microsoft / coe-starter-kit


[CoE Starter Kit - BUG] "Admin | Audit Logs | Office 365 Management API Subscription" flow stops with 401 Error - GCC #8664

Closed Star-Donovan closed 1 month ago

Star-Donovan commented 1 month ago

Does this bug already exist in our backlog?

Describe the issue

Similar to https://github.com/microsoft/coe-starter-kit/issues/6975, but I am in GCC (not GCC High). Also, the affected flow is named differently. The error body is:

    {
      "error": {
        "code": "AF10001",
        "message": "The permission set () sent in the request does not include the expected permission."
      }
    }

With CSAM assistance, tried hardcoding Audience in URI (tried both https://graph.microsoft.us and https://graph.microsoft.com), and error was still 401, but then body changed to indicate invalid audience:

    {
      "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token validation failure. Invalid audience.",
        "innerError": {
          "date": "2024-07-17T19:26:12",
          "request-id": "950e40a2-f6e4-4078-9698-02da085dcf29",
          "client-request-id": "950e40a2-f6e4-4078-9698-02da085dcf29"
        }
      }
    }

Tried going directly to https://manage-gcc.office.com/api/v1.0/[tenantID]/ where [tenant ID] is our actual tenant ID, & got a page with the following text:

    {
      "Message": "No HTTP resource was found that matches the request URI 'https://manage-gcc.office.com/api/v1.0/[tenantID]/'.",
      "MessageDetail": "No type was found that matches the controller named 'v1.0'."
    }

Removed hardcoded URI & restored Dynamic Content. Added a compose step & confirmed Tenant ID is correct & matches Entra. Then edited compose to check Authority, App ID & Secret, which were also correct & match values in Entra.

Expected Behavior

Should receive message subscription was started

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.31

What app or flow are you having the issue with?

Admin | Audit Logs | Office 365 Management API Subscription

What method are you using to get inventory and telemetry?

Cloud flows

Steps To Reproduce

  1. Run Admin | Audit Logs | Office 365 Management API Subscription. Flow runs successfully, but Audit Logs are not available.
  2. Check run history. Exclamation point is on step "Perform subscription operation" > action "Switch on operation" > case "START" > action "Start Subscription".
  3. Status code is 401. Error code is AF10001.

Anything else?

Troubleshot with MS CSAM/SME, who recommended submitting github as new issue, as https://github.com/microsoft/coe-starter-kit/issues/6975 is closed & applied to GCC-High (whereas my org is just in GCC). Also, the flows have different names.

AB#3820

Jenefer-Monroe commented 1 month ago

From here Update environment variables, it appears that the correct audience url for GCC High is https://manage.office365.us and the correct authority is https://login.microsoftonline.us

Can you please remove any unmanaged layers on the flow, and validate it looks like this:

Then share your env vars

Star-Donovan commented 1 month ago

I edited the issue description this morning to add that the flow names differ between the previous bug & this one. Otherwise, I did not make any changes.

@Jenefer-Monroe, Yes, that screenshot matches. Here are the environmental variables:

Again, we are not in GCC-High. We are just in GCC.

More specifically, we appear to be in Azure Commercial with a GCC sub-scope:

  1. We had to use the workaround in https://github.com/microsoft/coe-starter-kit/issues/6569 to get the wizard to work.
  2. As per MS Documentation, when I go to https://login.microsoftonline.com/[domainname]/.well-known/openid-configuration where [domainname] is our .onmicrosoft.com domain, I see the scope is NA (for North America/Commercial), not USG or USGov. The sub-scope is "regular" GCC, though (not GCC-High or DoD). I have also confirmed we only have onmicrosoft.com identities, not onmicrosoft.us ones.

BTW, our MS CSAM /SME already had us try hardcoding to the .us URLs & it kept the 401 error, but changed the error body to indicate an invalid audience (presumably because we are in Commercial/GCC & have no .us identities or users).
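
As an added diagnostic example (not code from the CoE Starter Kit or from anyone in this thread), the script below shows the two checks this comment and the earlier "Invalid audience" error point at: reading the tenant's region scope and sub-scope from the openid-configuration document, and confirming that the acquired token's aud claim names the Management API endpoint the flow calls. The sub-scope-to-endpoint mapping, the sample document and the sample token are constructed assumptions built from the URLs quoted in the thread.

```python
import base64
import json

# Constructed sample of the openid-configuration document the thread checks at
# https://login.microsoftonline.com/<domain>/.well-known/openid-configuration.
# Field names are the ones Entra publishes; the values are illustrative only.
SAMPLE_OPENID_CONFIG = json.dumps({
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "tenant_region_scope": "NA",
    "tenant_region_sub_scope": "GCC",
    "cloud_instance_name": "microsoftonline.com",
})

def expected_endpoints(openid_config_json: str) -> tuple:
    """Map the tenant's region scope/sub-scope to (Management API audience,
    OAuth authority). The mapping is an assumption built from the URLs named in
    this thread: GCC -> manage-gcc.office.com, GCC High -> the .us endpoints."""
    cfg = json.loads(openid_config_json)
    scope = cfg.get("tenant_region_scope", "")
    if cfg.get("tenant_region_sub_scope") == "GCC":
        return "https://manage-gcc.office.com", "https://login.microsoftonline.com"
    if scope.upper().startswith("USG"):
        return "https://manage.office365.us", "https://login.microsoftonline.us"
    return "https://manage.office.com", "https://login.microsoftonline.com"

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. Diagnostic only:
    it shows which audience the token was issued for, nothing more."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audience_matches(token: str, expected_audience: str) -> bool:
    """True when the token's aud claim names the resource the flow will call;
    a mismatch is what the 'Invalid audience' body in the thread reports."""
    aud = jwt_claims(token).get("aud", "")
    return aud.rstrip("/") == expected_audience.rstrip("/")

def make_sample_token(aud: str) -> str:
    """Build a constructed, unsigned token for offline testing (not a real one)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'aud': aud})}.placeholder-sig"
```

Running audience_matches on a token minted for https://graph.microsoft.com against the GCC audience returns False, which is the mismatch behind the "Invalid audience" body quoted above.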

Jenefer-Monroe commented 1 month ago

The issue tracked in 6569 was resolved by removing that page from the setup wizard. So you should not have any workarounds to do there any longer.

I'm not a sovereign cloud expert so I don't know if being in a sub-scope is normal or not, but it sounds like you have issues with using the URLs at all without the kit being involved.

I would suggest taking this to product support.

Star-Donovan commented 1 month ago

Sorry, I thought removing the page was a workaround to get past the connector giving the sign in error.
I should have said we implemented the fix.

I understand the confusion! :) I thought my org was in Government Azure until we encountered the 6569 issue, so I did some digging.

I can't speak to how widespread or “normal” a configuration it is, but from my limited online research, being in Azure Commercial with a GCC subscope is not quite uncommon. Typical reasons for it seem to be mainly:

  1. Tenants were spun up before the sovereign clouds were available, so GCC subscope was added rather than having to migrate everything,
  2. Tenants needed to remain in Azure Commercial for specific functionalities (app registrations, etc) & so remained there but with GCC subscope added.

Yes, we have had a few issues. We actually had to delete our (pre setup-wizard) CoE environment because we couldn’t update it. We created a new CoE environment & have been trying to finish setup with the help of our MS contact for quite some time now.

I will open a support ticket.

Jenefer-Monroe commented 1 month ago

closing out as no further action for starter kit team