"Power Platform Export Solution" task error

Hello,

I am trying to build out a small POC pipeline that includes the "Power Platform Export Solution" task via a "Generic" service connection, but I am seeing the error below. I am pretty positive my credentials are correct, so I'm not sure what the issue is and don't understand the following line in particular:

"USER intervention required but not permitted by prompt behavior"

Any suggestions?
Thanks!

------
##[error]Failed to connect to instance: https://{instance}.crm.dynamics.com/. Please verify your credentials for *** and instance url.
ERROR REQUESTING Token FROM THE Authentication context - USER intervention required but not permitted by prompt behavior
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01
Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7
Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to connect to CRM: Response status code does not indicate success: 400 (BadRequest).
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01
Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7
Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to Login to Dynamics CRM
Unable to Login to Dynamics CRM
1 ACCEPTED SOLUTION

Hi @jhoolachan ,

 
Are you using the Service Account for connecting to the Power Platform environment? If not, you need to use a service account to bypass the MFA requirement.
 
The process to set up the service account is mentioned in the below URL, where a PowerShell script has to be executed.
 
I hope this helps to resolve the issue.
Kindly "Accept as solution" if this provides guidance to proceed.
 
 

Hi @M365Architect 

I'm trying to use a Generic service connection with username/password, so that is probably it. Out of curiosity, does the error mean that a Generic connection will never work with Power Platform Build Tools in general, or does it mean my organization requires MFA so a Generic connection will not work with that specific restriction?

Thanks!

 

Hi @jhoolachan 

 

Generic service connections (i.e. username/password authentication) will work IF your user credential's AAD config allows for it. Many AAD admins do configure their user accounts to require additional security/identity confirmation like 2FA/MFA etc.; summarily known as Conditional Access.

 

This is also what happened in your authN attempt via the Build Tools tasks: the particular user account seems to be configured to require a login to come from a domain joined PC/device, but the Azure DevOps build agents are typically not domain joined (certainly not the AzDO hosted agents).

From the error log:

 

USER intervention required but not permitted by prompt behavior AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.

 

Two approaches to work around that:

a) ask the AAD admin to remove those stricter security requirements for that particular user, i.e. enable "Legacy Access"
b) in many enterprises, the above isn't a tolerable approach. Instead, authenticate to CDS using an AppID/AppUser (aka SPN) and a client secret, as @M365Architect  suggested earlier.
More info: https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools#configure-service-connections...
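
Added example, not part of the original thread or of the Build Tools: a small triage script that pulls the JSON token error body out of a task log like the one in the question and tells a Conditional Access block (`interaction_required`, code 53001) apart from other failures. The sample log is shortened from the post; the function names and verdict labels are assumptions of this example.

```python
import json

# Constructed sample: shortened from the task log quoted in the question.
SAMPLE_LOG = (
    "##[error]Failed to connect to instance: https://{instance}.crm.dynamics.com/.\n"
    "Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate "
    'success: 400 (BadRequest). => {"error":"interaction_required",'
    '"error_description":"AADSTS53001: Device is not in required device state: '
    'domain_joined.","error_codes":[53001],'
    '"correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7",'
    '"suberror":"message_only"}: Unknown errorUnable to connect to CRM'
)

def extract_token_errors(log_text):
    """Return every JSON object in the log that carries an "error" field."""
    decoder, found, pos = json.JSONDecoder(), [], 0
    while (start := log_text.find("{", pos)) != -1:
        try:
            obj, pos = decoder.raw_decode(log_text, start)
        except json.JSONDecodeError:
            pos = start + 1  # e.g. the "{instance}" URL placeholder, not JSON
            continue
        if isinstance(obj, dict) and "error" in obj:
            found.append(obj)
    return found

def triage(err):
    """Classify one token error body (verdict labels are this example's own)."""
    codes = err.get("error_codes", [])
    if 53001 in codes:
        verdict = "conditional_access_device_state"
    elif err.get("error") == "interaction_required":
        verdict = "interaction_required"
    else:
        verdict = "other"
    return {
        "verdict": verdict,
        "codes": codes,
        # The correlation ID lets an AAD admin locate the matching sign-in record.
        "correlation_id": err.get("correlation_id"),
        # True when a policy, not the username/password itself, rejected the login.
        "blocked_by_policy": verdict != "other",
    }

def triage_log(log_text):
    return [triage(e) for e in extract_token_errors(log_text)]

if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        print(result)
```

A `blocked_by_policy` result means re-entering the same username/password in the Generic service connection will not help; the options are the two listed in the reply above.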

 

Hi @DavidJen 

Thanks for the extra detail. As you mentioned, an AAD admin definitely will not grant me legacy access so a service principal account is the way to go.

 

Thanks!

Jordan
