microsoft / coe-starter-kit


Admin | Sync Template v4 (Connection Identities) failed at Action 'Get_user_profile_(V2)' failed every day after user/users left from the org #8530

Closed sandeshsushir closed 1 day ago

sandeshsushir commented 1 week ago

Does this bug already exist in our backlog?

Describe the issue

We have installed the Power Platform CoE (Core Components) toolkit (v4.32) without any customization. As a daily routine to monitor the sync flows, the flow (Admin | Sync Template v4 (Connection Identities)) is failing every day with the error Action 'Get_userprofile(V2)' failed.

  1. Digging further down into the flow actions, we found that the user/users are not found and the flow is getting terminated, which in turn lands in the active sync flow errors (CoE Admin Command Center).
  2. We have observed that the users who have left the organization or are inactive are listed in the action (Get user profile (V2)) with the error "user not found".
  3. We have manually removed all inactive (no longer with the org) user/users from the respective environment as well.
  4. We are still seeing the flow (Admin | Sync Template v4 (Connection Identities)) failing every day. How can we avoid such failures/termination of the flow if the user is inactive or no longer with the organization?

Following are the screenshot steps.

  1. CoE Admin Command Center -> Active sync flow errors
  2. SC03. Admin | Sync Template v4 (Connection Identities) with Error - Action 'Get_userprofile(V2)' failed.
  3. Further drill down into the flow (screenshots SC1, SC2, SC4)

Expected Behavior

  1. The flow should not fail/terminate and should not be listed in the CoE Admin Center (Active sync flow errors). There might be another way to handle the scenario, for example: send an email to the admin about the inactive user, at most 2-3 reminders, and then stop.
  2. If the user is inactive or no longer with the organization, the flow should recognize this and execute accordingly without any error.

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.32

What app or flow are you having the issue with?

Admin | Sync Template v4 (Connection Identities)

What method are you using to get inventory and telemetry?

None

Steps To Reproduce

  1. The user should be inactive or no longer with the organization (the user should not be listed in the Azure AD group or in the users list).
  2. Run Admin | Sync Template v4 (Connection Identities).
  3. If the user is inactive, the error will be listed in the sync flow errors section.

Anything else?

No response

AB#3660

Jenefer-Monroe commented 1 week ago

It is expected that this call fails for users no longer in Entra, and then the failure is caught to proceed. Note that flow always shows the first failure even if it's a caught failure, so you need to go further down in the flow to find where the flow actually terminates (fails).

Here is an image showing how this happens for an unrelated flow, just so you can see how fail/catch surfaces. [image]
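The fail/catch pattern described above, as an added example that is not the CoE Starter Kit's own flow logic: the "user not found" failure from the profile lookup is caught and recorded as an orphaned connection so the run continues, while any other lookup error still propagates and fails the run. The directory responses and the connection inventory below are constructed for the example; `get_user_profile` stands in for the Office 365 Users "Get user profile (V2)" action.

```python
from dataclasses import dataclass


class UserNotFound(Exception):
    """The directory reports that this user id no longer exists (HTTP 404)."""


@dataclass(frozen=True)
class Connection:
    connection_id: str
    environment: str
    owner_id: str  # directory object id of the connection owner


# Constructed stand-in for the directory behind "Get user profile (V2)".
# Maps user id -> (HTTP status, body). A user removed from the tenant answers 404;
# a blocked user is still found but reports accountEnabled = False.
DIRECTORY = {
    "u-1111": (200, {"displayName": "Alice Active", "accountEnabled": True}),
    "u-2222": (404, None),
    "u-3333": (200, {"displayName": "Bob Blocked", "accountEnabled": False}),
}


def get_user_profile(user_id, directory=DIRECTORY):
    """Emulate the lookup action: 404 -> UserNotFound, any other non-200 -> RuntimeError."""
    status, body = directory.get(user_id, (404, None))
    if status == 404:
        raise UserNotFound(user_id)
    if status != 200:
        raise RuntimeError(f"directory lookup for {user_id} failed with HTTP {status}")
    return body


def classify_owner(user_id, directory=DIRECTORY):
    """Return 'active', 'disabled' or 'orphaned'.

    Only the 'not found' failure is caught and turned into a result; throttling,
    auth or outage errors propagate so they are never mistaken for a departed user.
    """
    try:
        profile = get_user_profile(user_id, directory)
    except UserNotFound:
        return "orphaned"
    return "active" if profile.get("accountEnabled") else "disabled"


def sync_connection_identities(connections, directory=DIRECTORY):
    """Walk every connection once and group connection ids by owner status, so
    orphaned connections (owner gone from the tenant) are reported for review
    instead of aborting the whole run on the first failed lookup."""
    report = {"active": [], "disabled": [], "orphaned": []}
    for conn in connections:
        report[classify_owner(conn.owner_id, directory)].append(conn.connection_id)
    return report


# Constructed sample inventory (two connections still owned by a removed user).
SAMPLE_CONNECTIONS = [
    Connection("conn-a", "env-prod", "u-1111"),
    Connection("conn-b", "env-prod", "u-2222"),
    Connection("conn-c", "env-dev", "u-3333"),
    Connection("conn-d", "env-dev", "u-2222"),
]

if __name__ == "__main__":
    print(sync_connection_identities(SAMPLE_CONNECTIONS))
```

The distinction between the caught 404 and every other error is the point: a departed owner is a normal inventory outcome, whereas a 401/403/5xx from the directory means the run itself is broken and should surface as a real failure.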

Jenefer-Monroe commented 1 week ago

In your specific case, it should be caught and go down this set of calls. Does it do that? And what happens in these calls? [image]

sandeshsushir commented 1 week ago

Hi Jenefer, thanks for addressing this issue.

  1. We get a blank value as output = {"body":{"value":[]}} in the action -> see if orphan is already in table. [image]
  2. The next action is - [screenshot SC5]

Action name -> find the users in system user table -> output is - [screenshot SC6]

Jenefer-Monroe commented 1 week ago

It looks like you (the identity running the flow) do not have permission to the target environment.

Likely you have been impacted by new product behavior that just shipped around the way the product treats privileged roles (e.g. Power Platform Admin role, Global Admin role).

While there is a workaround we can put into the kit to fix this directly, we cannot ship it with the kit until the workaround is available in all regions. Hopefully for the July release.

The product change

Here is information about the product feature: Manage admin roles with Microsoft Entra Privileged Identity Management

How to check if this is the case

  1. Validate the user running the flow has direct and permanent assignment to the Power Platform Admin role.
  2. Take one of the target environments in your repro, one of the environments which is failing, and make sure the user running the flow has System Admin security role in that target environment.

How to address and More information

Please see https://github.com/microsoft/coe-starter-kit/issues/8119 for a write-up on this change. Included also is a workaround you can apply until we can have it natively in the kit.
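Check 1 of the list above (the flow identity holds the Power Platform Admin role as a direct, permanent assignment rather than a PIM-eligible or time-bound one) can be done from the Microsoft Graph role-management endpoints. The example below is added here and is not part of the kit; it classifies the `value` arrays returned by `GET /roleManagement/directory/roleAssignmentScheduleInstances` and `GET /roleManagement/directory/roleEligibilityScheduleInstances` (both filtered by `principalId`). The field names follow the Graph schema as I know it, the sample instances are constructed, and the role definition id is an assumed value that should be confirmed against `/roleManagement/directory/roleDefinitions` in your own tenant. Check 2 (System Administrator security role in the target Dataverse environment) is not covered here.

```python
# Assumed unified role definition id for "Power Platform Administrator" (these ids
# equal the directory role template ids). Verify in your tenant before relying on it.
POWER_PLATFORM_ADMIN_ROLE_ID = "11648597-926c-4cf3-9c36-bcebb0ba8dcc"


def classify_role_assignment(principal_id, role_id, assignment_instances, eligibility_instances):
    """Summarise how a principal holds a directory role.

    assignment_instances: 'value' items from roleAssignmentScheduleInstances
      (assignmentType 'Assigned' or 'Activated', memberType 'Direct' or 'Group',
       endDateTime None for a permanent assignment).
    eligibility_instances: 'value' items from roleEligibilityScheduleInstances.
    Returns one of: 'permanent-direct', 'permanent-via-group', 'time-bound',
    'pim-activated', 'eligible-only', 'none'.
    """
    mine = [i for i in assignment_instances
            if i.get("principalId") == principal_id and i.get("roleDefinitionId") == role_id]
    for inst in mine:
        if inst.get("assignmentType") == "Assigned" and inst.get("endDateTime") is None:
            return "permanent-direct" if inst.get("memberType") == "Direct" else "permanent-via-group"
    if any(i.get("assignmentType") == "Assigned" for i in mine):
        return "time-bound"  # assigned, but with an expiry
    if any(i.get("assignmentType") == "Activated" for i in mine):
        return "pim-activated"  # only active while the PIM activation lasts
    if any(e.get("principalId") == principal_id and e.get("roleDefinitionId") == role_id
           for e in eligibility_instances):
        return "eligible-only"  # eligible in PIM but not currently activated
    return "none"


def flow_identity_ok(principal_id, assignment_instances, eligibility_instances,
                     role_id=POWER_PLATFORM_ADMIN_ROLE_ID):
    """True only for the case the thread asks for: direct and permanent assignment."""
    return classify_role_assignment(principal_id, role_id,
                                    assignment_instances, eligibility_instances) == "permanent-direct"


# Constructed sample responses: a service identity with a permanent direct assignment,
# an admin whose assignment exists only through a current PIM activation, and an
# admin who is eligible but has not activated.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "svc-coe", "roleDefinitionId": POWER_PLATFORM_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "memberType": "Direct", "endDateTime": None},
    {"principalId": "admin-pim", "roleDefinitionId": POWER_PLATFORM_ADMIN_ROLE_ID,
     "assignmentType": "Activated", "memberType": "Direct",
     "endDateTime": "2025-01-01T08:00:00Z"},
]
SAMPLE_ELIGIBILITIES = [
    {"principalId": "admin-pim", "roleDefinitionId": POWER_PLATFORM_ADMIN_ROLE_ID},
    {"principalId": "admin-eligible", "roleDefinitionId": POWER_PLATFORM_ADMIN_ROLE_ID},
]

if __name__ == "__main__":
    for who in ("svc-coe", "admin-pim", "admin-eligible", "nobody"):
        print(who, classify_role_assignment(who, POWER_PLATFORM_ADMIN_ROLE_ID,
                                            SAMPLE_ASSIGNMENTS, SAMPLE_ELIGIBILITIES))
```

A scheduled flow running under an identity whose role exists only through a PIM activation will work while the activation lasts and then start failing with permission errors on the target environments, which is the symptom the thread describes; the classification makes that distinction visible before the flow runs.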

Jenefer-Monroe commented 1 day ago

Closing out as no further action for the starter kit team.