cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
Neville
Neville
Level: Powered On

UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-01-2019 03:33 PM

Hi.  What's the missing ingredient in this recipe?

Create a PowerApp for a SharePoint Online (list named "Spotlight") and bypass the horrible-user-experience that prompts the "Almost there..." consent dialog.almostthere.png

 

Used a SharePoint Admin account that is also the "Spotlight" PowerApp Creator, Owner and Publisher...Owner.png

Also ensuring that the account is an o365 Global Admin...GlobalAdmin.png

Also account has a P2 license (just in case)...P2.png

And ensuring account is the PowerApps Environment Admin...

EnvAdmin.png

On a local machine open PowerShell ISE as local admin, and successfully executive and authenitcate using...

Add-PowerAppsAccount

And (double-checking the App ID correct) then execute...

Set-AdminPowerAppApisToBypassConsent -AppName xxxxxxxx-xxxx-xxxx-xxxx-9af945177a94

And it returns this permissions error:

Invoke-WebRequest : {"error":{"code":"EnvironmentAccess","message":"The user with object id 'xxx' in tenant 'xxx' does not have access to permission 'Set PowerApps Connection Direct Consent Bypass' in environment 'xxx'. Error Code: 'UserMissingRequiredPermission'"}}

Message 1 of 9
296 Views
0 Kudos
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Neville
Neville
Level: Powered On

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-02-2019 09:12 AM

DON'T USE WINDOWS SERVER!!!

I had overlooked that little admonition in my notes from a year ago.  So on my local local Windows10Enterprise x64 box I opened PowerShell ISE as admin, installed the PowerApps modules, and all subsequent commands succeeded.  That's 24-hours I wish I could have back...

View solution in original post

Message 6 of 9
261 Views
Reply
8 REPLIES 8
Pstork1
Dual Super User
Dual Super User

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-01-2019 04:50 PM

The only requirement should be that you are a Global Admin in the Tenant and that the Oauth permissions were created when you setup the app.  I think you should go back and try again, but don't skip the "Almost There..." dialog.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Message 2 of 9
291 Views
0 Kudos
Reply
Neville
Neville
Level: Powered On

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-02-2019 07:05 AM

Just to clarify... The Admin account has completed the consent dialog, and verified the connection to the SPO-list on Admin profile.  We are seeking now only to bypass consent for the rest of the members of the tenancy.

Message 3 of 9
280 Views
0 Kudos
Reply
Neville
Neville
Level: Powered On

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-02-2019 07:11 AM

...adding @iAm_ManCat to this thead as he seems very knowledgable in this area of consent-bypass.

we have successfully executed these commands about a year ago, but it was in "default" environment and the platform appears to have changed siginificantly since then

Message 4 of 9
278 Views
Reply
Pstork1
Dual Super User
Dual Super User

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-02-2019 07:13 AM

The only two requirements that should be in play then are that the user running the PowerShell command is a global Admin for the tenant and has a PowerApps P2 license.  I would double check to make sure that you are logged in through PowerApps with credentials that have those requirements fulfilled. I know you said you already checked that, but those are the only requirements for that command.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Message 5 of 9
277 Views
Reply
Neville
Neville
Level: Powered On

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-02-2019 09:12 AM

DON'T USE WINDOWS SERVER!!!

I had overlooked that little admonition in my notes from a year ago.  So on my local local Windows10Enterprise x64 box I opened PowerShell ISE as admin, installed the PowerApps modules, and all subsequent commands succeeded.  That's 24-hours I wish I could have back...

View solution in original post

Message 6 of 9
262 Views
Reply
iAm_ManCat
Super User
Super User

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-02-2019 09:17 AM

Using Windows server might be to do with your SSO for that server, or the version of PowerShell that it's running, glad you managed to figure it out! Cat Very Happy

 

I've had this issue before when trying to run some commands locally (as it would then SSO as my non-admin user, which does not have global admin rights), so would always do it on my local machine with an elevated PowerShell ISE running under my admin creds.

 

Cheers,

ManCat



Don't forget to 'Mark as Solution' if a post answered your question and always 'Thumbs Up' the posts you like or helped you!
Message 7 of 9
253 Views
Reply
Pstork1
Dual Super User
Dual Super User

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-02-2019 09:38 AM

Yes, all these PowerShell commands should be run from a client workstation and not a server.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Message 8 of 9
241 Views
0 Kudos
Reply
Neville
Neville
Level: Powered On

Re: UserMissingRequiredPermission when setting Connection-Direct-Consent-Bypass

‎08-02-2019 09:47 AM

@iAm_ManCat : that was precisely my fear! that SSO would require the local-machine-admin be SharePoint-Online-Admin too ( I've learned in the past, as we all probably have, that SSO highjacks even "incognito" browser sessions) 

So I retreated to a remote-desktop-session on a remote-Windows-Server-box where I knew I could operate exclusively as SharePoint-Online-Admin and simultaneous local-admin and not worry about an overlap of session tokens.

Only out of frustration did I finally execute on my local-machine. Even with my local-daily-user-account I only authenticated as the SharePoint-Online-account when prompted by executing the "Add-PowerAppsAccount" command. And it all worked!

So I learned these interesting lessons: TL:DR : The account running the admin-elevated PowerShell-session locally does NOT need to be the same as the PowerApps-admin account executing the commands in the cloud. (plus, as stated earlier, never use Windows Server for this)

Message 9 of 9
240 Views
Reply

Helpful resources

Announcements
thirdimage

Power Automate Community User Group Member Badge

Fill out a quick form to claim your user group badge now!

sixthImage

Power Platform World Tour

Find out where you can attend!

Power Platform 2019 release wave 2 plan

Power Platform 2019 release wave 2 plan

Features releasing from October 2019 through March 2020

fifthimage

Microsoft Learn

Learn how to build the business apps that you need.

View All
Top Kudoed Authors (Last 30 Days)
View All
Users online (6,403)