We recently encountered the following solution import error while trying to import a solution containing Connection Reference components.

Import failed: Request failed with: Forbidden and error: {"error":{"code":"ConnectionAuthorizationFailed","message":"The caller with object id 'xxxx-xxx-xxxxx-xxxx' does not have the minimum required permission to perform the requested operation on connection 'xxxxxxx' under API 'shared_microsoftteams'."}}

From the error message, it’s clear that the user attempting to import the solution does not have the minimum required permissions to access the connection.

However, the peculiar aspect here is that the GUID mentioned in the ‘caller with object id’ part of the message was nowhere to be found in the ‘systemusers’ table of Dataverse.

Let me reproduce the issue and demonstrate how the fix worked for me.

Create a new Dataverse solution:

  • Create a new solution and add a new Connection Reference component.
  • I’ve added ‘Microsoft Teams’ as a connector, created a new connection as shown below and named my connection reference cnrfTeams.
  • Create a new flow and include the List teams action. If you expand the menu, you will notice that the cnrfTeams connection reference is automatically mapped.
  • Let's export the solution as Managed and import it into a different environment.
  • During the import process, you will receive a prompt to create a new connection because your solution includes the cnrfTeams connection reference.
  • Create a new connection on the target environment and map it as below.
  • After importing the solution, you can see the installed solution as shown below.
  • At this juncture, please note that I constructed the solution in my Development environment and then imported it into a Testing environment. As a result, I will be the owner of all components, including ‘Connection Reference’ and ‘Connection’.

Cause of the issue:

Let me explain how the ConnectionAuthorizationFailed issue appeared and how we resolved it.

To sum up our actions until now, the user ‘Rajeev Pentyala’ created the solution and imported it into the Test environment, making him the owner of all the imported solution components. This includes the new connection that was established during the solution import.

After a few weeks, the team chose to automate the solution import process using DevOps pipelines. Consequently, a pipeline was set up with a solution import task, and the pipeline runs under a Service Account by utilizing the ‘service connection’ as configured below.

While running the pipeline, the solution import task failed with the ConnectionAuthorizationFailed issue.

The issue arises because the pipeline runs under a Service Account. When the pipeline tries to update an existing solution, it lacks access to the Connection created by the user ‘Rajeev Pentyala’. This results in a failure with the error message: ‘The caller with object id ‘xxxx-xxx-xxxxx-xxxx’ does not have sufficient permissions for the requested connection operation.’

Fix:

Now that the cause is clear, the fix is straightforward: before you run the pipeline under the ‘Service Account’, share the ‘Connections’ with the ‘Service Account’ in the target environment (i.e., Test).

  • Rerun the pipeline and it should work now.

In summary, when updating an existing solution on the target environment through pipelines or pac CLI, connections must be shared with the account under which the pipeline or pac CLI commands are being executed.
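
To find out which connection has to be shared with which account, a pipeline log can be scanned for this error. The script below is an added example, not part of the original post or of any Microsoft tooling. It assumes the log contains lines in the error format shown at the top of this post; the function name, the sample log and every id in it are constructed placeholders.

```python
import json
import re

# Error format taken from the message in this post; every id below is a
# constructed placeholder, as is the surrounding log.
TEMPLATE = (
    'Import failed: Request failed with: Forbidden and error: {"error":{"code":'
    '"ConnectionAuthorizationFailed","message":"The caller with object id \'%s\' '
    'does not have the minimum required permission to perform the requested '
    'operation on connection \'%s\' under API \'%s\'."}}'
)
SAMPLE_IDS = ("00000000-0000-0000-0000-000000000001",
              "placeholder-connection-id", "shared_microsoftteams")
SAMPLE_LOG = "\n".join([
    "Starting solution import (constructed log line)",
    TEMPLATE % SAMPLE_IDS,
    TEMPLATE % SAMPLE_IDS,  # the same failure logged twice
    'Import failed: Request failed with: BadRequest and error: '
    '{"error":{"code":"OtherError","message":"unrelated"}}',
])

MESSAGE_RE = re.compile(
    r"caller with object id '(?P<caller>[^']+)'.*?"
    r"on connection '(?P<connection>[^']+)' under API '(?P<api>[^']+)'"
)

def connections_to_share(log_text):
    """Return unique (caller, connection, api) tuples from authorization failures."""
    found = []
    for line in log_text.splitlines():
        start = line.find('{"error"')
        if start == -1:
            continue
        try:
            # raw_decode tolerates trailing text after the JSON payload
            payload, _ = json.JSONDecoder().raw_decode(line, start)
        except ValueError:
            continue  # truncated payload: skip rather than guess
        err = payload["error"]
        if not isinstance(err, dict) or err.get("code") != "ConnectionAuthorizationFailed":
            continue
        m = MESSAGE_RE.search(str(err.get("message", "")))
        item = m and (m["caller"], m["connection"], m["api"])
        if item and item not in found:
            found.append(item)
    return found

if __name__ == "__main__":
    for caller, connection, api in connections_to_share(SAMPLE_LOG):
        print(f"Share connection {connection} ({api}) with principal {caller}")
```

Each tuple returned names the caller object id from the error, the connection it could not use, and the connector API, which is the information needed to share that connection in the target environment.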

🙂
