Closed Star-Donovan closed 1 month ago
From here Update environment variables, it appears that the correct audience URL for GCC High is https://manage.office365.us and the correct authority is https://login.microsoftonline.us
Can you please remove any unmanaged layers on the flow, and validate it looks like this:
Then share your env vars
I edited the issue description this morning to add that the flow names differ between the previous bug & this one. Otherwise, I did not make any changes.
@Jenefer-Monroe, Yes, that screenshot matches. Here are the environmental variables:
Again, we are not in GCC-High. We are just in GCC.
More specifically, we appear to be in Azure Commercial with a GCC sub-scope:
BTW, our MS CSAM /SME already had us try hardcoding to the .us URLs & it kept the 401 error, but changed the error body to indicate an invalid audience (presumably because we are in Commercial/GCC & have no .us identities or users).
The issue tracked in 6569 was resolved by removing that page from the setup wizard. So you should not have any workarounds to do there any longer.
I'm not a sovereign cloud expert so I don't know if being in a sub-scope is normal or not, but it sounds like you have issues with using the URLs at all without the kit being involved.
I would suggest taking this to product support.
Sorry, I thought removing the page was a workaround to get past the connector giving the sign in error.
I should have said we implemented the fix.
I understand the confusion! :) I thought my org was in Government Azure until we encountered the 6569 issue, so I did some digging.
I can't speak to how widespread or “normal” a configuration it is, but from my limited online research, being in Azure Commercial with a GCC subscope is not quite uncommon. Typical reasons for it seem to be mainly:
Yes, we have had a few issues. We actually had to delete our (pre setup-wizard) CoE environment because we couldn’t update it. We created a new CoE environment & have been trying to finish setup with the help of our MS contact for quite some time now.
I will open a support ticket.
closing out as no further action for starter kit team
Does this bug already exist in our backlog?
Describe the issue
Similar to https://github.com/microsoft/coe-starter-kit/issues/6975, but I am in GCC (not GCC High). Also, the affected flow is named differently. The error body is:
{ "error": { "code": "AF10001", "message": "The permission set () sent in the request does not include the expected permission." } }
With CSAM assistance, tried hardcoding Audience in URI (tried both https://graph.microsoft.us and https://graph.microsoft.com), and error was still 401, but then body changed to indicate invalid audience:
{ "error": { "code": "InvalidAuthenticationToken", "message": "Access token validation failure. Invalid audience.", "innerError": { "date": "2024-07-17T19:26:12", "request-id": "950e40a2-f6e4-4078-9698-02da085dcf29", "client-request-id": "950e40a2-f6e4-4078-9698-02da085dcf29" } } }
Tried going directly to https://manage-gcc.office.com/api/v1.0/[tenantID]/ where [tenant ID] is our actual tenant ID, & got a page with the following text:
{ "Message": "No HTTP resource was found that matches the request URI 'https://manage-gcc.office.com/api/v1.0/[tenantID]/'.", "MessageDetail": "No type was found that matches the controller named 'v1.0'." }
Removed hardcoded URI & restored Dynamic Content. Added a compose step & confirmed Tenant ID is correct & matches Entra. Then edited compose to check Authority, App ID & Secret, which were also correct & match values in Entra.
Expected Behavior
Should receive message subscription was started
What solution are you experiencing the issue with?
Core
What solution version are you using?
4.31
What app or flow are you having the issue with?
Admin | Audit Logs | Office 365 Management API Subscription
What method are you using to get inventory and telemetry?
Cloud flows
Steps To Reproduce
Anything else?
Troubleshot with MS CSAM/SME, who recommended submitting GitHub as new issue, as https://github.com/microsoft/coe-starter-kit/issues/6975 is closed & applied to GCC-High (whereas my org is just in GCC). Also, the flows have different names.
AB#3820
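An added example, not part of the issue thread or the CoE Starter Kit: a Python check that decodes an access token requested with the same app registration and lists the claim mismatches that correspond to the two 401 bodies quoted above. The GCC audience value, the `ActivityFeed.Read` role name, and the reading of the empty `permission set ()` as a missing `roles` claim are assumptions; the tenant ID and tokens are constructed.

```python
import base64
import json

# Audience per cloud. The GCC High value is quoted in the thread; the GCC value is
# an assumption derived from the manage-gcc.office.com host the reporter called.
AUDIENCE = {
    "gcc_high": "https://manage.office365.us",
    "gcc": "https://manage-gcc.office.com",
}
REQUIRED_ROLE = "ActivityFeed.Read"  # assumed application permission for the feed


def token_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWT without verifying the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(jwt: str, cloud: str, tenant_id: str) -> list[str]:
    """Return the claim mismatches that would explain a 401 on the subscription call."""
    claims = token_claims(jwt)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != AUDIENCE[cloud]:
        problems.append(f"aud is {aud!r}, expected {AUDIENCE[cloud]!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid is {claims.get('tid')!r}, expected {tenant_id!r}")
    roles = claims.get("roles") or []  # app-only tokens list permissions here
    if REQUIRED_ROLE not in roles:
        problems.append(f"roles {roles} lacks {REQUIRED_ROLE}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the check runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    bad = make_sample_token({"aud": "https://graph.microsoft.com", "tid": TENANT})
    for line in check_token(bad, "gcc", TENANT):
        print(line)
```

The decode step skips signature verification on purpose, so use it only to inspect a token you requested yourself, never to decide whether to trust one.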