Tag: Dynamics 365

Filter rows and Trigger Conditions in Power Automate


Filter rows and Trigger Conditions can be used to specify the condition on which the trigger should fire. This makes sure that we do not exceed flow execution limits.

Power Automate Licensing – Power Platform Requests

Power Automate Limits and Configuration

In the case of our Dataverse trigger “When a row is added, modified or deleted” we can make use of either Filter rows or Trigger Conditions, as we have both options available.

We’d be using Trigger Conditions for those triggers where we do not have additional property to specify the filter condition.

E.g. we want the flow to run only on a specific file in a library or based on the extension of the file as nicely explained here

https://tomriha.com/trigger-power-automate-flow-only-on-specific-file-in-a-library/

https://www.enjoysharepoint.com/trigger-conditions-in-power-automate/

Now out of curiosity, we tried specifying both Filter rows and Trigger conditions to see how it behaves.

Here for the same trigger we have specified Filter Rows as below

address1_city eq ‘Ahmedabad’

And Trigger Conditions as below

@equals(triggerOutputs()?[‘body/companyname’], ‘MS’)

During our test, we observed that the trigger is firing only when both the conditions or expressions, specified in Filter Rows as well as Trigger Conditions are true.

So basically it will only fire for those rows or records having Company as MS and City equal to Ahmedabad.

It will not fire if either of Filter Rows or Trigger Conditions expression evaluate to be false.

Hope it helps..

Advertisements

Fixed – Authorization failed. The client with object id does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/subcriptions’ while configuring Azure Synapse Link for Dataverse


Recently while configuring Azure Synapse Link for Dataverse, for exporting data to Azure Data Lake we got the below error –

{“code”:”AuthorizationFailed”,”message”:”The client ‘abc’ with object id ‘d56d5fbb-0d46-4814-afaa-e429e5f252c8’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/subscriptions/30ed4d5c-4377-4df1-a341-8f801a7943ad/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/saazuredatalakecrm/providers/Microsoft.Authorization/roleAssignments/2eb81813-3b38-4b2e-bc14-f649263b5fcf’ or the scope is invalid. If access was recently granted, please refresh your credentials.”}


As well as the below error –


As the error suggests the error was because the user account used was not having the appropriate role(s) assigned.

The user needs to have the Owner as well as Blob Storage Data Contributor role on the Azure Data Lake Storage Gen2 account.

Also check –

https://nishantrana.me/2020/09/07/error-access-to-the-resource-is-forbidden-while-trying-to-connect-to-azure-data-lake-storage-gen2-using-power-bi-desktop/

https://nishantrana.me/2021/06/24/fixed-authorizationfailed-the-client-with-object-id-does-not-have-authorization-to-perform-action-microsoft-authorization-roleassignments-write-over-scope-storageaccou/

https://docs.microsoft.com/en-us/power-apps/maker/data-platform/azure-synapse-link-synapse#prerequisites

Hope it helps..

Advertisements

How to – Create Administrative User Account for managing user / security roles, in Dynamics 365 / CRM


We recently wanted to create user accounts in CRM for managing users and their roles inside CRM, without accessing any of the data or functionality.

Below are the steps we can follow to achieve the same –

Login to Microsoft 365 Admin Center

https://admin.microsoft.com/#/homepage

Add a user

Temporarily assign the license to the user

In optional settings, specify either Global Admin or Dynamics 365 Administrator / Power Platform admin role.

And create the user.

Next,

Login to Power Platform Admin Center

https://admin.powerplatform.microsoft.com/

and navigate to [Environment] >> Settings >> Users

If the users is not yet synced try- https://nishantrana.me/2021/12/14/the-trick-to-force-trigger-user-sync-power-platform-dynamics-365/

Select the User and click on Client Access License (CAL) Information

Change it to Administrative and save the change.

Now back in Microsoft 365 Admin Center we can remove the license and the roles from the user’s account.

Back inside CRM the user will only have access to the Dynamics 365 – Custom app.

Inside app he gets the message No Read Privilege for data.

User will have access to following area within Settings

Inside Settings >> Security

The administrative user can see the users –

Basically when a Global or Power Platform admins having license are synced to the environment, they get the access mode of Read-Write and also System Administrator security role is assigned to them.

That is the reason why we need to change the access mode to Administrative after sync.

If they do not have license assigned, there access mode is still “Read-Write” after sync but no security roles assigned. Also the unlicensed Global and Power Platform admin will have access to the administrative areas.

Also we could create a new custom security role having access to “Security Role” table instead of assigning System Administrator or copy of system admin role.

https://docs.microsoft.com/en-us/power-platform/admin/prevent-elevation-security-role-privilege#assign-the-new-security-role-to-an-administrative-user

Get all the details here –

https://docs.microsoft.com/en-us/power-platform/admin/global-service-administrators-can-administer-without-license

Hope it helps..

Advertisements

Fixed – You do not have prvReadmsdyn_personasecurityrolemapping permission to access Persona Security Role Mapping records. Contact your Microsoft Dynamics 365 administrator for help


Recently one of the users, while accessing a few of the System User’s views, was getting the below error.

You do not have prvReadmsdyn_personasecurityrolemapping permission to access Persona Security Role Mapping records. Contact your Microsoft Dynamics 365 administrator for help.

There were a few System users’ views that were working fine.

The user had the Security Role = System Administrator, however, the Access Mode was set to Administrative.

Changing the Access Mode to Read-Write fixed the issue.

Hope it helps..

Advertisements

Security Enhancements – 24 hours maximum user session timeout in Dynamics 365 / CRM


With recent security enhancements in Customer engagement apps, the maximum user session timeout of 24 hours is removed.

https://docs.microsoft.com/en-us/power-platform/admin/user-session-management#user-session-timeout-management

Now it uses the Azure AD Session Policy to manage user session timeout, which by default has Azure AD refresh token expiration set as 90 days.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#refresh-and-session-token-lifetime-policy-properties

Refresh toke lifetime and expirationhttps://docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#refresh-token-lifetime

Use Configuring sign-in frequency in Conditional Access to define the periods before a user is required to sign-in again – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

Earlier the default session timeout used to be 24 hours with 20 minutes for warning the user – https://nishantrana.me/2017/11/17/configure-session-timeout-and-inactivity-timeout-dynamics-365/

However, we can still override the default Azure AD Session policy, by setting the session timeout and/or inactivity timeout for the individual environment.

To set the same navigate to –

Environments > [Environment] > Settings > Privacy + Security in Power Platform Admin Center.

Specify appropriate values and save the changes.

Get all the details here –

https://docs.microsoft.com/en-us/power-platform/admin/user-session-management#configure-session-timeout

Hope it helps..

 

Advertisements

Sample Code to Approve Email – Mailbox programmatically C# (Dynamics 365/CRM)


Suppose we want to Approve the Email for the mailbox of the user(s) programmatically.

We’d see the below notification for the user whose mailbox is not yet approved.

Email won’t be processed for this mailbox until the email address of the mailbox is approved by an Office 365 Global Administrator or by an Exchange Administrator. For more information, contact your system administrator.

Below is the sample code –

On running the code, we can see the notification for the email address approval removed or the mailbox approved for the user.

C# Code –

            CrmServiceClient svc = new CrmServiceClient(ConnectionString);

            if (svc.IsReady)
            {

                var systemUser = new Entity("systemuser", new Guid("C48A539A-F493-EC11-B400-000D3A4F37D3"));

                // emailrouteraccessapproval - status of the primary email address
                //0	= Empty, 1 = Approved, 2 = Pending Approval, 3 = Rejected
                systemUser.Attributes["emailrouteraccessapproval"] = new OptionSetValue(1);

                svc.Update(systemUser)

The code should run under the context of the user who has either Global Admin or Exchange Admin role.

Hope it helps..

Advertisements