Azure DevOps Import Solution Fails Service Principal does not have minimum required permission

(0) Share

Report

Posted on by Nebulas

Hi team

Special invite to @EricRegnier (I have seen your fingerprint on other posts).

I have got Azure DevOps pipelines setup that does the following:

Exports solution from source environment within Service Provider (Me) tenancy
Uploads solution source files to Azure DevOps Repo
Performs a Backup target environment(s) in Customer tenancy
Imports solution in target environment(s) in Customer tenancy

This is enabled by:

App Registration(s) / Service Principal(s) (1 per tenancy: 1 for Service Provider, 1 for Customer)
- Appropriate API Permissions and admin consent (Access Common Data Service as organization users & MS Graph)
Environment App User (Referencing the App Registration)
Azure DevOps Service Connection(s) (1 per environment and Referencing the App Registration)
- Have checked the configuration of this several times to ensure correct ID's for URL, tenant, App ID, Secret
Environment specific settings file.json with environment variables and connection references
I have also run a powershell command that gives the service principal same admin permissions as my admin account (not sure if this is just duplicating the Azure UI button in the app reg API permissions 'Grant admin consent'

This all works perfectly when exporting from Service Provider environment and importing to a Customer environment.

My issues is that when I try and export solution and import into a new test environment within my Service Provider tenancy, I get an XML error within the Import Solution Step:

<Message>Request failed with: Forbidden and error: {"error":{"code":"ConnectionAuthorizationFailed","message":"The caller with object id 'xxxx-xxxx-xxxx-xxxx' does not have the minimum required permission to perform the requested operation on connection 'xxxx-xxxx-xxxx-xxxx' under API 'shared_commondataserviceforapps'."}} and request url https://api.powerapps.com/providers/Microsoft.PowerApps/scopes/service/apis/shared_commondataserviceforapps/connections/xxxx-xxxx-xxxx-xxxx?api-version=2018-10-01&amp;$expand=permissions($filter=maxAssignedTo('xxxx-xxxx-xxxx-xxxx')&amp;$filter=environment eq 'xxxx-xxxx-xxxx-xxxx'</Message>

I do know that the API permissions on some level are working correctly because the preceding step of Backup Environment works successfully and so does a test Who Am I step.

Any assistance would be greatly appreciated as I have been driving myself crazy with this for over a week now.

Kind regards

Rob

Categories:

Power Apps Pro Dev & ISV

I have the same question (0)

All responses (8)

Answers (2)

cchannon 4,702 Moderator on at

Like (0)

Report

Does your App user just not have the correct role in the new Target env? Backup Env can be done without having a role in that env, if you have PPlat Admin or GA or the ability to run delegated actions as a user with those Azure roles; it is only once you go to import the solution that it will check to make sure you have that permission in that specific env.

Was this reply helpful? Yes No
Nebulas 95 on at

Like (0)

Report

Thanks for your response @cchannon, I should have included this in my initial post.

The App User (Service Provider) has got both System Administrator and System Customizer roles assigned. This is the same level of permissions of the App User in the Customer environments.

In addition, the User that provided the admin consent to the App Registration / Service Principal also has both System Administrator and System Customizer roles assigned for the target environment.

@mdevaney adding you also to this thread as I know you are also very knowledgeable in this space. Any assistance would be greatly appreciated.

Was this reply helpful? Yes No
Verified answer

RajYRaman 270 on at

Like (0)

Report

@Nebulas - The error looks like it is coming from Connection Reference/Connection possibly. Do you have Flows/Canvas app in the solution? In that case, look at the connections that are associated with the connection references and make sure that the connection is shared with the Service Principal that is importing the solution. I assume that the connections have been created for the owner of the Flow/canvas app, which is different to the service principal that is running the solution import from Pipeline. In this case, the connections need to be shared with that service principal.

Was this reply helpful? Yes No
Nebulas 95 on at

Like (0)

Report

Hi @rajyraman, thanks for your response, I had extremely high hopes for this suggestion.

I just gave this a try and I continue to get the same error. I have also checked the sharing of the connections in all target environments that are working in the Customer tenancy, and I have not had to explicitly share the connection with the service principal. I have always assumed that this is just inherited.

I have also just tried deleting the connection and recreating and still same error.

Was this reply helpful? Yes No
RajYRaman 270 on at

Like (1)

Report

@Nebulas - Run the SQL in SQL4CDS or do a search in the environment with the user whose azureactivedirectoryobjectid is same as the caller objectid in the error message.

select fullname,azureactivedirectoryobjectid,domainname,systemuserid from systemuser where azureactivedirectoryobjectid='xxx-xxx'

Now you need understand who is this user? Is it the user importing the solution, or user who is the owner of the Flow? If they are different the owner of the connection has to share it out the the service principal importing the solution. Also check if the user in the error message has access to the Dataverse environment.

Was this reply helpful? Yes No
Nebulas 95 on at

Like (0)

Report
Hi @rajyraman

Thanks for your response again and persisting with me on this issue.

I have been wanting a way to run SQL against Dataverse for a while, so thanks for the tip! I have had a quick look at the project and will get this setup another time. I don't think that it is a requirement for me right now with this issue as I do know the user for the objectid in question; it is the Service Principal for the App Registration and I can see this in Entra (Azure AD).

In terms of your next question on who is the user, the user is the Service Principal that is being used on the Import Solution step of the release pipeline in Azure DevOps. This user is different to the Owner of the App, however the admin consent for the API permissions for the Service Principal was provided by the same App Owner who is also an Admin.

I need to explore the last two statements below, as I think there maybe something I am missing in what you are saying, or my understanding on how this pipeline hangs together is slightly incorrect:
'If they are different the owner of the connection has to share it out the the service principal importing the solution.'
Are you saying that the owner of the connection needs to share the connection with the service principal? If yes, I have already tried this by going to make.powerapps.com within the target environment, navigating to connections, and then clicking on the 'Share' icon; there I could see the App/Connection owner and in addition I added the Service Principal. Unfortunately, this had no impact on the result - same error.
In addition, in my target environments where the release pipeline is working without issue, I did NOT have to explicitly share the connection.
Also check if the user in the error message has access to the Dataverse environment.
My understanding is that access to the environment is given by adding the Service Principal as an App User (S2S User) to the environment from the PP Admin Center; I have already set this up. Or are you referring to some other way of providing access?
Sorry for the novel, just wanted to be clear.

Many thanks, Rob

Was this reply helpful? Yes No
Verified answer

EricRegnier 8,720 Most Valuable Professional on at

Like (1)

Report

Hi @Nebulas,

Not sure if you resolved this yet, but for backups I believe the SPN needs a service administration role (ie D365 admin or Power Platform admin). For solution exports/imports, it's fine with system admin in the source and target Dataverse environments.

As for the exact error message you're getting, make sure that the connection (not the connection reference) that the connection reference(s) is using is shared ("can use" privilege) with that SPN running the solution imports. Since connection can't be automated/scripted yet, you'll have to do this one-time in each target environments.

Hope this helps!

Was this reply helpful? Yes No
Nebulas 95 on at

Like (0)

Report

Hi @rajyraman , @EricRegnier

In my haste to try @rajyraman's solution, I actually shared the wrong connection. After sharing the connection with the service principal this now works.

What I am struggling to explain is how I have 3 other test environments where I don't encounter this issue and have NOT shared the connection(s) with the service principal. The pipelines within each of these environments run perfectly. See example below of the sharing of the Dataverse connection.

Thanks for the support, this has helped me move forward with this environment.

Rob

Was this reply helpful? Yes No