admin | Sync Template v3" is failing and "HELPER – Maker Check" is failing. The Helper Maker check fails to recognize the managed identity as a service principal; it tries to do Get User Profile, which fails. "Admin | Sync Template v3" takes about 6 hours and then fails. If I go further in the flow, I get the error below:

"InvalidTemplate. Unable to process template language expressions in action 'Add_Service_Principle' inputs at line '0' and column '0': 'The template language expression 'outputs('Look_up_in_AD_for_Service_Principles_New_App')['body/appDisplayName']' cannot be evaluated because property 'body/appDisplayName' doesn't exist, available properties are 'statusCode, headers, body'. Please see https://aka.ms/logicexpressions for usage details.'."

How can it be resolved?

Expected Behavior

The managed identity with which the Power Platform landing zones are installed should be seen as a service principal, and the Helper Maker Check flow should not fail on it.

What solution are you experiencing the issue with?

Core

What solution version are you using?

3.42

What app or flow are you having the issue with?

HELPER – Maker Check and Admin | Sync Template v3

Steps To Reproduce

No response

Anything else?

No response

AB#1114

Jenefer-Monroe commented 2 years ago

Will need to explore this so putting on backlog. Here is the user type needed https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity

schaud137 commented 2 years ago

I created and am using a user-assigned managed identity according to https://github.com/microsoft/industry/blob/main/foundations/powerPlatform/referenceImplementation/readme.md

schaud137 commented 2 years ago

The Helper Check flow is not taking into account that environments are created by a user-assigned managed identity.

schaud137 commented 2 years ago

Just for info, another interesting thing I found is:

- If I run the Helper flow manually with the Client ID of the managed identity, then it's successful.
- If I run the Helper flow manually with the Object (principal) ID of the managed identity, then it fails.

And during the scheduled run it tries to look up the Object (principal) ID and fails.
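The symptom described in this thread, reconstructed as an added example (this is not CoE Starter Kit code, and the directory data is constructed, not from any tenant): a lookup keyed on the Client ID (Graph `appId`) finds the managed identity, a lookup keyed on the Object ID (Graph `id`) returns an empty result, and indexing `appDisplayName` on that empty result fails the way the `Add_Service_Principle` action does. The resolver below tries both keys and returns `None` rather than raising. The GUIDs, names and the simplified response shape are assumptions for illustration.

```python
"""Resolve an environment creator (user or managed identity) to a display name.

Added example, not code from the CoE Starter Kit. It models the failure in the
issue: the flow filters service principals by appId, so an Object (principal) ID
finds nothing, and the next action indexes ['body/appDisplayName'] on a response
whose body has no such property.
"""
from typing import Optional

# Constructed sample directory. Real Graph objects have more fields; the
# GUIDs and the display name here are placeholders, not real identifiers.
SAMPLE_SERVICE_PRINCIPALS = [
    {
        "id": "11111111-1111-1111-1111-111111111111",      # Object (principal) ID
        "appId": "22222222-2222-2222-2222-222222222222",   # Client ID
        "appDisplayName": "landing-zone-deploy-identity",  # constructed name
        "servicePrincipalType": "ManagedIdentity",
    },
]


def graph_like_filter(principals: list, field: str, value: str) -> dict:
    """Mimic the shape of a Graph list call: status, headers and a body with a
    'value' array. Assumption: this is a stand-in, not the Graph API itself."""
    matches = [sp for sp in principals if sp.get(field) == value]
    return {"statusCode": 200, "headers": {}, "body": {"value": matches}}


def unguarded_display_name(response: dict) -> str:
    """Reproduce the flow's failing expression: read appDisplayName without
    checking that a match came back. Raises KeyError/IndexError on no match."""
    return response["body"]["value"][0]["appDisplayName"]


def resolve_display_name(principals: list, lookup_id: str) -> Optional[str]:
    """Guarded resolver: try the Client ID (appId) first, then the Object ID (id),
    and return None instead of failing when neither matches."""
    for field in ("appId", "id"):
        response = graph_like_filter(principals, field, lookup_id)
        matches = response["body"]["value"]
        if matches:
            # Same guard the flow needs: don't index a property that may be absent.
            sp = matches[0]
            return sp.get("appDisplayName") or sp.get("displayName")
    return None


def lookup_fails_unguarded(principals: list, lookup_id: str) -> bool:
    """True when the flow-style expression would throw for this lookup ID
    (i.e. filtering by appId alone found nothing)."""
    try:
        unguarded_display_name(graph_like_filter(principals, "appId", lookup_id))
        return False
    except (KeyError, IndexError):
        return True


if __name__ == "__main__":
    client_id = "22222222-2222-2222-2222-222222222222"
    object_id = "11111111-1111-1111-1111-111111111111"
    print("by client id:", resolve_display_name(SAMPLE_SERVICE_PRINCIPALS, client_id))
    print("by object id:", resolve_display_name(SAMPLE_SERVICE_PRINCIPALS, object_id))
    print("unguarded lookup by object id fails:",
          lookup_fails_unguarded(SAMPLE_SERVICE_PRINCIPALS, object_id))
```

The manual run in the comment above passes the Client ID, so the appId filter matches; the scheduled run passes the Object ID, so the same filter returns an empty `value` array and the expression has nothing to read. Checking both keys (or checking `length(...)` before indexing) is the defensive pattern the resolver shows.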