Model-Driven Apps Error AppContextLoader:502 UciError: 502

(0) Share

Report

Posted on by Razen_Cee

Hi, we created a Model-Driven App that connects to Dataverse tables. We are also managing our users using the Power Platform Admin Center. We created a Custom role for example "App - Business Users".

When we shared the App to 3 Users with the custom role they've received an error.

I switched their roles to System Customizer and asked them to access the App then it worked. I asked CoPilot about this and mentioned "custom security role was missing required read permissions on certain Dataverse system tables". It also mentioned one-time initialization ("bootstrap") including Loading app metadata, Creating per-user app settings, UCI, and Caching the user's effective permissions. The custom role was incomplete that's why the initialization failed and returned the 502 / AppContextLoader error.

Assigning the Users to System Customizer bypasses all those missing permissions but we don't want to assign the Users in the System Customizer in a long run. I've asked CoPilot which roles I need to modify to make this work and mentioned these

Model-Driven App (appmodule) → Read = Organization
App Action → Read = Organization
Security Role → Read = Organization
User → Read = Organization
Business Unit → Read = Organization
Model-Driven App User Setting (appusersetting) → Read = Organization

I did the work and changed their roles back from System Customer to App - Business Users then asked the Users again to login and it worked. After couple of hours 2 out of 3 of Users received this error again but only 1 has able to logged in the App and mentioned it prompted a Microsoft Sign In then it worked. A day passed then all of them cannot access now the app, so I switched them back all to System Customer role. I've attached the screenshots of the access I've changed in the Admin Center for the Custom role App - Business Users.

CoPilot mentioned that another option is use Incognito to open the App and forced Sign the User but that option is disabled in our Organization. Another is Revoke the Sessions but we don't have that kind of access. Lastly is the Password Reset for each of users that forces the User to login again and forces token invalidation but I don't want to go to this route yet unless I'm really sure this is the fix.

Next step we did is we moved the Solution with the App to another environment with correct Custom role and shared the App again to our users and still received the same issue.

Are there any missing settings I'm missing other than what CoPilot suggested?

Settings 3.png

Settings 2.png

Model-Drive App S...

Your file is currently under scan for potential threats. Please wait while we review it for any viruses or malicious content.

Categories:

Building Power Apps

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (5)

Answers (0)

Sort by

Suggested answer

11manish 2,983 on at

Like (0)

Report
Copy link

Link copied!
Your issue is happening because your custom role does not fully replicate the minimum required “User-level” privileges needed by a Model-Driven app, and the system behaves inconsistently due to cached permissions/tokens.

Assigning System Customizer works because it includes all required baseline privileges.

Your custom role still misses some of those, even if it worked temporarily.

Was this reply helpful? Yes No
Razen_Cee 4 on at

Like (0)

Report
Copy link

Link copied!

@11manish Hi Manish, so I've taken a look at the default App Opener role and all the access to assigned to it has similar setup with our Custom Role.

Is this a subscription issue for those users? Maybe they're missing a Power Apps per User plan license? or just a clear browser cache will do?

Any recommendations?

Was this reply helpful? Yes No
11manish 2,983 on at

Like (0)

Report
Copy link

Link copied!
Razen_Cee

Not a license/subscription problem
Not a browser issue

It’s a missing privilege during app initialization, exposed after session refresh

The fact that it works with System Customizer is your strongest proof.

Was this reply helpful? Yes No
Suggested answer

Razen_Cee 4 on at

Like (0)

Report
Copy link

Link copied!

Thanks for the answers. I think we found out the issue. The I've sent is very generic and doesn't explicitly tell you what the issue is. The missing part is that the users who are receiving this error doesn't have a Power Apps Per User Plan license. It's really important to make sure the custom roles has been setup properly but whether you have missing subscriptions or access in the role the error doesn't give much details on what you are currently missing. In this case I did make sure the App Opener role is somewhat similar to our Custom Role to make sure it atleast access the App without any issues.

The reason why System Customizer works is that it's bypassing license and giving unlicensed users a short sessions when they first authenticate. That's also the reason why Users when they're switched back to their custom roles can access it but also after hours later it will revalidate the license and it will cause again the error.

No Power Apps Per User Plan
↓
User logs in → Microsoft grants a temporary "seeded" session
↓
App loads fine initially
↓
1-2 hours later → Token refresh triggers license re-validation
↓
License check fails → Session invalidated → 502 Error
↓
One user gets Sign-In prompt → Temporary grace renewed → Works briefly
↓
Eventually all users locked out

Hope this helps anyone. Thank you!

Was this reply helpful? Yes No
Vish WR 3,610 on at

Like (0)

Report
Copy link

Link copied!

This isn't a browser cache or licensing issue. Create a new custom role with the required permission and assing the custom role to user

Was this reply helpful? Yes No