Hi @jhoolachan ,
I'm trying to use a Generic service connection with username/password, so that is probably it. Out of curiosity, does the error mean that a Generic connection will never work with Power Platform Build Tools in general, or does it mean my organization requires MFA, so a Generic connection will not work with that specific restriction?
Generic service connections (i.e. username/password authentication) will work IF your user credential's AAD config allows for it. Many AAD admins do configure their user accounts to require additional security/identity confirmation like 2FA/MFA etc., summarily known as Conditional Access.
This is also what happened in your authN attempt via the Build Tools tasks: the particular user account seems to be configured to require a login to come from a domain joined PC/device, but the Azure DevOps build agents are typically not domain joined (certainly not the AzDO hosted agents).
From the error log:
USER intervention required but not permitted by prompt behavior AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Two approaches to work around that:
a) ask the AAD admin to remove those stricter security requirements for that particular user, i.e. enable "Legacy Access"
b) in many enterprises, the above isn't a tolerable approach. Instead, authenticate to CDS using an AppID/AppUser (aka SPN) and a client secret, as @M365Architect suggested earlier.
More info: https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools#configure-service-connections...
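To make the two options concrete, here is an added pipeline fragment (not from the original post and not Microsoft's sample) contrasting the Generic username/password connection, which fails under a device-based Conditional Access policy on a non-domain-joined hosted agent, with the application user (SPN + client secret) connection recommended in (b). The task names, the `authenticationType` values and the connection names `cds-generic-user` and `cds-app-user` are assumptions; check them against the Build Tools task reference linked above before use.

```yaml
# Assumed Azure DevOps YAML using Power Platform Build Tools tasks.
# Hosted agents are not domain joined, so the first job trips the
# AADSTS53001 "domain_joined" Conditional Access check for a user account.
trigger: none

pool:
  vmImage: 'windows-latest'   # hosted agent: never domain joined

jobs:
- job: GenericUserConnection_Fails
  displayName: 'Username/password (Generic) connection - blocked by Conditional Access'
  steps:
  - task: PowerPlatformToolInstaller@2
  - task: PowerPlatformWhoAmi@2
    inputs:
      authenticationType: 'PowerPlatformEnvironment'   # Generic service connection
      PowerPlatformEnvironment: 'cds-generic-user'     # assumed connection name
    # Expected under the policy from the log: AADSTS53001, device not domain_joined.

- job: AppUserConnection_Works
  displayName: 'Application user (SPN + client secret) connection'
  steps:
  - task: PowerPlatformToolInstaller@2
  - task: PowerPlatformWhoAmi@2
    inputs:
      authenticationType: 'PowerPlatformSPN'   # service principal connection
      PowerPlatformSPN: 'cds-app-user'         # assumed connection name
    # Client-credential tokens carry no user/device claims, so the
    # domain_joined policy does not apply; the secret lives in the
    # service connection, not in the pipeline definition.
```

The Power Platform WhoAmI task is a cheap way to validate a service connection before wiring real export/import steps behind it: if the SPN job succeeds and the Generic job fails with an AADSTS53001 error, the blocker is the Conditional Access policy rather than the Build Tools themselves. The application user still needs to be created in the target environment and granted a security role; the SPN authenticates, but Dataverse authorises it through that role.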
Thanks for the extra detail. As you mentioned, an AAD admin definitely will not grant me legacy access so a service principal account is the way to go.