Darren137227
Resolver I

Does not have authorization to perform action 'Microsoft.Automation/automationAccounts/jobs/write' over scope

Hi,

We have created a flow that is kicked off via a button in a canvas Power App, which passes a parameter of AccountName.
This is used as a Runbook parameter for the PowerShell script within the Runbook called 'EnableAccount', which requires an accountName param.
The flow has an Azure AD connection which basically calls the runbook job.
The job enables an account in an on-prem AD, so we have a Hybrid Automation worker group.
Let's say the account that enables the account in AD on prem is AccountA (credentials specified in the runbook etc.).
The Automation account is AccountB (has read over scope permission).
The Create Job connection account is AccountC (has write over scope permission).

The issue is, since AccountC has the correct permission (write over permissions scope), when AccountC uses the canvas app and clicks the button to fire off the flow (to enable the account), the flow runs without error, the runbook runs OK and the account is enabled.
However, when a normal user (with permission to the canvas app) clicks the button, the flow fails with the error:

Does not have authorization to perform action 'Microsoft.Automation/automationAccounts/jobs/write' over scope

We're not understanding why the flow is not using the AccountC credentials specified in the Create Job connection and is instead trying to use the credentials of the user who initiated the flow.
We do not want to have to give all users who need to use the app write over scope, but instead only have the account specified for the connection do the work and make the connection.

Our Create Job connection is set up as below:
Any help in understanding the setup and why this is happening is highly appreciated.


1 ACCEPTED SOLUTION
OK, so I've managed to resolve this.
The reason why the flow is ignoring Account C and running under the user is because the workflow is being triggered directly from a canvas app. Therefore, I split the workflow into two. One, called Start Account Action, is triggered from the canvas app button. This asks for the account name param from the canvas app. I then have a child workflow that is called. This child workflow has the AD actions/connections, and is also passed the account name (the param from the Start Account Action workflow) as a variable. This is set as the input to the child workflow, which requires an account name input.
On the child workflow I set the Run only user as the Account C account. DO NOT set it to 'Provided by run-only user'.
Now this worked for Account C when it ran the app, but not for other users. The Start Account Action workflow wouldn't trigger from the canvas app.
So I added the users that need to run the workflow/access the app as run-only users but specified Account C for the AD connections (not 'Provided by run-only user'), so it didn't run under the user. This worked.

To make things easier to administer, I created a Dataverse team under Security/Teams, added all the users that needed to run the workflow/use the app to the team, and specified the team under Run only users in the flow configuration (Run only users section), making sure it used the Account C connection.

Works a treat!!! Hopefully this will help someone out. This way you don't have to give users the Contributor/Azure Automation Operator role (write over scope) under the Automation account.
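As an added check that is not part of the thread: once the Create Job step sits in the child flow behind Account C's connection, you can confirm that Account C is the only identity whose effective role assignments on the Automation account grant `Microsoft.Automation/automationAccounts/jobs/write`, i.e. that ordinary app users no longer need write over scope. This assumes the Az PowerShell module and an existing Connect-AzAccount session; the subscription, resource group and account names are placeholders.

```powershell
# Added example (not from the thread): list every principal whose effective role
# assignments on the Automation account grant the jobs/write action.
# Requires the Az module and an active Connect-AzAccount session.
# Placeholder names; replace with your own values.
$Subscription   = '<subscription-id>'
$ResourceGroup  = '<resource-group>'
$AutomationAcct = '<automation-account>'
$RequiredAction = 'Microsoft.Automation/automationAccounts/jobs/write'

$Scope = "/subscriptions/$Subscription/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Automation/automationAccounts/$AutomationAcct"

# Azure RBAC evaluates Actions minus NotActions with '*' wildcards (e.g. '*/read'
# for Reader, 'Microsoft.Automation/*' for Contributor-like roles); PowerShell's
# -like operator applies the same wildcard semantics to these strings.
# Deny assignments and ABAC conditions are not considered here.
function Test-RoleGrantsAction {
    param([Parameter(Mandatory)] $RoleDefinition, [Parameter(Mandatory)] [string] $Action)
    $allowed = @($RoleDefinition.Actions    | Where-Object { $Action -like $_ }).Count
    $denied  = @($RoleDefinition.NotActions | Where-Object { $Action -like $_ }).Count
    return ($allowed -gt 0) -and ($denied -eq 0)
}

# -Scope returns assignments effective at this scope, including those inherited
# from the resource group, subscription or management group.
$roleCache = @{}
$holders = foreach ($assignment in Get-AzRoleAssignment -Scope $Scope) {
    $id = $assignment.RoleDefinitionId
    if (-not $roleCache.ContainsKey($id)) {
        $roleCache[$id] = Get-AzRoleDefinition -Id $id
    }
    if (Test-RoleGrantsAction -RoleDefinition $roleCache[$id] -Action $RequiredAction) {
        [pscustomobject]@{
            Principal = $assignment.DisplayName
            SignIn    = $assignment.SignInName
            Type      = $assignment.ObjectType        # User, Group or ServicePrincipal
            Role      = $assignment.RoleDefinitionName
            GrantedAt = $assignment.Scope             # broader than $Scope means inherited
        }
    }
}

# Expected after the fix: only the connection account (AccountC in the thread) and
# any admin groups appear; the users who merely run the canvas app should not.
$holders | Sort-Object Type, Principal | Format-Table -AutoSize
```

Group assignments are listed as a single Group row, so check membership of any group shown separately; an app user who is a member of such a group still effectively holds jobs/write.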

2 REPLIES
Darren137227
Resolver I

Can anyone help on this?
