microsoft / coe-starter-kit


[CoE Starter Kit - BUG] App Owner field blank when owner exists - guest users #7457

Open bleno123 opened 8 months ago

bleno123 commented 8 months ago

Does this bug already exist in our backlog?

Describe the issue

I installed the CoE starter kit a few weeks ago and installation went fine. (Center of Excellence - Core Components version 4.17). I started digging through the associated Power BI Dashboard and for many of my apps, no owner is listed. However when I go into make.power.apps and view properties of that app, an owner exists. Secondly, very few apps show as orphaned but when I once again look at properties of the app, that owner is no longer with my company.

Expected Behavior

I expect that the app owner would fill in according to what I see via PP admin center and not show as null in Power BI Dashboard. I would also expect to see more orphaned apps.

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.17

What app or flow are you having the issue with?

Not sure which one pulls in app owner or orphaned apps

What method are you using to get inventory and telemetry?

Cloud flows

Steps To Reproduce

No response

Anything else?

No response

AB#2037

Jenefer-Monroe commented 8 months ago

Please go to the Admin Command Center > CoE Flows > Inventory. Validate that all flows are turned on and that there are no unmanaged layers as shown here: [image]

bleno123 commented 8 months ago

All flows are turned on. There are a few that failed but not sure it would affect the issue I'm having. The failed flows include the following: Admin | Add Maker to Group, HELPER - ObjectOperations, and SetupWizard>ShareApps

bleno123 commented 8 months ago

There are also no unmanaged layers

Jenefer-Monroe commented 8 months ago

Ownership is determined at the time the object is inventoried. Meaning these flows for canvas apps: Admin | Sync Template v4 (Apps) and SYNC HELPER - Apps.

Orphan check happens with this flow: CLEANUP - Admin | Sync Template v3 (Orphaned Makers).

If someone already left the organization at the time you start the inventory, we are not able to get their information as we use the O365 Users connector and it cannot get users deleted from the AD.

If this still does not answer the question, can you please share some specific cases of concern?

bleno123 commented 8 months ago

Hi Jenefer. I think that does make sense. I think I was confused because when I reviewed the app or flow detail, it would always list an owner but the dashboard wouldn't reflect that. But you're saying regardless of what the app/flow detail says for an owner, the dashboard is only going to pull in an owner if they were active in Azure AD at the time the object was inventoried, correct?

On a similar note, I've found a couple of examples where no app owner is listed in dashboard but listed in app detail like above. However, the user in this case is listed in AD as a guest user with a different identity (ExternalAzureAD) than a regular employee. I'm assuming that also causes an app owner to show up as blank in the dashboard. Do you know for sure on this one?

Thanks again for your help. I really appreciate it.

Jenefer-Monroe commented 8 months ago

Correct. The product has some extra tables it keeps around and stores old deleted users but we do not access them for our processes. So if they are gone when the object is inventoried they will be blank. However if they leave after you install the kit then we store the users information like Display Name.

Regarding guest users. That is interesting. I haven't tested how they show up; I had just assumed they would work. I can take a look.

Jenefer-Monroe commented 8 months ago

This should work. External AD users do come back as normal when you query with their ID. Can you please find one of these examples, note its app id and envt id, then run this flow with the input: [image]

Open the results and look here: [image]

bleno123 commented 8 months ago

Regarding maker ID, where do I find that? Is that the same as their object ID in Azure AD? If so it's different.

Here is the output:

{
  "userisorphan": true,
  "userissystem": false,
  "userisserviceprinciple": false,
  "usercompany": "",
  "userdepartment": "",
  "userdisplayname": "",
  "usercity": "",
  "usercountry": "",
  "userpreferredlanguage": "en-US",
  "userid": "removed this part for security purposes",
  "useremail": "",
  "usermanagerid": "",
  "usermanagername": "",
  "userisenabled": true,
  "userupn": "",
  "userstate": ""
}

Jenefer-Monroe commented 8 months ago

Yes, the GUID expected there is the same as the GUID in the AD. Sounds like the issue is that PowerApps isn't returning the correct user to us. Please scroll up in the run to this step and look at the output. What is returned for owner? [image]

bleno123 commented 8 months ago

I don't see a "show raw inputs" button but if I look under OUTPUTS, that user name and his info does show up.

Jenefer-Monroe commented 8 months ago

What shows up for Owner ID? If you browse to the run from flow.microsoft.com instead of powerapps.microsoft.com you will see "show raw outputs".

bleno123 commented 8 months ago

In my case it's "a4869....." and displays the name of the owner of the app.

Jenefer-Monroe commented 8 months ago

Sorry and to clarify, a4869... is the guest user's account in AD?

Jenefer-Monroe commented 8 months ago

Please go run this flow, put their GUID in the parameter and set Recheck to true. Please open the run and share the path that is followed. [image]

bleno123 commented 8 months ago

Sorry and to clarify, a4869... is the guest user's account in AD?

I'm trying to figure out what that ID refers to. Their object ID in AD starts with '273'.

bleno123 commented 8 months ago

I ran that last flow. I'm not sure what you mean by "path". Also, happy to jump on the phone too. You may not do that type of troubleshooting but wanted to throw it out there. Thanks.

Jenefer-Monroe commented 8 months ago

Unfortunately we are not staffed to have calls with our GitHub users; we are a very small team staffing all 11k installs of the kit. We do best effort to assist, but since we aren't a product, and rather just a template implementation, we just aren't staffed for it.

That said, no need to run that flow. This was the key, I had misunderstood. [image]

So for guest users the product does not return the AD GUID of the user but some other GUID. So that is the product blocking bug.

If I were to guess, it would be that this is the GUID of the user in the systemuser table in that envt. So if it were in your default envt, for example, you could go to the default envt and open the systemuser table: [image]

These are probably the two GUIDs we are seeing. Can you take a look?

bleno123 commented 8 months ago

Ok. I did what you asked, and in this systemuser table (I pulled from our default environment, not the environment where CoE is installed), his Azure AD Object ID (according to this table) starts with a486, which is what I mentioned at one point earlier in this thread (see image), even though when I look at his user profile in Azure AD, his object ID starts with 273. I'm not sure why they are different or what that means. This users table also has a column for "isdisabled", and it is listed as True. However, his account status in Azure AD is "Enabled". So I guess I'm confused as to what all this means.

[image]

Jenefer-Monroe commented 8 months ago

Just as an FYI, each envt has a different GUID for users in that table. But it sounds like the issue is with what Power Apps is returning.

In summary:
Guest user with Azure AD object ID 273... created an app.
When Power Apps returns the owner id of the app, it returns, as his GUID, a4869..., which is incorrect.

If that's a correct summary, I'll have to mark this as a product bug and see if they will take traction on it.
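As an added illustration (not CoE Starter Kit code, and not anything the maintainers posted), here is the owner-resolution step the thread describes, modelled in Python: the owner id Power Apps returns is looked up by GUID as the O365 Users connector does, an unresolvable id yields the blank orphan record shown earlier, and a guest user's environment-local systemuser id only resolves if it is first mapped to the Azure AD object id. All GUIDs, directory entries and systemuser rows are constructed, and treating the Dataverse column azureactivedirectoryobjectid as the bridge back to Azure AD is the thread's hypothesis, not a confirmed product behaviour.

```python
# Added example, not CoE Starter Kit code. Models the owner lookup from the
# thread and the guest-user GUID mismatch. All ids and rows are constructed.

# Constructed directory of users resolvable by Azure AD object id. Someone who
# left before inventory is simply absent and resolves to a blank record.
AAD_USERS = {
    "273e1f2a-0000-4000-8000-000000000001": {   # guest maker, "273..." as in thread
        "displayName": "Guest Maker", "mail": "guest@partner.example", "enabled": True},
    "9b1c0d7e-0000-4000-8000-000000000002": {
        "displayName": "Employee Maker", "mail": "maker@corp.example", "enabled": True},
}

# Constructed per-environment systemuser rows keyed by environment-local GUID
# (the "a4869..." style id the thread saw). azureactivedirectoryobjectid is the
# Dataverse column name; using it as the bridge back to AAD is an assumption.
SYSTEMUSER_TABLE = {
    "a4869b3c-0000-4000-8000-000000000003": {
        "azureactivedirectoryobjectid": "273e1f2a-0000-4000-8000-000000000001",
        "isdisabled": True},
}


def blank_record(owner_id):
    """Shape the thread's flow produced for an unresolved owner; note
    userisenabled stays True even though nothing was found, as in that output."""
    return {"userisorphan": True, "userissystem": False, "userisserviceprinciple": False,
            "userdisplayname": "", "useremail": "", "userid": owner_id, "userisenabled": True}


def resolve_owner(owner_id, directory=AAD_USERS, systemusers=SYSTEMUSER_TABLE,
                  map_systemuser_ids=False):
    """Look the owner id up as an AAD object id. If that fails and mapping is
    enabled, treat it as a systemuser id and follow azureactivedirectoryobjectid."""
    aad_id, user = owner_id, directory.get(owner_id)
    if user is None and map_systemuser_ids and owner_id in systemusers:
        aad_id = systemusers[owner_id]["azureactivedirectoryobjectid"]
        user = directory.get(aad_id)
    if user is None:
        return blank_record(owner_id)
    return {"userisorphan": False, "userissystem": False, "userisserviceprinciple": False,
            "userdisplayname": user["displayName"], "useremail": user["mail"],
            "userid": aad_id, "userisenabled": user["enabled"]}


def guest_mismatches(app_owner_ids, directory=AAD_USERS, systemusers=SYSTEMUSER_TABLE):
    """Owner ids that come back blank as-is but resolve through the systemuser
    table: the candidates for the guest-user case reported in this issue."""
    return [o for o in app_owner_ids
            if resolve_owner(o, directory, systemusers)["userisorphan"]
            and not resolve_owner(o, directory, systemusers, True)["userisorphan"]]
```

Running guest_mismatches over an environment's app owner ids separates true orphans (unresolvable either way) from guest makers whose owner id merely needs translating.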