JimmyJams
Advocate I

Add member to group instant flow failing - how to run in the context of another user?

99% sure I have a permissions issue but not sure how to resolve it. Asked a question ages ago in Power Automate community with no response, hoping someone here might have an idea.

 

My app is connected to a flow and passes along a few variables including a user's email address. The flow adds the user to their appropriate groups. Worked for me, shared the app with a colleague, fails for them. The flow says it's "Forbidden." Output shows:

 

{
    "statusCode": 403,
    "headers": {
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding",
        "Strict-Transport-Security": "max-age=31536000",
        "request-id": "a7ba0852-9a7b-4ec8-bf48-2b136f8aab05",
        "client-request-id": "deleted",
        "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"West US\",\"Slice\":\"E\",\"Ring\":\"4\",\"ScaleUnit\":\"003\",\"RoleInstance\":\"deleted\"}}",
        "x-ms-resource-unit": "1",
        "Timing-Allow-Origin": "*",
        "x-ms-apihub-cached-response": "true",
        "Cache-Control": "no-cache",
        "Date": "Thu, 16 Dec 2021 18:11:45 GMT",
        "Content-Type": "application/json",
        "Content-Length": "331"
    },
    "body": {
        "error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
            "innerError": {
                "date": "2021-12-16T18:11:45",
                "request-id": "deleted",
                "client-request-id": "deleted"
            }
        }
    }
}

 


So permissions issue probably, and probably related to a service account. The flow is shared and co-owned to myself, my colleague, and the service account. I noticed the account connections on the flow page has myself and the service account listed as active connections. Not sure why I'm listed though, in the flow itself all actions in the flow are using the service account, but the next part supports this. 

 

The flow is set to use the service account for all 'add to group' actions. So I removed myself from the connections. The flow was very unhappy about this, I had to go back through and re-select the service account. This makes me think that even though the action said it was using the service account, it was still relying on my account's connection.


Now when I run the flow, I'm just like my colleague and everything is failing for the both of us. Except for the very first Add to Group. Which is weird. Why that one?


Peeking at the code gives me a glimpse with the connection name:

 

{
    "inputs": {
        "host": {
            "connectionName": "shared_office365groups_3",

 


The service account is listed twice. If I change it, the other shows "shared_office365groups" for the name instead of the _3. If I use the connection without the _3 it fails, and if I change it back it works. Yet if I go to any other group actions and use the connection that will show shared_office365groups_3, they still fail with the same permission issue.

 

Now I noticed in all the back-and-forth testing that every time I save the flow and re-add it back to the app like we have to do (unless that's been fixed) it asks me to re-allow the 365 Connections. And under my account was subtle light grey text of "Switch Account". Could it be that simple?! I click it, change it to the service account, add the email and sure enough it worked.


I call up my colleague, have him go to the app, switch account... and he's the only name listed there. Go to create a new connection, it adds his name a second time. Still no service account. More grey hairs, closer to becoming Gandalf. At least there's some silver lining, pun intended.

 

So we go back into the flow as my colleague, we can see the service account being used, but for the sake of it, we add a new connection with the service account. Go through the 20-step process to save and re-add the flow back to the app, and same issue with the connection not showing when he tries to switch the account. Absolutely maddening.

 

Thank you for listening to explanation/rant. Any chance someone out there has dealt with this and can offer assistance?

 

Here is the previous power automate community post in case that helps:

Add to Groups Failing - Power Platform Community (microsoft.com)
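
An added example (not part of the original post and not Microsoft tooling): a small audit that walks a flow definition and reports connectors whose actions are bound to more than one connection, as with shared_office365groups and shared_office365groups_3 above. The sample definition is constructed; only inputs.host.connectionName comes from the post, while the action names, the "actions"/"else" nesting and the trailing _N naming convention are assumptions.

```python
import re
from collections import defaultdict


def _act(conn):
    # Helper for the constructed sample: an action bound to one connection.
    return {"inputs": {"host": {"connectionName": conn}}}


# Constructed sample flow definition (assumed layout, see lead-in).
SAMPLE_DEFINITION = {
    "actions": {
        "Add_member_to_group": _act("shared_office365groups_3"),
        "Compose_note": {"inputs": "no connection here"},
        "Condition": {
            "actions": {"Add_member_to_group_2": _act("shared_office365groups")},
            "else": {"actions": {"Add_member_to_group_3": _act("shared_office365groups")}},
        },
    }
}


def walk_actions(actions, path=""):
    """Yield (action path, connectionName) for every action, nested ones included."""
    for name, body in actions.items():
        here = f"{path}/{name}" if path else name
        inputs = body.get("inputs")
        host = inputs.get("host", {}) if isinstance(inputs, dict) else {}
        if host.get("connectionName"):
            yield here, host["connectionName"]
        # Containers hold children under "actions"; conditions also under "else".
        yield from walk_actions(body.get("actions", {}), here)
        yield from walk_actions(body.get("else", {}).get("actions", {}), here + "/else")


def connections_by_connector(definition):
    """Map connector -> connection name -> list of action paths using it."""
    grouped = defaultdict(lambda: defaultdict(list))
    for action, conn in walk_actions(definition.get("actions", {})):
        connector = re.sub(r"_\d+$", "", conn)  # assumed: _N marks an extra connection
        grouped[connector][conn].append(action)
    return grouped


def mixed_connectors(definition):
    """Return only connectors whose actions do not all share one connection."""
    grouped = connections_by_connector(definition)
    return {c: dict(m) for c, m in grouped.items() if len(m) > 1}
```
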

1 ACCEPTED SOLUTION

Accepted Solutions
JimmyJams
Advocate I

We were about to try Jeff's suggestion and place my colleague as an owner in all the groups, but when he logged into the app yesterday, the service account started appearing with the "Switch Account" option. Using it added the groups as expected.

 

The only thing different that we tried several days ago was editing the flow, logged in as my colleague, and adding the service account as a connection.  Immediately after making the changes and re-adding the instant flow to the app, he still couldn't select the service account. 

 

I guess there was a delay between adding permissions to the flow and the app picking up on those changes. 


3 REPLIES 3
Jeff_Thorpe
Super User

If the flow is being called from the Power App then the flow is running under the context of the user. If the user doesn't have permissions to update the group then the flow will fail. If it is a scheduled flow then it will run under the context of those connections you see in the flow.



JimmyJams
Advocate I

Hi Jeff, it's an instant flow that runs on command from the Power App. But that would somewhat make sense why the first action in the flow would succeed. Just not sure why my colleague is unable to choose the service account when loading up the app after making a change on the flow.

 

If he were able to do that, then he'd be able to successfully run the instant flow like I can with the context of the flow. 

 

Maybe will just have to go the route of making the colleague an owner on all those groups. If that's the route we go, thank goodness for unsubscribe I suppose.

