"Power Platform Export Solution" task error

Hello,

I am trying to build out a small POC pipeline that includes the "Power Platform Export Solution" task via a "Generic" service connection, but I am seeing the error below. I am pretty positive my credentials are correct, so I'm not sure what the issue is and don't understand the following line in particular:

"USER intervention required but not permitted by prompt behavior"

Any suggestions?
Thanks!

------
##[error]Failed to connect to instance: https://{instance}.crm.dynamics.com/. Please verify your credentials for *** and instance url.
ERROR REQUESTING Token FROM THE Authentication context - USER intervention required but not permitted by prompt behavior
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01
Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7
Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to connect to CRM: Response status code does not indicate success: 400 (BadRequest).
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01
Correlation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7
Timestamp: 2020-10-03 13:35:39Z => Response status code does not indicate success: 400 (BadRequest). => {"error":"interaction_required","error_description":"AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.\r\nTrace ID: 4f3ea847-eae1-43b4-853d-68850b9e9e01\r\nCorrelation ID: 1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7\r\nTimestamp: 2020-10-03 13:35:39Z","error_codes":[53001],"timestamp":"2020-10-03 13:35:39Z","trace_id":"4f3ea847-eae1-43b4-853d-68850b9e9e01","correlation_id":"1e15c054-91c4-4fa9-ae2a-c06cdaa42bc7","error_uri":"https://login.microsoftonline.com/error?code=53001","suberror":"message_only"}: Unknown errorUnable to Login to Dynamics CRM
Unable to Login to Dynamics CRM
1 ACCEPTED SOLUTION


Hi @jhoolachan ,

 
Are you using the Service Account for connecting to the Power Platform environment? If not, you need to use a service account to bypass the MFA requirement.
 
The process to set up the service account is mentioned in the below URL, where a PowerShell script has to be executed.
 
I hope this helps to resolve the issue.
Kindly "Accept as solution" if this provides guidance to proceed.
 
 

Hi @M365Architect 

I'm trying to use a Generic service connection with username/password, so that is probably it. Out of curiosity, does the error mean that a Generic connection will never work with Power Platform Build Tools in general, or does it mean my organization requires MFA so a Generic connection will not work with that specific restriction?

Thanks!

 

Hi @jhoolachan 

 

Generic service connections (i.e. username/password authentication) will work IF your user credential's AAD config allows for it. Many AAD admins do configure their user accounts to require additional security/identity confirmation like 2FA/MFA etc.; summarily known as Conditional Access.

 

This is also what happened in your authN attempt via the Build Tools tasks: the particular user account seems to be configured to require a login to come from a domain joined PC/device, but the Azure DevOps build agents are typically not domain joined (certainly not the AzDO hosted agents).

From the error log:

 

USER intervention required but not permitted by prompt behavior AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.

 

Two approaches to work around that:

a) ask the AAD admin to remove those stricter security requirements for that particular user, i.e. enable "Legacy Access"
b) in many enterprises, the above isn't a tolerable approach. Instead, authenticate to CDS using an AppID/AppUser (aka SPN) and a client secret, as @M365Architect  suggested earlier.
More info: https://docs.microsoft.com/en-us/power-platform/alm/devops-build-tools#configure-service-connections...
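
A triage sketch for the failure explained above, as an added example that is not part of the original thread: it pulls the JSON error payload out of a task log and flags Azure AD codes that a username/password connection cannot satisfy from a build agent. The log sample is constructed from the error in the question with a placeholder trace ID; the function names and the code table are assumptions of this example.

```python
import json
import re

# Constructed sample shaped like the log in the question (placeholder trace ID).
SAMPLE_LOG = (
    'Response status code does not indicate success: 400 (BadRequest). => '
    '{"error":"interaction_required","error_description":"AADSTS53001: '
    'Device is not in required device state: domain_joined.\\r\\n'
    'Trace ID: 00000000-0000-0000-0000-000000000000",'
    '"error_codes":[53001],"suberror":"message_only"}: Unknown error'
)

# Azure AD codes a username/password sign-in from a build agent cannot satisfy
# (this table is an assumption of the example and is not exhaustive).
CONDITIONAL_ACCESS_CODES = {
    50076: "multi-factor authentication required",
    53000: "device must be compliant",
    53001: "device must be domain joined",
    53003: "blocked by a Conditional Access policy",
}

def extract_aad_errors(log_text):
    """Yield each JSON error object embedded in free-form log text."""
    decoder = json.JSONDecoder()
    for match in re.finditer(r'\{"error"', log_text):
        try:
            obj, _ = decoder.raw_decode(log_text, match.start())
        except json.JSONDecodeError:
            continue  # truncated payload: skip rather than guess
        if isinstance(obj, dict):
            yield obj

def triage(log_text):
    """Return one finding per distinct error code (the task log repeats payloads)."""
    findings, seen = [], set()
    for err in extract_aad_errors(log_text):
        for code in err.get("error_codes", []):
            if code in seen:
                continue
            seen.add(code)
            blocked = code in CONDITIONAL_ACCESS_CODES
            findings.append({
                "code": code,
                "conditional_access": blocked,
                "reason": CONDITIONAL_ACCESS_CODES.get(code, err.get("error", "unknown")),
                "advice": "switch the service connection to an app ID and client secret"
                          if blocked else "re-check the username, password and instance URL",
            })
    return findings
```

Calling `triage(SAMPLE_LOG)` returns a single finding for code 53001 even when the task prints the same payload more than once, as it does in the log above.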

 

Hi @DavidJen 

Thanks for the extra detail. As you mentioned, an AAD admin definitely will not grant me legacy access so a service principal account is the way to go.

 

Thanks!

Jordan
