
"Power Platform Export Solution" task error

Hello,

I am trying to build out a small POC pipeline that includes the "Power Platform Export Solution" task via a "Generic" service connection but I am seeing the error below. I am pretty positive my credentials are correct so I'm not sure what the issue is and don't understand the following line in particular:

"USER intervention required but not permitted by prompt behavior"

Any suggestions?
Thanks!

------
##[error]Failed to connect to instance: https://{instance}.crm.dynamics.com/. Please verify your credentials for *** and instance url.
ERROR REQUESTING Token FROM THE Authentication context - USER intervention required but not permitted by prompt behavior
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01
Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7
Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to connect to CRM: Response status code does not indicate success: 400 (BadRequest).
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01
Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7
Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to Login to Dynamics CRM
Unable to Login to Dynamics CRM
Hi @jhoolachan ,

 
Are you using the Service Account for connecting to the Power Platform environment? If not, you need to use a service account to bypass the MFA requirement.
 
The process to set up the service account is mentioned in the below URL, where a PowerShell script has to be executed.
 
I hope this helps to resolve the issue.
Kindly "Accept as solution" if this provides guidance to proceed.
 
 


Hi @M365Architect 

I'm trying to use a Generic service connection with username/password so that is probably it. Out of curiosity, does the error mean that a Generic connection will never work with Power Platform Build Tools in general, or does it mean my organization requires MFA so a Generic connection will not work with that specific restriction?

Thanks!

 

Hi @jhoolachan 

 

Generic service connections (i.e. username/password authentication) will work IF your user credential's AAD config allows for it. Many AAD admins do configure their user accounts to require additional security/identity confirmation like 2FA/MFA etc.; summarily known as Conditional Access.

 

This is also what happened in your authN attempt via the Build Tools tasks: the particular user account seems to be configured to require a login to come from a domain joined PC/device, but the Azure DevOps build agents are typically not domain joined (certainly not the AzDO hosted agents).

From the error log:

 

USER intervention required but not permitted by prompt behavior AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.

 

Two approaches to work around that:

a) ask the AAD admin to remove those stricter security requirements for that particular user, i.e. enable "Legacy Access"
b) in many enterprises, the above isn't a tolerable approach. Instead, authenticate to CDS using an AppID/AppUser (aka SPN) and a client secret, as @M365Architect  suggested earlier.
More info: https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools#configure-service-connections...
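
Added example (not part of the original thread or of the Build Tools): a small Python triage helper that pulls the token-endpoint JSON out of a pipeline log like the one in the question and reports whether a Conditional Access or MFA control, rather than a wrong password, stopped the sign-in. The sample log is constructed from the error above, the function names are hypothetical, and the AADSTS code meanings are taken from Microsoft's public error reference.

```python
import json

# Constructed sample: the failure from the question, shortened to one line.
SAMPLE_LOG = (
    '##[error]Failed to connect to instance: https://{instance}.crm.dynamics.com/. '
    'Response status code does not indicate success: 400 (BadRequest). => '
    '{"error":"interaction_required","error_description":"AADSTS53001: Device is '
    'not in required device state: domain_joined.","error_codes":[53001],'
    '"correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7",'
    '"suberror":"message_only"}: Unknown errorUnable to connect to CRM'
)

# AADSTS codes that indicate a policy control (Conditional Access / MFA)
# blocked a non-interactive username/password sign-in.
POLICY_CODES = {
    50076: "MFA required",
    50079: "MFA enrollment required",
    53000: "device not compliant",
    53001: "device not domain joined",
    53003: "blocked by Conditional Access",
}

def extract_token_error(log_text):
    """Return the first JSON object in the log that has an 'error' key, else None."""
    decoder = json.JSONDecoder()
    pos = log_text.find("{")
    while pos != -1:
        try:
            obj, _ = decoder.raw_decode(log_text, pos)
            if isinstance(obj, dict) and "error" in obj:
                return obj
        except json.JSONDecodeError:
            pass  # a brace that is not JSON, e.g. the {instance} URL placeholder
        pos = log_text.find("{", pos + 1)
    return None

def triage(log_text):
    """Classify a failed pipeline sign-in from its log text."""
    err = extract_token_error(log_text)
    if err is None:
        return {"verdict": "no_token_error_found"}
    codes = err.get("error_codes", [])
    reasons = {c: POLICY_CODES[c] for c in codes if c in POLICY_CODES}
    verdict = "conditional_access_block" if reasons else "other_auth_error"
    return {"verdict": verdict, "reasons": reasons, "error": err.get("error"),
            "correlation_id": err.get("correlation_id")}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `conditional_access_block` verdict means retrying the same username/password connection will keep failing; the correlation ID is what an AAD admin needs to find the matching sign-in event.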

 

Hi @DavidJen 

Thanks for the extra detail. As you mentioned, an AAD admin definitely will not grant me legacy access so a service principal account is the way to go.

 

Thanks!

Jordan
