microsoft / coe-starter-kit


[CoE Starter Kit - QUESTION] Unable to update the "Audit Logs - Client Azure Secret" variable #6172

Open firefox-edge123 opened 1 year ago

firefox-edge123 commented 1 year ago

Does this question already exist in our backlog?

What is your question?

I recently upgraded my COE kit from the April 2023 release to the July 2023 release.

Things generally went smoothly, but I'm having trouble re-setting up the Audit Log to use the new HTTP connector. (We were previously using the Custom Connector for the Audit Logs)

I am at the step "Update environment variables"

https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup-auditlog-http#update-environment-variables

I successfully set these environment variables

Audit Logs - Audience https://manage.office.com

Audit Logs - Authority https://login.windows.net

Audit Logs - ClientID (I can't post my ClientID, but it saved successfully)

When I try to update the "Audit Logs - Client Azure Secret" variable, I get the attached error message.

[screenshot of the error message]

Here is where I grabbed the values from.

I'm not sure where I should start troubleshooting. Any suggestions?

[screenshot]

[screenshot]

What solution are you experiencing the issue with?

None

What solution version are you using?

No response

What app or flow are you having the issue with?

No response

What method are you using to get inventory and telemetry?

None


Jenefer-Monroe commented 1 year ago

Validate that the Azure Key Vault access control (IAM) is correct. The user needs to be in the Key Vault Secrets User role explicitly to read, and in the Key Vault Contributor role to update.

firefox-edge123 commented 1 year ago

I plan to update the secret in my Key Vault manually using Azure AD (when necessary), so would I therefore only need to add the user to the "Key Vault Secrets User" role?

Jenefer-Monroe commented 1 year ago

I'm not an expert in Azure Key Vault access control, but from my experience you need the contributor role to update the secret in Power Platform.

firefox-edge123 commented 1 year ago

I made the necessary changes to the Access Control (IAM) and waited a few hours, but I still get the same error message when I try to update the "Audit Logs - Client Azure Secret" variable. Any suggestions on what I should do to troubleshoot next?

[screenshot]

[screenshot]

Jenefer-Monroe commented 1 year ago

Unfortunately I've seen these permissions take even a few days to propagate. Since all you are trying to do here is use a product feature (setting an env var to an Azure secret), you may be able to get help from product support.

firefox-edge123 commented 1 year ago

Thank you for your suggestion. I will submit a support ticket in Power Platform Admin Centre for product support.

It's been 3 days and I'm still getting the same error message when I try to update the "Audit Logs - Client Azure Secret" variable. I noticed that under "Connections", the "Office 365 Management API" connection says "Can't sign in". When I click "Fix Connection" and try to log in, I get the error message below (see the second screenshot).

Is the "Office 365 Management API" connector disconnected due to the "Audit Logs - Client Azure Secret" not being setup yet? Or is there a clue here on a misconfiguration I made somewhere?

[screenshot]

[edited screenshot]

Jenefer-Monroe commented 1 year ago

There are currently two ways to gather audit logs.

The error you see with this connection is from the old way.

[screenshot]

These break with every upgrade, one of the reasons we are deprecating it. You can delete that since we are switching you to the new technique with the above.

github1339 commented 1 year ago

I'm seeing the same issue with new installs for both the command center and audit log secrets. I have tried assigning higher levels of permission to the CoE account and Dataverse with no change. The permissions have been in place for around a week. I have submitted a ticket with Azure support, also. Edit: this is in GCC High.

firefox-edge123 commented 1 year ago

@github1339 I was given this link to Microsoft documentation by a Microsoft support technician. Maybe it can also help you with your troubleshooting. I will be doing some testing and will post back when I manage to find a fix to this issue. https://learn.microsoft.com/en-us/power-apps/maker/data-platform/environmentvariables?WT.mc_id=M365-MVP-5003400#use-azure-key-vault-secrets

github1339 commented 1 year ago

@firefox-edge123 Thanks for sharing. I have reviewed that document a few times with no change, but I'll comb through it step by step again. Still working with MS Support on this, myself. I will share if we make any progress.

firefox-edge123 commented 1 year ago

@github1339 I haven't found a solution yet either. For the MS Support ticket I currently have open, I recently got transferred to a different support technician. Hopefully we can find a solution soon.

Jenefer-Monroe commented 1 year ago

Please do let us know what you find.

github1339 commented 1 year ago

@firefox-edge123 @Jenefer-Monroe Still working our ticket with MS Support here, also. Started with Azure team who pulled in Power Platform support. The most recent update I received was notifying me that the issue has been escalated to the Product Group team. I will reply back here when I have any useful info or updates.

firefox-edge123 commented 1 year ago

@github1339 I still haven't had any luck with resolving this issue with a Microsoft support technician. I recently tried upgrading to the Sept 2023 release of the COE kit, but that did not fix the issue. Have you had any luck?

github1339 commented 1 year ago

@firefox-edge123 My ticket is still open with Microsoft. It's been sitting with the product group for a couple weeks now, no recent progress. We're still on the August release with the same results as before. I will definitely send an update here if we can find a resolution. Thanks for the update from your side!

github1339 commented 1 year ago

@firefox-edge123 I got an update this afternoon from Microsoft support. I'm told the Product Group team has determined that the feature we're attempting to utilize with the PowerApps CoE solution has not been enabled yet. They anticipate the feature should be available by the end of this year. I am not certain if this is for all Azure tenant types or just government-cloud tenants. I will provide more info if I get anything useful.

Jenefer-Monroe commented 1 year ago

I do believe this is all non-commercial tenants. Good news is that for the CoE Starter Kit, we were just using this for making setup easier; it doesn't actually block you from using the feature. So we've worked around this by moving the dependency on ARM to a separate app starting in next week's release. You'll have to manually set up the audit logs instead of using the wizard, and the setup wizard (for you all) will point you to that documentation.

github1339 commented 1 year ago

@Jenefer-Monroe Thanks for the additional info! I've done all manual setup to get a working config, so I'll be ready for this. I haven't been able to get the setup wizard to fully work in GCC High (it gets stuck on activating and running the initial flows after initial data entry). I haven't tried the September release yet, though. I really appreciate the team's work on this feature. Thank you!

firefox-edge123 commented 1 year ago

@github1339 I am glad that you now have a working config of the Audit log. I am still not able to update the "Audit Logs - Client Azure Secret" environment variable, so I will keep working with MS Support. Just curious, what was the obstacle you were facing, and how did you get past it?

github1339 commented 1 year ago

@firefox-edge123 For audit logs we ended up just using the admin_AuditLogsClientSecret environment variable to get things working, so the secret is currently in clear text. We had to do the same for the command center secret, as well. Hope that helps. Please let me know if you'd like any other info or if I misunderstood your question.

firefox-edge123 commented 1 year ago

@github1339 I see. For me, I'm going to still try and get the Azure Key Vault working. I realized that in the original post, my error message was "This variable didn't save properly. Could not verify the user permission on …. Make sure that Microsoft.PowerPlatform provider is registered in the Azure subscription."

And now I'm getting the error message "This variable didn't save properly. User is not authorized to read secrets from …"

So I made progress, but I checked the IAM permissions on my Azure Key Vault, and they seem correct.

I will post a solution when I find it.

firefox-edge123 commented 12 months ago

@Jenefer-Monroe

I am still having issues with setting up Audit Logs with HTTP connector, but I decided to just go ahead and upgrade my COE production environment from the July 2023 release to the Sept 2023 release.

I will continue working with a Microsoft support technician to get Audit Logs with the HTTP connector working.

But in the meantime, I will continue using the "custom connector" for Audit Logs in my COE production environment. I followed your instructions to "Maintain custom connector methodology to gather audit logs after deprecation", then successfully upgraded to the Sept 2023 release.

https://github.com/microsoft/coe-starter-kit/issues/6017

Will I be able to use the "custom connector" for Audit logs indefinitely, or will at some point the "custom connector" permanently stop working for everyone (even those who followed the steps in the link above)?

firefox-edge123 commented 11 months ago

@manuelap-msft Would you by any chance know the answer to my question above?

https://github.com/microsoft/coe-starter-kit/issues/6017

Will I be able to use the "custom connector" for Audit logs indefinitely, or will at some point the "custom connector" permanently stop working for everyone (even those who followed the steps in the link above)?

johnravas commented 11 months ago

I am trying to set this up myself and running into the exact same issue. Getting this error: This variable didn't save properly. User is not authorized to read secrets from '/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults//secrets/' resource. I am still on the May edition, but was doing this to prepare to upgrade to August (Yes, trying to get caught up).

Confirmed my roles:

[screenshot of role assignments]

I am using a standard commercial tenant. Have been working with my key vault admins and we are all scratching our heads on this one. I'd really prefer not to put the secret in clear text in the other environment variable. @manuelap-msft can I stay with the custom connector in the August edition? I understood it to be deprecated.

Has anyone made this work?

firefox-edge123 commented 11 months ago

I discovered the cause of the issue. It's due to the firewall on my Azure Key Vault. When I "allow public access from all networks", the issue goes away.

@Jenefer-Monroe I work for an organization that is very strict on security. So I will have to keep the firewall on my Azure Key Vault. Do you by any chance know which IP addresses to allow through my Azure Key Vault firewall?

[screenshot of the Key Vault networking settings]
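The thread above narrows the "This variable didn't save properly" error down to three separate causes: the `Microsoft.PowerPlatform` resource provider not being registered in the subscription, the user lacking the Key Vault Secrets User / Key Vault Contributor roles on the vault, and the Key Vault firewall blocking the Power Platform caller. The following Az PowerShell script is an added diagnostic, not part of the CoE Starter Kit or any participant's post; it reports each of those conditions read-only so you can tell which one you are hitting before opening a ticket. The subscription ID, vault name, secret name and UPN are placeholders, and it assumes the `Az.Accounts`, `Az.Resources` and `Az.KeyVault` modules with an existing `Connect-AzAccount` session.

```powershell
# Added diagnostic for Dataverse environment variables bound to a Key Vault secret.
# Not part of the CoE Starter Kit. All parameter defaults are placeholders.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$VaultName      = 'my-coe-vault',                           # placeholder
    [string]$SecretName     = 'AuditLogsClientSecret',                  # placeholder
    [string]$UserUpn        = 'coe-admin@contoso.com'                   # placeholder
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Error "Make sure that Microsoft.PowerPlatform provider is registered in the Azure subscription."
$provider = Get-AzResourceProvider -ProviderNamespace 'Microsoft.PowerPlatform' |
            Select-Object -First 1
if ($provider.RegistrationState -ne 'Registered') {
    Write-Warning ("Microsoft.PowerPlatform is '{0}'. Fix: Register-AzResourceProvider " +
                   "-ProviderNamespace Microsoft.PowerPlatform (needs Contributor/Owner on the subscription)") `
                   -f $provider.RegistrationState
} else {
    Write-Host 'OK: Microsoft.PowerPlatform resource provider is registered'
}

# 2. Error "User is not authorized to read secrets from ... resource."
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault '$VaultName' not found in subscription $SubscriptionId" }

# Azure RBAC roles only apply when the vault uses the RBAC permission model; with the
# legacy access-policy model the IAM blade assignments are ignored for data-plane access.
if (-not $vault.EnableRbacAuthorization) {
    Write-Warning 'Vault uses the access-policy model; Key Vault Secrets User/Contributor RBAC roles will not grant secret access'
}

# Assignments on the vault scope include those inherited from the resource group/subscription.
$roles = (Get-AzRoleAssignment -SignInName $UserUpn -Scope $vault.ResourceId).RoleDefinitionName
foreach ($required in 'Key Vault Secrets User', 'Key Vault Contributor') {
    if ($roles -contains $required) {
        Write-Host "OK: $UserUpn has '$required' on $($vault.ResourceId)"
    } else {
        Write-Warning "$UserUpn is missing '$required' on $($vault.ResourceId)"
    }
}

# Confirm the secret itself exists (and is enabled) so the binding has something to read.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction SilentlyContinue
if (-not $secret)              { Write-Warning "Secret '$SecretName' not found or not readable by this session" }
elseif (-not $secret.Enabled)  { Write-Warning "Secret '$SecretName' exists but is disabled" }
else                           { Write-Host "OK: secret '$SecretName' exists and is enabled" }

# 3. The last post: the vault firewall. With DefaultAction = Deny, only the listed IP ranges,
# virtual network rules, and (if Bypass includes AzureServices) trusted Azure services get through.
$acl = $vault.NetworkAcls
Write-Host ("Firewall: DefaultAction={0} Bypass={1}" -f $acl.DefaultAction, $acl.Bypass)
if ($acl.DefaultAction -eq 'Deny') {
    Write-Warning 'Public access is restricted; the Power Platform caller must match an allowed rule'
    Write-Host ("Allowed IP ranges: {0}" -f (($acl.IpAddressRanges) -join ', '))
    Write-Host ("Allowed VNet rules: {0}" -f (($acl.VirtualNetworkResourceIds) -join ', '))
    # To allow a range without opening the vault to all networks (203.0.113.0/24 is a placeholder,
    # not a Power Platform address; take the real ranges from Microsoft's published IP/service-tag lists):
    #   Add-AzKeyVaultNetworkRule -VaultName $VaultName -IpAddressRange '203.0.113.0/24'
} else {
    Write-Host 'OK: vault allows public access from all networks'
}
```

Run it as the same user that is setting the environment variable in Power Apps, since that is the identity Dataverse checks. The script deliberately only reads; changing the firewall with `Update-AzKeyVaultNetworkRuleSet -DefaultAction Allow` reproduces the "allow public access from all networks" workaround in the last post, which is the trade-off the poster wants to avoid.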