
Hello!
I created a canvas app for my customer that uses Dataverse and custom connectors to Azure OpenAI. The app is used by my customer's (Customer) employees and one other organization's (Collab-org) employees, and both organizations have different Microsoft tenants. Now one of Collab-org's employees can't open the canvas app because she can't sign in to Dataverse in the default Power Apps sign-in window. Do you know how this could be fixed? I appreciate your help. Below is some more information:
When she tries to sign in she gets this error message: Input parameters are invalid. See details for more information. Details: OAuth2Certificate Authorization Flow failed for service Dynamics CRM Online Certificate. Sign-in with Azure Active Directory account xxx failed, due to a tenant isolation policy for tenant xxx.
When she tries to create a connection for Dataverse, she can only see blank dropdowns where she is supposed to choose the connection.
She is the only one to report this kind of behavior, and other employees from Collab-org haven't had any problems with signing in. I checked the Power Platform cross-tenant policies and it was set on. I then whitelisted Collab-org, but it didn't help; in fact, after that, when she tried to open the app, she got in, but after a few minutes she got back to the same problem. Access to the app and Dataverse was shared with a Microsoft Entra ID security group, but I tried to share the app and Dataverse directly with her, and it didn't work either; she is still getting the same error.
I went to check the sign-in log in Entra ID and there was one successful sign-in to Dataverse, probably from when she successfully opened the app for a while after whitelisting Collab-org in the cross-tenant policies. What was interesting, there weren't any failed logs of signing in to Dataverse.
But in the sign-in log I could find the Power Platform sign-in logs, and they had failed with error code 700084 and Failure Reason: "The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of {time}, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on {issueDate}."
Thank you for your answers!
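An added example, not from the original post or from any Microsoft tooling: a small Python triage script that separates the one successful Dataverse sign-in from the AADSTS700084 (expired SPA refresh token) failures described above and measures how long after the success the failures begin, so the "worked for a few minutes, then broke" pattern can be confirmed from a sign-in log export rather than by eye. The records are constructed and follow the field names of the Microsoft Graph signIn resource (appDisplayName, resourceDisplayName, userPrincipalName, createdDateTime, status.errorCode, status.failureReason); the user, timestamps and app/resource names are placeholders, and the tenant-isolation check is a text match on the failure reason, which in the post's case appeared in the connector error rather than in the sign-in log.

```python
import json
from datetime import datetime

# AADSTS700084: refresh token issued to a single-page app has expired (from the post).
SPA_REFRESH_TOKEN_EXPIRED = 700084

# Constructed sample export in the shape of Microsoft Graph signIn records.
# Placeholder user, timestamps and app names; 50058 (silent sign-in failed)
# is included only as an unrelated failure to show the "other" bucket.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-05-06T08:00:12Z",
     "userPrincipalName": "user@collab-org.example",
     "appDisplayName": "Power Apps", "resourceDisplayName": "Dataverse",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2024-05-06T08:07:40Z",
     "userPrincipalName": "user@collab-org.example",
     "appDisplayName": "Power Apps", "resourceDisplayName": "Power Platform",
     "status": {"errorCode": 700084,
                "failureReason": "The refresh token was issued to a single page app (SPA), "
                                 "and therefore has a fixed, limited lifetime ..."}},
    {"createdDateTime": "2024-05-06T08:09:03Z",
     "userPrincipalName": "user@collab-org.example",
     "appDisplayName": "Power Apps", "resourceDisplayName": "Power Platform",
     "status": {"errorCode": 700084,
                "failureReason": "The refresh token was issued to a single page app (SPA) ..."}},
    {"createdDateTime": "2024-05-06T08:10:15Z",
     "userPrincipalName": "user@collab-org.example",
     "appDisplayName": "Power Apps", "resourceDisplayName": "Power Platform",
     "status": {"errorCode": 50058, "failureReason": "Silent sign-in failed (constructed)."}},
    {"createdDateTime": "2024-05-06T08:11:00Z",
     "userPrincipalName": "colleague@collab-org.example",
     "appDisplayName": "Power Apps", "resourceDisplayName": "Dataverse",
     "status": {"errorCode": 0, "failureReason": "Other."}},
])


def load_sign_ins(text):
    """Parse an exported JSON array of signIn records and attach a parsed timestamp."""
    records = json.loads(text)
    for rec in records:
        # Graph emits 'Z'; datetime.fromisoformat needs an explicit offset on older Pythons.
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return records


def classify(rec):
    """Bucket one record: success, SPA refresh-token expiry, tenant isolation, or other failure."""
    status = rec.get("status") or {}
    code = int(status.get("errorCode") or 0)
    reason = " ".join(str(status.get(k) or "") for k in ("failureReason", "additionalDetails"))
    if code == 0:
        return "success"
    if code == SPA_REFRESH_TOKEN_EXPIRED:
        return "spa_refresh_expired"
    if "tenant isolation" in reason.lower():
        return "tenant_isolation"
    return "other_failure"


def triage(records, upn):
    """Summarise one user's sign-ins: counts per bucket, failing resources, and the
    delay (seconds) between the first success and the first failure that follows it."""
    mine = sorted((r for r in records if r.get("userPrincipalName") == upn), key=lambda r: r["ts"])
    counts = {"success": 0, "spa_refresh_expired": 0, "tenant_isolation": 0, "other_failure": 0}
    failing_resources = set()
    first_success = first_failure_after = None
    for rec in mine:
        kind = classify(rec)
        counts[kind] += 1
        if kind == "success":
            first_success = first_success or rec["ts"]
        else:
            failing_resources.add(rec.get("resourceDisplayName", ""))
            if first_success is not None and first_failure_after is None:
                first_failure_after = rec["ts"]
    gap = None
    if first_success is not None and first_failure_after is not None:
        gap = int((first_failure_after - first_success).total_seconds())
    return {"counts": counts,
            "failing_resources": sorted(failing_resources),
            "seconds_from_first_success_to_next_failure": gap}


if __name__ == "__main__":
    print(triage(load_sign_ins(SAMPLE_EXPORT), "user@collab-org.example"))
```

Run against a real export, the useful signal is a success for the Dataverse resource followed within minutes by repeated 700084 failures for the Power Platform resource and no Dataverse failures at all, which matches what the post describes; a non-empty tenant_isolation bucket would instead point back at the cross-tenant policy.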