microsoft / coe-starter-kit


[CoE Starter Kit - BUG] Admin | Sync Template v3 (Flow Action Details) Failed, where is the connection? #8512

Closed fim34 closed 2 months ago

fim34 commented 3 months ago

Does this bug already exist in our backlog?

Describe the issue

Hello, we have an email notification that one flow run failed because of the Get Flow action. It's the same as #7825, but after checking with a service account, there is no connection to fix in the connection tab and I did not find one with the name "shared_logicflows" or the id. All connection references are good. The service account is the owner of this flow.

So what is next to check? Is there a way to check with the connection id?

        "code": "ConnectionAuthorizationFailed",
        "message": "The caller object id is '7d18c858-5dd0-4549-95ba-d5784afc83cf'. Connection 'f40b6a84-dff9-497a-a418-fb124741fbd0' to 'shared_logicflows' cannot be used to activate this flow, either because this is not a valid connection or because it is not a connection you have access permission for. Either replace the connection with a valid connection you can access or have the connection owner activate the flow, so the connection is shared with you in the context of this flow."
    }
}

}

flow issue

Expected Behavior

No response

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.29

What app or flow are you having the issue with?

Admin | Sync Template v3 (Flow Action Details)

What method are you using to get inventory and telemetry?

Cloud flows

Steps To Reproduce

No response

Anything else?

No response

AB#3631

Jenefer-Monroe commented 3 months ago

That means the connection reference is broken. You will need to select the correct identity from this drop down image

And if it doesn't exist, create a new connection as that identity, then come back, refresh, and select.

fim34 commented 3 months ago

To be sure, I created a new connection and changed it to the new one. Still had one failed run today with the same error, but each time it's when it wants to check the default environment. flow error

Jenefer-Monroe commented 3 months ago

Glad you got the connection fixed.

Sounds like you don't have permissions then to the default envt. You have likely been impacted by new product behavior that just shipped around the way the product treats privileged roles (ex Power Platform Admin role, Global Admin role)

While there is a workaround we can put into the kit to fix this directly, we cannot ship it with the kit until the workaround is available in all regions. Hopefully for the July release.

The product change

Here is information about the product feature: Manage admin roles with Microsoft Entra Privileged Identity Management

How to check if this is the case

  1. Validate the user running the flow has direct and permanent assignment to the Power Platform Admin role.
  2. Take one of the target environments in your repro, one of the environments which is failing, and make sure the user running the flow has System Admin security role in that target environment.

How to address and More information

Please see https://github.com/microsoft/coe-starter-kit/issues/8119 for a write up on this change. Included also is a workaround you can do until we can have it natively in the kit.

fim34 commented 3 months ago

Yes, the service account has the Power Platform Admin role and is system admin in the default environment. Will check #8119. That may be good; we update every three months and the next update has to be the July release.

Jenefer-Monroe commented 3 months ago

Did you check today to see that they are sys admin there? I ask because Power Platform Admin Role no longer guarantees that (per the bug I referenced)

Please share the error you are getting from the flow for default. It's likely a different one now, right? The connection was broken before for all environments, correct?

fim34 commented 3 months ago

Yes, the account is still sys admin on the default environment. No, the failed flow run is only for default; it worked before for other environments.

No, still the same error. flow issue2106

{
    "statusCode": 403,
    "headers": {
        "Cache-Control": "no-store, no-cache",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "x-ms-islandgateway": "GA00000IM",
        "x-ms-request-id": "westeurope:74f07c9b-125f-469b-b002-34584d196df9",
        "x-ms-correlation-request-id": "74f07c9b-125f-469b-b002-34584d196df9",
        "x-ms-flow-mobile-ios-version": "3.0.421",
        "x-ms-flow-routing-request-id": "WESTEUROPE:20240621T044427Z:74f07c9b-125f-469b-b002-34584d196df9",
        "Server-Timing": "x-ms-igw-upstream-headers;dur=267.0,x-ms-igw-req-overhead;dur=0.7",
        "X-Content-Type-Options": "nosniff",
        "x-ms-service-request-id": "0be552c8-7221-44a9-8397-22f884c3bd7c",
        "x-ms-correlation-id": "560728a4-da54-443a-b4f0-3b14bcbb959f",
        "x-ms-activity-vector": "IN.0I.00",
        "Timing-Allow-Origin": "*",
        "x-ms-apihub-cached-response": "true",
        "x-ms-apihub-obo": "false",
        "Date": "Fri, 21 Jun 2024 04:44:26 GMT",
        "Content-Length": "557",
        "Content-Type": "application/json"
    },
    "body": {
        "error": {
            "code": "ConnectionAuthorizationFailed",
            "message": "The caller object id is '7d18c858-5dd0-4549-95ba-d5784afc83cf'. Connection 'f40b6a84-dff9-497a-a418-fb124741fbd0' to 'shared_logicflows' cannot be used to activate this flow, either because this is not a valid connection or because it is not a connection you have access permission for. Either replace the connection with a valid connection you can access or have the connection owner activate the flow, so the connection is shared with you in the context of this flow."
        }
    }
}
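
For triage of the 403 above, an added example (not part of the original post and not CoE Starter Kit code): it extracts the caller object id, connection id and connector name from a `ConnectionAuthorizationFailed` result so the caller can be compared with the expected service account. The function names are hypothetical, and the sample is built from the response quoted above with headers omitted and the message shortened.

```python
import json
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Matches the message wording shown in the response above.
MESSAGE_RE = re.compile(
    rf"caller object id is '(?P<caller>{GUID})'\. "
    rf"Connection '(?P<connection>{GUID})' to '(?P<connector>[^']+)'"
)

# Constructed sample: the thread's response, headers omitted, message shortened.
SAMPLE = {
    "statusCode": 403,
    "body": {"error": {
        "code": "ConnectionAuthorizationFailed",
        "message": "The caller object id is '7d18c858-5dd0-4549-95ba-d5784afc83cf'. "
                   "Connection 'f40b6a84-dff9-497a-a418-fb124741fbd0' to "
                   "'shared_logicflows' cannot be used to activate this flow.",
    }},
}
SAMPLE_TEXT = json.dumps(SAMPLE)


def parse_auth_failure(action_output):
    """Return caller, connection and connector, or None for any other result.

    Accepts the full action output, only its "body", or the bare "error"
    object (as in a partially pasted response), as a dict or a JSON string.
    """
    if isinstance(action_output, str):
        action_output = json.loads(action_output)
    node = action_output.get("body", action_output) if isinstance(action_output, dict) else {}
    error = node.get("error", node) if isinstance(node, dict) else {}
    if not isinstance(error, dict) or error.get("code") != "ConnectionAuthorizationFailed":
        return None
    match = MESSAGE_RE.search(error.get("message", ""))
    if match is None:
        return None
    return {
        "caller": match.group("caller").lower(),
        "connection": match.group("connection").lower(),
        "connector": match.group("connector"),
    }


def caller_matches(action_output, expected_object_id):
    """True when the failing caller is the identity expected to run the flow."""
    parsed = parse_auth_failure(action_output)
    return parsed is not None and parsed["caller"] == expected_object_id.lower()
```
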

Jenefer-Monroe commented 3 months ago

First, please summarize:

  1. The account in question is this one: admin.g2s.svc-PowerPlatform....
  2. This is the account that you verified is a System Admin in the default envt
  3. This is the account that now has been selected here: image

Then please note, above this failure the user is explicitly granted access. Can you please go up in the flow run for this loop and see what happens here? image

fim34 commented 3 months ago

  1. The account in question is this one: admin.g2s.svc-PowerPlatform.... > Yes
  2. This is the account that you verified is a System Admin in the default envt > Yes
  3. This is the account that now has been selected here > Yes connection existed and created and selected the new one.

flow issue2406

Jenefer-Monroe commented 3 months ago

  1. Is 7d18... the correct GUID for admin.g2s.svc-PowerPlatform?
  2. Please go run this flow: HELPER - CloudFlowOperations

Using the parameters as sent from the failing flow: image

  1. Open the run you created and see if it falls correctly into this case image

  2. If so, what happens within the case? image

fim34 commented 3 months ago

Yes, it's the correct GUID for the account. There is the flow run: helperflowop

Jenefer-Monroe commented 3 months ago

According to that, the user should already have permission to the flow, so I'm not sure what state you are in. Please go to the flow in question itself, the one for which you ran this helper just now, and see what permissions are applied to it.

fim34 commented 3 months ago

Permissions for Admin | Sync Template v3 (Flow Action Details), this? flow permission

Jenefer-Monroe commented 3 months ago

Are you running the kit as a service principal? (not a service account but a service principal)

fim34 commented 3 months ago

No, all the flows use the service account.

Jenefer-Monroe commented 3 months ago

Oh sorry, I didn't mean the owner of the flow action details flow, I mean the owner of the flow for which this is failing. The flow being called here: image

fim34 commented 3 months ago

It's the same account for all flows, so service account.

Jenefer-Monroe commented 3 months ago

OK. Sorry I'm not sure I'll be able to assist here then. It seems like there is something going on with this particular flow but without being able to log in with you and explore we seem to be at an impasse.

fim34 commented 2 months ago

If a Teams call is needed, I can be available next week.

Jenefer-Monroe commented 2 months ago

Sorry we are not staffed up to meet with our GitHub users. There are 12k of you and only one of me, so we have to do our investigation here. Unfortunately I've run out of ideas, likely there was some miscommunication above, or something broken in your tenant. So perhaps re-walk the above and see if something new pops out to you, or pull in a local Power Platform expert to have them review.

fim34 commented 2 months ago

No problem, I will update to the July release and see if there is still an error.

Jenefer-Monroe commented 2 months ago

closing out as no further action for starter kit team

fim34 commented 2 months ago

Still here after update, so will check again all steps in this post.