Power Automate - General Discussion
Answered

Unexplained user authorisation failure for retrieving password secret from azure key vault

Posted on 13 Jun 2023 15:18:49 by 32

We have started to experience an issue with a Power Automate flow called from a Power App without any changes being applied. Investigation is proving fruitless and we would welcome any ideas or insights.

Our flow

Performs an unbound action (from Dataverse) to RetrieveEnvironmentVariableSecretValue

This was working fine on the 7th June but started failing on the 12th.

We get the following message

Error occured while reading secret: User is not authorized to read secrets from '/subscriptions/{ resource guid }/resourceGroups/{primaryresourcegroup}/providers/Microsoft.KeyVault/vaults/{ keyvaultprimaryname }/secrets/{ secretkeyword }' resource.

One of the users accessing this is the owner of the app, solution and the key vault. The secret has Get access for the Dataverse application.

What is odd is that the secret keyword has a couple of values (for test and live) and in a development environment the Get for the test value works from my development account, but no account can access the live version.

This has occurred across apps and environments.

Looking at the values in the key vault does not shed any light and we have not attempted (yet) any tweaks to recreate any new secrets because of the knock-on effects for the apps and flows.

Please can anyone let us know where we should be looking or if any changes have happened in the key vaults that we need to react to.

Many thanks

  • Verified answer
    PhilB
    32 on 19 Jun 2023 at 08:55:06
    Re: Unexplained user authorisation failure for retrieving password secret from azure key vault

    We have solved the issue with a bit of help from a consultancy company that helped set up things with the key vault to start with. They were a little peeved that they missed the warning notices.

    That article was the key.

    As I understand it, we had initially been set up with the access policy Key Vault access method; the alternative was in preview (it is Role Based Access Control - RBAC). Now things are moving over to RBAC, so we either needed to explicitly allocate users or change.

    Our use of secrets in key vault was not via users, but by application (Dataverse) - the handling of which is implicitly handled via the Dataverse action Perform Unbound Action with the specific action RetrieveEnvironmentVariableSecretValue.

    Switching to RBAC allowed this to carry on as we wanted. I think that any new keys can be set for RBAC and things would be fine. Switching offers up a warning - that things may break (they were anyway). It also needs to be handled by a user with access at the subscription (or resource) level. Not sure the user we have had User Access Administrator.

    To then add Dataverse as an application service principal, a user with Role Based Access Control Administrator privilege is needed - this role has preview in the title so we are probably still in a state of flux.

    The last point to note is that the article talks about checking the application id when Dataverse is granted the access. For us there were 3 Dataverse-type entries. At this point the application id was not apparent, only the object id. Once added and the Role Assignments viewed, the app can be dug into and the application id seen. For us the one simply labelled Dataverse had an application id of 00000007-0000-0000-c000-000000000000.

    From that point all was good, and we did not need to assign user-specific permissions.

  • MikeHatheway
    11 on 16 Jun 2023 at 13:35:52
    Re: Unexplained user authorisation failure for retrieving password secret from azure key vault

    When I try to remove the setting from the environment variable and re-add the values, I get this:

    [screenshot: MikeHatheway_0-1686922410306.png]

    But this user has full access to go to the Azure key vault and read the secret. I have tested manually, and with the "Get Secret" action in Power Automate.

  • SimonB_FP
    15 on 16 Jun 2023 at 11:20:08
    Re: Unexplained user authorisation failure for retrieving password secret from azure key vault

    The following article appears as a solution when raising a case with Microsoft. I can't see this article publicly. I've already implemented the changes recommended in this article and am still experiencing difficulties, so I'm still reaching out to MS.

    Recommended solutions

    This article explains how to fix the following errors:

    • Could not verify the user permission on '...' resource. Make sure that Microsoft.PowerPlatform provider is registered in the Azure subscription.
    • User is not authorized to read secrets from '...' resource.

    In late May with Service Update 23054, we will begin rolling out a few key changes to how Azure Key Vault secrets are implemented with Dataverse environment variables.
    The following updates have been made to the service:

    • The service now validates that the current user has access to the underlying key vault resource value when the environment variable is created, updated, or used. In the past we were only validating the user access when the environment variable was created or updated.
    • The key vault role now validates access checks from Key Vault Reader to Key Vault Secrets User to better align with the purpose of the roles in Azure Key Vault.

    Please monitor the service update site for information on when this update will be deployed to your region.

    How will this affect your organization:

    These changes may impact customer implementations and surface as access denied errors. Specifically in these two areas:

    • Customers that have previously used environment variables with data type of secret can fail if the users have not been granted the specific roles in Azure Key Vault.
    • Some users may start to experience failures in Power Automate flows or custom connectors that use environment variables secrets. This is due to the increase in the scope of operations that now require direct authorization checks.

    How do you fix the error:

    Evaluate all users that interact with the environment variable secrets and ensure that all users that either create, update, or use the environment variable are granted the Key Vault Secrets User role.

    If you are doing this action prior to the deployment of the updated version, consider leaving the existing Key Vault Reader role assigned. Once you have received the updated version you can remove this role if it is no longer needed.

    For additional information, please review Use environment variables in solutions.
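As an added example (not code from the thread, from the quoted Microsoft article, or from any Microsoft tooling), the following Azure CLI script carries out the steps described in the verified answer and in the article above: check whether the vault is on the RBAC permission model rather than access policies, look up the Dataverse service principal by the application id quoted in the verified answer (00000007-0000-0000-c000-000000000000), and grant it, plus any users who create, update or use the environment variable, the Key Vault Secrets User role at the vault scope. The subscription id, resource group, vault name and user object ids are placeholders read from environment variables; the `az` command can be overridden with a stub for dry runs; and the `id` field of `az ad sp show` assumes a recent Azure CLI that returns Microsoft Graph output.

```shell
#!/bin/sh
# Added example, not from the thread: audit and repair Key Vault RBAC for
# Dataverse environment-variable secrets with the Azure CLI.
# Assumes an `az` login that can read the vault and create role assignments
# at the vault scope (for example Owner or User Access Administrator).

AZ="${AZ:-az}"                                            # override with a stub for dry runs
DATAVERSE_APP_ID="00000007-0000-0000-c000-000000000000"   # Dataverse app id quoted in the thread
SECRETS_ROLE="Key Vault Secrets User"                     # role the service update now checks for

# ARM resource id of a vault. This is the scope role assignments are made at,
# and the same path that appears in the "not authorized to read secrets" error.
vault_scope() {
  # $1 subscription id, $2 resource group, $3 vault name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$1" "$2" "$3"
}

# Exit 0 when the vault uses the RBAC permission model, 1 when it still uses
# access policies (the pre-migration state the verified answer describes).
vault_uses_rbac() {
  mode=$("$AZ" keyvault show --name "$1" \
           --query properties.enableRbacAuthorization -o tsv) \
    || { echo "cannot read vault $1" >&2; return 2; }
  [ "$mode" = "true" ]
}

# Object id of the Dataverse service principal in the current tenant
# (the id the answer had to dig out of the role-assignment blade by hand).
dataverse_object_id() {
  "$AZ" ad sp show --id "$DATAVERSE_APP_ID" --query id -o tsv
}

# Number of Key Vault Secrets User assignments a principal already holds at
# the scope, including ones inherited from the resource group or subscription.
count_secrets_user_assignments() {
  # $1 principal object id, $2 scope
  "$AZ" role assignment list --assignee "$1" --scope "$2" --role "$SECRETS_ROLE" \
    --include-inherited --query 'length(@)' -o tsv
}

# Grant the role only when it is missing, so the script is safe to re-run.
ensure_secrets_user() {
  # $1 principal object id, $2 principal type (ServicePrincipal|User|Group), $3 scope
  n=$(count_secrets_user_assignments "$1" "$3") || n=0
  if [ "${n:-0}" -gt 0 ]; then
    echo "already assigned: $1 -> $SECRETS_ROLE"
    return 0
  fi
  "$AZ" role assignment create --assignee-object-id "$1" \
    --assignee-principal-type "$2" --role "$SECRETS_ROLE" --scope "$3"
}

main() {
  # Placeholder configuration supplied by the caller.
  : "${SUBSCRIPTION_ID:?subscription guid}"
  : "${RESOURCE_GROUP:?resource group of the vault}"
  : "${VAULT_NAME:?key vault name}"
  scope=$(vault_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VAULT_NAME")

  if ! vault_uses_rbac "$VAULT_NAME"; then
    echo "$VAULT_NAME still uses access policies; RBAC role assignments will not take effect." >&2
    echo "Migrating is a deliberate change (access-policy grants stop working); the command is:" >&2
    echo "  $AZ keyvault update --name $VAULT_NAME --enable-rbac-authorization true" >&2
    return 1
  fi

  sp=$(dataverse_object_id)
  ensure_secrets_user "$sp" ServicePrincipal "$scope"

  # Users who create, update or use the environment variable (per the article),
  # given as a space-separated list of Entra object ids.
  for u in ${USER_OBJECT_IDS:-}; do
    ensure_secrets_user "$u" User "$scope"
  done
}

# Only run when a vault is configured, so the file can be sourced for its functions.
if [ -n "${VAULT_NAME:-}" ]; then
  main
fi
```

Run it as `SUBSCRIPTION_ID=... RESOURCE_GROUP=... VAULT_NAME=... USER_OBJECT_IDS="id1 id2" sh grant-kv-rbac.sh`. The script deliberately refuses to flip the vault to RBAC on its own: as the verified answer notes, the switch breaks anything still relying on access policies, so it prints the command and leaves that step to a human.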

  • MikeHatheway
    11 on 16 Jun 2023 at 10:59:47
    Re: Unexplained user authorisation failure for retrieving password secret from azure key vault

    I am also seeing this error. Nothing has changed on the config side to my knowledge.

    The action started failing Jun 4th. 

  • SimonB_FP
    15 on 16 Jun 2023 at 10:57:34
    Re: Unexplained user authorisation failure for retrieving password secret from azure key vault

    We're also encountering the same authentication failure, starting this week, without having made any changes to Key Vault or the Power Automate Flow or its dependencies.

    We've found this article that refers to a change in how access permissions should be granted to Dataverse.

    Having said that, we've now made changes to apply the relevant role assignments to both the Dataverse service principal and to individual users.

    Although we can now create and update Environment Variables linked to that Key Vault, the Power Automate Flow is still failing to retrieve the secrets, even though the Key Vault Reader and Key Vault Secrets User roles are present for the user configured in the Dataverse connection reference.

    I'd be interested to hear whether you've made any progress in resolving the issue. I'm going to raise a support case with Microsoft in the meantime and will update if there's any progress with that.
