[CoE Starter Kit - BUG] Admin | Audit Logs | Sync Audit Logs (V2) not working correctly with 401 error

[jax-coe-admin]

Does this bug already exist in our backlog?

• I have checked and confirm this is a new bug.

Describe the issue

We are attempting to convert to the "Sync Audit Logs" flow within the Core solution from the deprecated "Audit Logs" solution. When we run the "Admin | Audit Logs | Office 365 Management API Subscription" flow with START we get a 401 error instead of a 400. When we attempt to run the new "Admin | Audit Logs | Sync Audit Logs (V2)" flow, we also get a 401 error.

Following the documentation here

Since we are coming from previous solution, App registrations is already complete:

API permissions:

Certificates & secrets

Environment Variables:

"Admin | Audit Logs | Office 365 Management API Subscription" results after being run with START:

OUTPUTS Body:
{
"error": {
"code": "AF10001",
"message": "The permission set () sent in the request does not include the expected permission."
}
}

OUTPUTS Body:
{
"operation": "START",
"response": "{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}",
"statuscode": "401"
}

The flow completed with Success despite the error.

Assuming this was normal, tested the new "Admin | Audit Logs | Sync Audit Logs (V2)" and received a Failed status:

Expected Behavior

"Admin | Audit Logs | Office 365 Management API Subscription" should give 400 error and "Admin | Audit Logs | Sync Audit Logs (V2)" should complete sucessfully.

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.11

What app or flow are you having the issue with?

Admin | Audit Logs | Sync Audit Logs (V2)

What method are you using to get inventory and telemetry?

Cloud flows

Steps To Reproduce

1. Enable and run new Sync Audit Log flows

Anything else?

This the same registration information being used by the Custom Connector for the deprecated solution

[manuelap-msft]

I think you've missed updating the App registration, see:

Update app registration

1. Browse to your app registration.
2. API Permissions > Remove the delegated permissions to Office 365 Management APIs ActivityFeed.Read

3. Add instead Application permissions to Office 365 Management APIs ActivityFeed.Read and get it granted for the organization
   

Here are the detailed steps on how to move from using the custom connector to the new HTTP method for collecting audit logs:
#6009

[jax-coe-admin]

I overlooked the permission type on the registration and I'm working on getting the correct permission added.

I will update once I get this complete.

Thanks!

[jax-coe-admin]

This is all set.

I can confirm that I missed the change in API permission from Delegation to Application.

Once the correct API permission was added and consented, the "Admin | Audit Logs | Office 365 Management API Subscription" flow completed with the expected 400 response.

Thank you, Manuela!

[Jenefer-Monroe]

Wonderful news, thank you for letting us know!