Admin | Sync Template v4 (AI Events) failing - some users azureid not listed

[heatheronder]

Does this question already exist in our backlog?

• I have checked and confirm this is a new question.

What is your question?

I am getting some errors in Admin | Sync Template v4 (AI Events) and Admin | Sync Template v4 (Connection Identities) due to null/invalid users.

Here is an example from the AI Events flow. This is being being appended to the AIEventsArray:
{
"CreditsConsumed": 200,
"UserId": null,
"ProcessingDate": "2024-07-22T08:04:21Z",
"AIEventId": "6ad82fae-4158-4d4a-814e-014672af1a79"
}
This causes the flow to fail at "See if already in User Table" because filter rows is invalid - admin_powerplatformuserid eq

And from Connection Identities, it is failing on "Get user profile (V2)" because the connection creator is invalid (no longer exists in our tenant).

I am looking for suggestions on how to handle these situations in these 2 flows so they will run without errors. Thank you!

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.33

What app or flow are you having the issue with?

Admin | Sync Template v4 (Connection Identities) and (AI Events)

What method are you using to get inventory and telemetry?

Data Export

[heatheronder]

I drilled down a bit further and I may have a solution for the Connection Identities flow. I believe our CoE account is missing permissions to one environment. Ignore that for now....

For AI Events, the ultimate failure is on the Error Handling scope.

[heatheronder]

Here is another issue with Connection Identities - it it failing to add an orphaned user because the user already exists. If it already exists, why didn't "See if Orphan already in User Table" find them?

[Jenefer-Monroe]

For the issue where you are missing permission in some environments, please see #8119

Here is more detail:

New PIM Feature and the Kit

Hello likely you have been impacted by new product behavior that shipped recently around the way the product treats privileged roles (ex Power Platform Admin role, Global Admin role)

While there is a workaround we can put into the kit to fix this directly, we cannot ship it with the kit until the workaround is available in all regions. Hopefully for the July release.

The product change

Here is information about the product feature: Manage admin roles with Microsoft Entra Privileged Identity Management

How to check if this is the case

1. Validate the user running the flow has direct and permanent assignment to the Power Platform Admin role.
2. Take one of the target environments in your repro, one of the environments which is failing, and make sure the user running the flow has System Admin security role in that target environment.

How to address and More information

Please see #8119 for a write up on this change.
Included also is a workaround you can do until we can have it natively in the kit.

[Jenefer-Monroe]

For this failure

We do have a few spots like this in the kit where you may see intermittent failures of the same entry trying to get added twice.
It will not repro on rerun ad the identity will already exist.

[Jenefer-Monroe]

For this error

It just means that you havent run the metadata flow to get hte new flows integrated into the kits metadata.
Please run Admin | Sync Template v3 CoE Solution Metadata

Please use the setup wizard after each upgrade as it will do this for you automatically and ensure all new flows are on / all new env vars are exposed / etc

Use the setup wizard

Its highly recommended that you use the Setup Wizard to walk you through setup and upgrades. It will ensure all the new flows are turned on in the correct order, trigger things like population of the bookmarks screen and do other cleanup steps needed.
You should do this both for upgrades and clean installs.
To use it, first perform the import of the solution install or upgrade manually, then boot the app and walk through the screens.

[heatheronder]

Issue is persisting with the AI Events flow. I got another email with the failure from last night's run. The UserIds are all null. The setup wizard was run after I upgraded the kit Friday.

I'll go ahead and run it again to see if that helps.

Here is the current error with AI Events

[Jenefer-Monroe]

This is a different issue than the one you posted originally. That was a race condition on adding a record to Dataverse.

[Jenefer-Monroe]

Please go up in the flow run and see what happens here:

• How many loops does it go through?
• What is returned in the "CurrentAiEvent" step?

[heatheronder]

Sorry for posting two issues at once. Here is a screenshot of one of the failure AI Events flows.

CurrentAiEvent:
{
"@odata.type": "#Microsoft.Dynamics.CRM.msdyn_aievent",
"@odata.id": "https://org4c390708.crm.dynamics.com/api/data/v9.1.0/msdyn_aievents(6ad82fae-4158-4d4a-814e-014672af1a79)",
"@odata.etag": "W/"24788776"",
"@odata.editLink": "msdyn_aievents(6ad82fae-4158-4d4a-814e-014672af1a79)",
"msdyn_creditconsumed@OData.Community.Display.V1.FormattedValue": "200",
"msdyn_creditconsumed": 200,
"msdyn_processingdate@OData.Community.Display.V1.FormattedValue": "7/22/2024 8:04 AM",
"msdyn_processingdate@odata.type": "#DateTimeOffset",
"msdyn_processingdate": "2024-07-22T08:04:21Z",
"msdyn_aieventid@odata.type": "#Guid",
"msdyn_aieventid": "6ad82fae-4158-4d4a-814e-014672af1a79",
"createdby@odata.associationLink": "https://org4c390708.crm.dynamics.com/api/data/v9.1.0/msdyn_aievents(6ad82fae-4158-4d4a-814e-014672af1a79)/createdby/$ref",
"createdby@odata.navigationLink": "https://org4c390708.crm.dynamics.com/api/data/v9.1.0/msdyn_aievents(6ad82fae-4158-4d4a-814e-014672af1a79)/createdby",
"createdby": {
"@odata.type": "#Microsoft.Dynamics.CRM.systemuser",
"@odata.id": "https://org4c390708.crm.dynamics.com/api/data/v9.1.0/systemusers(f0163578-d668-ed11-9561-0022482db56a)",
"@odata.editLink": "systemusers(f0163578-d668-ed11-9561-0022482db56a)",
"azureactivedirectoryobjectid": null,
"systemuserid@odata.type": "#Guid",
"systemuserid": "f0163578-d668-ed11-9561-0022482db56a",
"ownerid@odata.type": "#Guid",
"ownerid": "f0163578-d668-ed11-9561-0022482db56a"
}
}

[Jenefer-Monroe]

Will have to get some credits to investigate this one, not sure why its not returning the users AzureID.

[heatheronder]

I think this is the problem. This is the user tied to the id that is null.

Somehow all the actions are getting logged under an application not an actual user which is why it doesn't exist in Entra ID.

[Jenefer-Monroe]

thanks for investigating!

[Jenefer-Monroe]

Fix which is not perfect but which allows it to stop failing is to put in our SYSTEM USER ID when there is no Azure Object ID

{
  "CreditsConsumed": @{outputs('CurrentAIEvent')?['msdyn_creditconsumed']},
  "UserId": @{coalesce(items('eachAIEvent')?['createdby/azureactivedirectoryobjectid'], parameters('CoE System User ID (admin_CoESystemUserID)'))},
  "ProcessingDate": @{items('eachAIEvent')?['msdyn_processingdate']},
  "AIEventId": @{items('eachAIEvent')?['msdyn_aieventid']}
}

I happened to have to fix this flow for August due to another issue so I went ahead and fixed this too.

[Jenefer-Monroe]

fixed in August release https://github.com/microsoft/coe-starter-kit/releases/tag/CoEStarterKit-August2024