microsoft / coe-starter-kit


[CoE Starter Kit - QUESTION] "HELPER - Driver Escalation Check" sync flow failed with error "The user is not a member of the organization" #9270

Open carusyte opened 1 week ago

carusyte commented 1 week ago

Does this question already exist in our backlog?

What is your question?

The sync flow "HELPER - Driver Escalation Check" can run successfully most of the time but fails constantly for a few of our environments. The error mainly stems from these 2 actions inside the flow:

Image

Output body of failed action:

```json
{
  "errors": [
    {
      "Subject": "Result",
      "Description": "User 0b96678d-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is not part of security group f180e0e0-xxxxxxxxxxxxxxxxxxxxxxxxx",
      "Code": "userNotPartOfSecurityGroup"
    },
    {
      "Subject": "InnerException",
      "Description": null,
      "Code": null
    },
    {
      "Subject": "AdditionalData",
      "Description": null,
      "Code": null
    }
  ],
  "information": [
    {
      "Subject": "Result",
      "Description": "[\"SyncMode: Default\",\"Instance 52e379c2-xxxxxxxxxxxxxxxxxxxx exists\",\"Instance 52e379c2-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx in enabled state\",\"Instance Url found https://org86xxxxxxx.crm5.dynamics.com\",\"User found in AD tenant\",\"User in enabled state in AD tenant\",\"User 0b96678d-xxxxxxxxxxxxxxxxxxxxxx is not part of security group f180e0e0-xxxxxxxxxxxxxxxxxxxxxxxxxxx\"]",
      "Code": "userNotPartOfSecurityGroup"
    },
    {
      "Subject": "AdditionalResultDetails",
      "Description": "",
      "Code": null
    },
    {
      "Subject": "RequestId",
      "Description": "b34060a8-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "Code": null
    },
    {
      "Subject": "CorrelationId",
      "Description": "cdd1c516-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "Code": null
    },
    {
      "Subject": "SystemUserId",
      "Description": null,
      "Code": null
    },
    {
      "Subject": "SecurityGroupId",
      "Description": "f180e0e0-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "Code": null
    },
    {
      "Subject": "Timestamp",
      "Description": "11/17/2024 5:51:08 AM",
      "Code": null
    }
  ]
}
```

Image

```json
{
  "error": {
    "code": "0x80072560",
    "message": "The user is not a member of the organization."
  }
}
```

What solution are you experiencing the issue with?

None

What solution version are you using?

November 2024

What app or flow are you having the issue with?

HELPER - Driver Escalation Check

What method are you using to get inventory and telemetry?

Cloud flows

Jenefer-Monroe commented 1 week ago

Can you please confirm that the user identity installing and running the flow has the Power Platform Admin role assigned both directly and permanently? Note that the escalation does not work for some environment situations if the assignment is not direct. Microsoft Azure > Users > Your User > Assigned Roles

Ensure Power Platform Administrator is Direct and Permanent

carusyte commented 4 days ago

We checked and found that the role assignment is indeed a group membership instead of direct. Many thanks for the great advice!

Besides, I realized that some of the environments are Teams environments; they seem to be created from the Teams app and bound to the creator's security group by default, and this admin account is not in their group for sure. Does it matter if I only change the membership type to direct but keep it out of the Teams security groups, since users might not prefer adding one more account into their group?

Jenefer-Monroe commented 1 day ago

The product owns the escalation path here, but as I recall this does not add them to the SG, instead it adds them in some other manner to the System Admin role. But please do let me know.