[CoE Starter Kit - BUG] Embedded PowerApp to manage apps/flows in PowerBI Dashboard does not work after August COE release

[dd767]

Does this bug already exist in our backlog?

• [X] I have checked and confirm this is a new bug.

Describe the issue

Everything worked fine before upgrade to August release files.

When trying to manage access for a powerapp using the embedded app in the Powerbi Dashboard, i get an error related to access to another environment which has nothing to do with the one i'm currently viewing (filtered) and where the Powerapp that i try to manage access permissions resides on.

When trying to manage Powerapps access i get:

PowerAppsforAdmins.GetAdminApp failed: { "error": { "code": "EnvironmentAccess", "message": "The user with object id 'AAAAAAA' in tenant 'BBBBBBB' does not have access to permission 'List Any PowerApps' in environment 'CCCCCC'. Error Code: 'UserMissingRequiredPermission'" } }

When trying to manage Automate Flows, i get:

PowerAutomateManagement.AdminGetFlow failed: { "error": { "code": "EnvironmentAccessDenied", "message": "You are not permitted to make flows in this 'DEFAULT ENVIRONMENT(default)'. Please switch to the default environment, or to one of your own environment(s), where you have maker permissions." } }

I am an admin on the COE environment and admin as well on the environment i try to manage apps/flows access on. As i mentioned before, this worked fine before we updated COE package with August release.

Expected Behavior

To open & use the embedded PowerApp in the COE PowerBI Dashboard to manage apps & flows access (add/remove users, owners, grant myself access, etc.)

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.43

What app or flow are you having the issue with?

Admin - Access this App [works embedded in Power BI only], Admin - Access this Flow [works embedded in Power BI only]

What method are you using to get inventory and telemetry?

Cloud flows

Steps To Reproduce

Open COE PBI Dashboard Go to Apps Deep Dive Filter by environment where i am admin Find app in table Rightclick, drill-thru, manage app access

Anything else?

No response

[Jenefer-Monroe]

Hello you need to reconfigure these apps whenever you upgrade the kit and dishboard. Configure embedded apps in the CoE dashboard

[dd767]

Hello you need to reconfigure these apps whenever you upgrade the kit and dishboard. Configure embedded apps in the CoE dashboard

Hi Jen, we did follow that guide after upgrade. Even went thru it again today, set everything again. Same result. It's other users also getting the errors. Somehow it doesn't register/pass the environment that the app you're trying to manage to the embedded app startup "variables". The error message is listing some environment that has nothing to do with the one we're on to manage.

Strangely, for managing flows, the error message says we don't have maker rights on the default environment, which is complete nonsense.

I am a system admin on the COE environment and an environment admin on the one i'm trying to manage app/flow accesses via the embedded app.

Could it be that the flows that invoke PowerAppsforAdmins for example (when clicking an app, right click, drill down, manage app permissions) to open the embedded management PowerApp, have an issue?

[Jenefer-Monroe]

Did you do the setup which includes the Reset to Default?

Then chose the app in your own CoE envt?

Are you trying to use with a Canvas app? Note that Model Driven Apps do not work.

I know there are some instructions online that send you down another path.

[dd767]

yes, we did all the steps above! reset to default as well as choosing the canvas apps: "Admin - Access this App [works embedded in Power BI only]" and "Admin - Access this Flow [works embedded in Power BI only]"

[Jenefer-Monroe]

I'm really not sure. This is working for me. Can you share a screenshot of where you are failing? Are you logged in to PBI as a user with Admin permissions to the CoE Environment? Do you have unmanaged layers on those apps?

[dd767]

My user has System Admin Permissions on the COE environment, has a PowerBI Pro license and a PowerApps per User premium license. No unmanaged layers. The issue is reproduce-able by other users as well.

For FLOWS: Open COE PBI Dashboard (september) -> Go to "Flow Deep Dive" -> Select a flow (in this case i chose one in an environment i am also environment admin) -> rightclick -> Drill Thru -> Manage Flow Access.

I get this error: (from PowerAutomateforAdmins ?!?). The error message is stupid, because it refers to the DEFAULT environment where everyone has maker rights. The flow i am trying to manage is NOT in the default environment, as stated above.

For APPS: Open COE PBI Dashboard (september) -> Go to "App Deep Dive" -> Select an app (in this case i chose one in an environment i am also environment admin) -> rightclick -> Drill Thru -> Manage App Access.

I get this error: (from PowerAppsforAdmins ?!?) The errors message is also stupid, because it refers to an environment where indeed i have no access to, but the app i'm trying to manage is NOT in that environment. As a matter of fact it is my OWN powerapp developed in an environment where i am env. admin

Did something maybe change in August/September releases in the way the embedded app calls / checks user permissions when invoking the PowerAutomateforAdmins / PowerAppsforAdmins connectors in the respective flows?

To me it looks also like now (since 2 releases) it's trying to somehow "poll" the whole tenant, or more environments than it should, when calling this embedded apps. It's not sticking to the environment where the app or flow is residing.

I am not a tenant admin, but even with the rights i have the error message for flows is hilarous for 2 reasons: it's picking on an environment which has nothing to do with COE or where the flow is hosted, plus it's complaining about not having maker rights on the DEFAULT one...which everyone has by default anyway.

The apps error message is also out of place, because -indeed i have no access to the environment it's complaining about in the error - but the app i was trying to manage is my OWN, running in an environment where i am environment admin.

Looking at it logically, the only "common denominator" is the source of the errors: "........forAdmins" connector, let it be Flows or Apps.

[dd767]

Funny enough, i can manage apps permissions just fine (in the environment i am env_admin on) using the "Manage Permissions" - admin_ManagePermissions MDA from the COE solution.

For other environments (like default), i get a permission error, which makes sense in this case as i'm not an env_admin there.

BTW, Flow permissions i cannot manage using the admin_ManagePermissions MDA, it gives a message at the bottom saying "...not possible using this product, so changing it here only changes it in the context of your COE toolkit......" -> but i guess this s another topic, not related to this bug entry.

[Jenefer-Monroe]

Are the false envt GUIDs it gives you in your tenant?

[dd767]

Are the false envt GUIDs it gives you in your tenant?

yes

[Jenefer-Monroe]

I'm stumped, this is working for me. It must be some permissions issue for you. Can you please take an app for which it repros

1. Validate its a canvas type app
2. Go the environment of the app in question and validate you have Sys Admin permissions in the tenant
3. Validate that you have the Power Platform Admin role directly and permanently assigned. Microsoft Azure Users > Your User > Assigned Roles Ensure Power Platform Administrator is Direct and Permanent

[dd767]

to #3: this is i think the key difference from before aug/sept COE releases. I am not a Power Platform Admin and never was. My assigned role shows "0". My only roles are environment admin on the environment i'm trying to manage apps/flows on, and is not a full Dataverse enabled environment. Only approvals tables were provisioned. No premium connectors allowed, only standard. No Dataverse. I could manage everything fine before aug/sept COE releases via the embedded app in PBI COE Dashboard.

For the sake of using that embedded app, i was made also a system admin on the COE Environment, but doesn't make a difference.

Somehow i think the scope of the embedded apps was limited to "full" Power Platform Admins since aug/sept releases, since obviously is giving us a lot of errors since. Worked absolutely fine before August release.

Can you confirm this behavior/logic change?

I remember reading a somewhat similar issue (from Commonwealth of Virginia), but it was over an year old! https://github.com/microsoft/coe-starter-kit/issues/4974

Again, before Aug/Sept releases i could manage my apps/flows/orphans with no issues using this embedded app in the COE PBI Dashboard, with the same rights i have now (and which now don't work anymore).

[Jenefer-Monroe]

Are you saying that you used to be able to manage (ex update permissions for) apps/flows you did not own in environments to which you were not Sys Admin, while not having PPAdmin role?

[dd767]

Are you saying that you used to be able to manage (ex update permissions for) apps/flows you did not own in environments to which you were not Sys Admin, while not having PPAdmin role?

yes. I never had the PPAdmin role on the tenant. I was/am only environment admin in a particular environment where i needed to manage orphans via the embedded PBI apps (take over ownership, assign others as co-owners, delete flow/app, etc.) sys admin role i think is only for dataverse environments, which this particular one doesn't have (fully). I am environment admin, everyone else is "just" environment maker.

and as mentioned here https://github.com/microsoft/coe-starter-kit/issues/8997#issuecomment-2370647628 i can still do it now for powerapps in "my" environment with the admin_ManagePermissions MDA

[Jenefer-Monroe]

Sorry I still dont follow. Are you saying this was possible before?

Default envt

• you are a maker there for SR
• another maker make app "Foo" to which you did not have acccess at all

CoE Envt

• you are sys admin there for SR

PBI You used to be able to update the permissions of the app Foo?

[dd767]

Correct, except Foo was not in default env, but in one which i'm env admin on (sandbox environment type / no dataverse except for approvals).

In the default env i'm just a maker like everyone else. I never tried to take over/edit permissions of app/flows in the default environment. Only in "mine"

[Jenefer-Monroe]

ok sorry we are talking over each other. I believe your answer is no then. That is not what was possible. You've only ever been able to update permissions to apps/flows in environments to which you were admin.

[Jenefer-Monroe]

I just tested this in a test tenant and it does still work. Can you confirm the envt you picked here when setting up?

[dd767]

when setting up that app, they chose the COE environment.

I have new info reg. this. The only person in our team who can actually run the embedded app with no error (he is powerplatform admin) is reporting that when it opens, it always shows the same powerapp & users, regardless of which one he clicked on to drillthru-manage app access. So it seems the filtering in the COE Dashboard is not passed thru properly to the embedded powerapp.

So the AppID passed to the embedded app is always the same, regardless of which app/environment you want to manage apps from.

For the rest of us the app gives an error (like i posted above) but it's always the same, complaining about same app/environment regardless of which app/environment we tried to drillthru-manage app acccess

[Jenefer-Monroe]

Sorry it sounds like it was misconfigured then. That is behavior we see when it is misconfigured.

1. Validate you are logged in as the expected user in the correct tenant

2. Validate by hitting refresh on the PPT to see that it refreshes correctly. If it does not then perhaps you need to clear permissions inside of PBI

3. In App deep dive select a canvas app and go to manage app access Should see the name of the app, owner, and envt where the app lives at the top

4. Select the control, should see these two fields selected

[dd767]

yes, these two: AppID and EnvironmentID appear correctly in the embedded app, but the errors appear mentioing always another environment. Somehow we think the powerapp (via the powerapps visual) does not reset the variables it receives from the PBI?

COE September PBIX refreshes OK.

So we have 2 repro scenarios:

• full powerplatform admin opens the embedded app ok, no errors, but AppID and EnvironmentID are wrong (always the same) no matter what app he drilled down from
• environment admins (like me) gets errors from embedded app, related to not being able to access the (always same) environment/app listed on top, regardless of which app i initiated the drilldown from.

i will be joining the office hours call tonight (for me), maybe we can look at it together or schedule something for later if the time/event is not right for this kind of t-shooting.

[Jenefer-Monroe]

Sorry we are not able to have calls with our users. There is only one person staffing all 12k installs. You can try to delete the control and re-add.

[dd767]

You can try to delete the control and re-add.

which control, where?

[Jenefer-Monroe]

ok it looks like there may have been a change in canvas such that the input fields are not deterministically being picked up. The issue here was from an upgrade to the product not the kit. I'll have to investigate so placing to look for an upcoming release.

[dd767]

thanks Jen! :) persistence paid off ;)

[Jenefer-Monroe]

It does pay off! haha

[Jenefer-Monroe]

It looks like these just needed republished in order to be fixed. I have republished both the embedded apps and now they appear to consistently get the correct app and envt id

[Jenefer-Monroe]

May have just been a bug in the version they were using before republish

[Jenefer-Monroe]

Fix is available in Nov release. Please see latest release to see all changes or just download directly via https://aka.ms/coestarterkitdownload