Solved: Re: hNRe: "Power Platform Export Solution" task er...

jhoolachan · ‎10-05-2020

Hello,

I am trying to build out a small POC pipeline that includes the "Power Platform Export Solution" task via a "Generic" service connection but I am seeing the error below. I am pretty positive my credentials are correct so I'm not sure what the issue and don't understand the following line in particular:

"USER intervention required but not permitted by prompt behavior"

Any suggestions?
Thanks!

------
##[error]Failed to connect to instance: https://{instance}.crm.dynamics.com/. Please verify your credentials for *** and instance url.

ERROR REQUESTING Token FROM THE Authentication context - USER intervention required but not permitted by prompt behavior

AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.

Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01

Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7

Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to connect to CRM: Response status code does not indicate success: 400 (BadRequest).

AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.

Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01

Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7

Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to Login to Dynamics CRM

Unable to Login to Dynamics CRM

M365Architect · ‎10-06-2020

Hi @jhoolachan ,

Are you using the Service Account for connecting to the Power Platform environment? If not, you need to use a service account to bypass the MFA requirement.

The process the setup the service account is mentioned in the below url where a PowerShell Script has to be executed.

https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools

I hope this helps to resolve the issue.

Kindly "Accept as solution" if this provides guidance to proceed.

View solution in original post

M365Architect · ‎10-06-2020

Hi @jhoolachan ,

Are you using the Service Account for connecting to the Power Platform environment? If not, you need to use a service account to bypass the MFA requirement.

The process the setup the service account is mentioned in the below url where a PowerShell Script has to be executed.

https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools

I hope this helps to resolve the issue.

Kindly "Accept as solution" if this provides guidance to proceed.

View solution in original post

jhoolachan · ‎10-06-2020

Hi @M365Architect

I'm trying to use a Generic service connection with username/password so that is probably it. Out of curiosity, does the area mean that a Generic connection will never work with Power Platform Build Tools in general or does it mean my organization requires MFA so a Generic connection will not work with that specific restriction?

Thanks!

DavidJen · ‎10-07-2020

Hi @jhoolachan

Generic service connections (i.e. username/password authentication) will work IF your user credential's AAD config allows for it. Many AAD admins do configure their user accounts to require additional security/identity confirmation like 2FA/MFA etc.; summarily known as Conditional Access

This is also what happened in your authN attempt via the Build Tools tasks: the particular user account seems to be configured to require a login to come from a domain joined PC/device, but the Azure DevOps build agents are typically not domain joined (certainly not the AzDO hosted agents).

From the error log:

USER intervention required but not permitted by prompt behavior AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.

Two approaches to work around that:

a) ask the AAD admin to remove those stricter security requirements for that particular user, i.e. enable "Legacy Access"
b) in many enterprises, the above isn't a tolerable approach. Instead, authenticate to CDS using an AppID/AppUser (aka SPN) and a client secret, as @M365Architect suggested earlier.
More info: https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools#configure-service-connections...

jhoolachan · ‎10-07-2020

Hi @DavidJen

Thanks for the extra detail. As you mentioned, an AAD admin definitely will not grant me legacy access so a service principal account is the way to go.

Thanks!

Jordan

"Power Platform Export Solution" task error

Helpful resources

New Solution Badges!

Congratulations!

Power Apps Community Call: February

Microsoft Ignite