jhoolachan
Frequent Visitor

"Power Platform Export Solution" task error

Hello,

I am trying to build out a small POC pipeline that includes the "Power Platform Export Solution" task via a "Generic" service connection, but I am seeing the error below. I am pretty positive my credentials are correct, so I'm not sure what the issue is, and I don't understand the following line in particular:

"USER intervention required but not permitted by prompt behavior"

Any suggestions?
Thanks!

------
##[error]Failed to connect to instance: https://{instance}.crm.dynamics.com/. Please verify your credentials for *** and instance url.
ERROR REQUESTING Token FROM THE Authentication context - USER intervention required but not permitted by prompt behavior
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01
Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7
Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to connect to CRM: Response status code does not indicate success: 400 (BadRequest).
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01
Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7
Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to Login to Dynamics CRM
Unable to Login to Dynamics CRM
1 ACCEPTED SOLUTION

Accepted Solutions
M365Architect
Frequent Visitor

Hi @jhoolachan ,

 
Are you using the Service Account for connecting to the Power Platform environment? If not, you need to use a service account to bypass the MFA requirement.
 
The process to set up the service account is mentioned in the URL below, where a PowerShell script has to be executed.
 
I hope this helps to resolve the issue.
Kindly "Accept as solution" if this provides guidance to proceed.
 
 


Hi @M365Architect 

I'm trying to use a Generic service connection with username/password, so that is probably it. Out of curiosity, does the error mean that a Generic connection will never work with Power Platform Build Tools in general, or does it mean my organization requires MFA so a Generic connection will not work with that specific restriction?

Thanks!

 

Hi @jhoolachan 

 

Generic service connections (i.e. username/password authentication) will work IF your user credential's AAD config allows for it. Many AAD admins do configure their user accounts to require additional security/identity confirmation like 2FA/MFA etc.; summarily known as Conditional Access.

 

This is also what happened in your authN attempt via the Build Tools tasks: the particular user account seems to be configured to require a login to come from a domain joined PC/device, but the Azure DevOps build agents are typically not domain joined (certainly not the AzDO hosted agents).

From the error log:

 

USER intervention required but not permitted by prompt behavior AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.

 

Two approaches to work around that:

a) ask the AAD admin to remove those stricter security requirements for that particular user, i.e. enable "Legacy Access"
b) in many enterprises, the above isn't a tolerable approach. Instead, authenticate to CDS using an AppID/AppUser (aka SPN) and a client secret, as @M365Architect  suggested earlier.
More info: https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools#configure-service-connections...
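
A triage helper for the failure discussed above, as an added example that is not part of any post in this thread: it pulls the JSON error body out of the task log and flags sign-ins blocked by Conditional Access. The function names and every code other than 53001 are additions assumed here, not taken from the thread.

```python
import json
import re

# AADSTS codes raised when Conditional Access or MFA blocks a sign-in that
# cannot prompt. 53001 is from this thread; the others are added here.
CA_CODES = {
    50076: "MFA required",
    53000: "device not compliant",
    53001: "device not domain joined",
    53003: "blocked by Conditional Access",
}

def extract_error_body(log_text):
    """Return the first JSON error object embedded in the task log, or None."""
    decoder = json.JSONDecoder()
    for m in re.finditer(r'\{"error"', log_text):
        try:
            return decoder.raw_decode(log_text, m.start())[0]
        except json.JSONDecodeError:
            continue  # truncated or malformed body, try the next candidate
    return None

def triage(log_text):
    """Classify a failed token request found in a pipeline task log."""
    body = extract_error_body(log_text)
    if body is None:
        return {"verdict": "no-token-error-found"}
    codes = body.get("error_codes", [])
    reasons = sorted(CA_CODES[c] for c in codes if c in CA_CODES)
    blocked = bool(reasons) or body.get("error") == "interaction_required"
    return {
        "verdict": "conditional-access-block" if blocked else "other-auth-error",
        "codes": codes,
        "reasons": reasons,
        "correlation_id": body.get("correlation_id"),  # for the AAD sign-in log
        "advice": ("use a service principal connection" if blocked
                   else "check credentials and instance URL"),
    }

# Constructed sample, shortened from the log posted in the thread.
SAMPLE = (
    "##[error]Failed to connect to instance: https://{instance}.crm.dynamics.com/.\n"
    'Response status code does not indicate success: 400 (BadRequest). => {"error":'
    '"interaction_required","error_description":"AADSTS53001: Device is not in '
    r'required device state: domain_joined.\r\nTimestamp: 2020-10-03 13:35:39Z",'
    '"error_codes":[53001],"correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7"}: Unknown error'
)
if __name__ == "__main__":
    print(triage(SAMPLE))
```
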

 

Hi @DavidJen 

Thanks for the extra detail. As you mentioned, an AAD admin definitely will not grant me legacy access so a service principal account is the way to go.

 

Thanks!

Jordan
