[CoE Starter Kit - QUESTION] CoE Sync Flow Fails While Assigning System Administrator Role to Power Platform Admin

[Krisoo7]

Does this question already exist in our backlog?

• I have checked and confirm this is a new question.

What is your question?

We are getting error stating Sync Flows in the CoE Starter Kit have failed. Upon checking the run history (for the specified flow), we found that it is trying to add our Power Platform admin account as system administrator to Teams environments. We are getting this error for all the Teams environments. As per Microsoft, Power Platform admin is automatically added as system administrator. Could you please help us on how to fix these errors?

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.43

What app or flow are you having the issue with?

HELPER - Driver Escalation Check

What method are you using to get inventory and telemetry?

None

[pbattini]

@Krisoo7 Can you please share the error log from a failed flow action? This will help us better understand the issue.

[Krisoo7]

@pbattini I am not able to attach the error screenshot here. Can you please guide to do the same ?

[Krisoo7]

@***@***.***> PFA. FYI, user mentioned is our service account which has Power Platform admin role and security group is Teams Team which is linked 1:1 when a Teams environment is created. Best Regards, Kamlesh Rai Ameriprise India LLP Plot No 14, Sector 18, Udyog Vihar Gurugram, Haryana, India – 122015 From: pbattini ***@***.***> Sent: Tuesday, February 4, 2025 6:54 PM To: microsoft/coe-starter-kit ***@***.***> Cc: Rai, Kamlesh ***@***.***>; Mention ***@***.***> Subject: [EXTERNAL] Re: [microsoft/coe-starter-kit] [CoE Starter Kit - QUESTION] CoE Sync Flow Fails While Assigning System Administrator Role to Power Platform Admin (Issue #9569) CAUTION: This email is from outside the organization. DO NOT CLICK a link or open an attachment unless you know the content is safe and are expecting it from the sender. If in doubt, contact the sender separately to verify the content. @Krisoo7<https://github.com/Krisoo7> Can you please share the error log from a failed flow action? This will help us better understand the issue. — Reply to this email directly, view it on GitHub<#9569 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BPD2WWCENVQNLV6YZ36WSMD2OC5N5AVCNFSM6AAAAABWMO4YPCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMZTHEYDKNRZHE>. You are receiving this because you were mentioned.Message ID: ***@***.***> ****************************************************************************** “This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply email, or call, and immediately and permanently delete the message and any attachments. Thank you.” ******************************************************************************

[Krisoo7]

@pbattini Let me know if you need any further details.
 {
"errors": [
{
"Subject": "Result",
"Description": "User 0c3a27ca-5c8a-4cc2-a0e7-ef151864f21d is not part of security group cfb3b8e2-b982-4ab5-a919-ca2b0b8ca49e",
"Code": "userNotPartOfSecurityGroup"
},
{
"Subject": "InnerException",
"Description": null,
"Code": null
},
{
"Subject": "AdditionalData",
"Description": null,
"Code": null
}
],
"information": [
{
"Subject": "Result",
"Description": "["SyncMode: Default","Instance 09923ac6-8c37-ee11-8475-002248282d39 exists","Instance 09923ac6-8c37-ee11-8475-002248282d39 in enabled state","Instance Url found https://org34744879.crm.dynamics.com","User found in AD tenant","User in enabled state in AD tenant","User 0c3a27ca-5c8a-4cc2-a0e7-ef151864f21d is not part of security group cfb3b8e2-b982-4ab5-a919-ca2b0b8ca49e"]",
"Code": "userNotPartOfSecurityGroup"
},
{
"Subject": "AdditionalResultDetails",
"Description": "",
"Code": null
},
{
"Subject": "RequestId",
"Description": "e33b1410-85d4-4383-8161-d69f839270cd",
"Code": null
},
{
"Subject": "CorrelationId",
"Description": "2223d7f0-2ffa-4379-9afd-485cbc73ff75",
"Code": null
},
{
"Subject": "SystemUserId",
"Description": null,
"Code": null
},
{
"Subject": "SecurityGroupId",
"Description": "cfb3b8e2-b982-4ab5-a919-ca2b0b8ca49e",
"Code": null
},
{
"Subject": "Timestamp",
"Description": "2/3/2025 4:03:10 AM",
"Code": null
}
]
}

[pbattini]

@Krisoo7 : Thanks for the details. Based on the error log you shared : "User 0c3a27ca-5c8a-4cc2-a0e7-ef151864f21d is not part of security group cfb3b8e2-b982-4ab5-a919-ca2b0b8ca49e", I see that the issue is that the user being added to the environment is not part of the environment’s 'Security Group'.

Please refer to the following screenshot on how to find the environment’s security group from Power Platform Admin Center.

[Krisoo7]

@pbattini The action is being performed for all the Teams environments in the tenant and hence, getting same error for all of them. Teams' environment security group is tied to Microsoft 365 group and as a admin we don't have control over it.
Also, as per Microsoft, Power Platform Admin (the user has the same role) is automatically added as System Administrator to Teams environment. Could you please suggest further ?

[SSSTREDDD]

Likely related to: #9270

[pbattini]

@Krisoo7 Please check this Manage admin roles . Microsoft no longer automatically assigns the System Administrator role to users with global or service level admin roles such as Power Platform Administrator and Dynamics 365 Administrator.

Also please refer: #9270 on 'Direct' membership.

[Krisoo7]

@pbattini "Manage admin role" this is not applicable here. User already have the Power Platform admin role assigned but via group membership.
Does this mean that the account who install and own the product should have directly assigned Power Platform admin role rather than assigned via group membership for the flow to work?
If not, then we will get the error? Could you please confirm?