Support for cases where transitive attributions in http call are not supported

[MgNa-H2O]

Does this bug already exist in our backlog?

• I have checked and confirm this is a new bug.

Describe the issue

We have a failed flow CLEANUP HELPER - Power Apps User Shared With for all of our environments. Please help to look into it, thank you.

The error message is "Unable to process template language expressions in action 'Tenant_Has_Guests' inputs at line '0' and column '0': 'The template language expression 'if(equals(length(outputs('Get_Tenant')?['body/value']), 0), false, coalesce(first(outputs('Get_Tenant')?['body/value'])['admin_grouphasguestusers'], false))' cannot be evaluated because property 'admin_grouphasguestusers' doesn't exist, available properties are '@odata.type, @odata.id, @odata.etag, @odata.editLink, admin_powerplatformuserid@odata.type, admin_powerplatformuserid, admin_groupsize@OData.Community.Display.V1.FormattedValue, admin_groupsize'. Please see https://aka.ms/logicexpressions for usage details.'."

Expected Behavior

The flow ran without error.

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.31

What app or flow are you having the issue with?

CLEANUP HELPER - Power Apps User Shared With

What method are you using to get inventory and telemetry?

Cloud flows

Steps To Reproduce

No response

Anything else?

Here is the screenshot of the error flow.

AB#3246

[Jenefer-Monroe]

Looks like you don;t have the Tenant user in the list yet.
Please go run the following flow: CLEANUP - Admin | Sync Template v3 (Orphaned Users)
That will add the tenant as a user

[MgNa-H2O]

Hi @Jenefer-Monroe Thanks for your quick feedback.
I have checked based on the screenshot you provided, the tenant is already there even without the flow's running. Any idea why the flow CLEANUP HELPER - Power Apps User Shared With still failed?

[Jenefer-Monroe]

Please do go ahead and run the orphaned user flow. It will also clean up malformed records there as we used to store them a different way.

[MgNa-H2O]

Sounds good, we will try it, thank you so much @Jenefer-Monroe

[MgNa-H2O]

We ran the flow CLEANUP - Admin | Sync Template v3 (Orphaned Users) but unfortunately received the error as the following screenshot. It seems like the flow can find the group but could not process further. Would you please help to look into it? @Jenefer-Monroe Thank you!

[Jenefer-Monroe]

Looks like we got past that first issue with the Tenant and are on to something new here.

What is the error output from this call? Note that the error in yellow is just the first error the flow encountered which was, in this case, a caught error. So you'll need to look at the output of the action itself to see the error at hand.

[MgNa-H2O]

Hi @Jenefer-Monroe
This is the output value from this call. It looks like the flow found the group but could not list group member. Please help to look at the following screenshot. Much appreciate it.

[Jenefer-Monroe]

Do any of the groups return correctly?
If you just keep clicking next in this loop, do they all fail or just this one?

[MgNa-H2O]

If I keep clicking next to this loop, all of the groups(Total 5 groups) are failed with the same output as I showed you to the ListGroupMembersTransitive action.

[Jenefer-Monroe]

Can you please tell me, are you a regular commercial tenant? Or are you in one of the sovereign gov type clouds?

Then also what region your coe envt is in as well as its type? This can be found in the product admin pages: https://admin.powerplatform.microsoft.com/

[MgNa-H2O]

We are the regular commercial Canada tenant. The CoE environment is production environment.
There is one more insight we got from this flow. When we keep clicking those 5 groups from the loop as you mentioned from previous instructions, we find that those groups are from our 5 Teams environments, the groups in these Teams environments are not regular security group but the M365 groups. Will this cause the issue? Any thought?

[Jenefer-Monroe]

I tested around that and it did work for me for these group types.

Can you click Show raw input and paste what you see? Obfuscate the GUIDs too

{
"host": {
"connectionReferenceName": "shared_webcontents",
"operationId": "InvokeHttp"
},
"parameters": {
"request/method": "GET",
"request/url": "https://graph.microsoft.com/v1.0/groups/aaaaaaaa-aaaa-aaaa-aaaa-19ea6a0b759b/transitivemembers?$select=odata.type, id, userType"
}
}

[MgNa-H2O]

Hi here is the screenshot after I click on the "Show raw input".

{
"host": {
"connectionReferenceName": "shared_webcontents",
"operationId": "InvokeHttp"
},
"parameters": {
"request/method": "GET",
"request/url": "https://graph.microsoft.com/v1.0/groups/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/transitivemembers?$select=odata.type, id, userType",
"request/headers": {
"Accept": "text/html,application/json"
}
}
}

[VolkerSteltenkamp]

Just want to let you know that we had exactly the same error with the CLEANUP HELPER - Power Apps User Shared With flow. After re-runnnig the orphaned user flow the above error is gone for now. Thanks Jennefer for this!
I also would like to state that we don´t have any Teams envs around and having only three groups which are all security groups. Maybe this helps?

[Jenefer-Monroe]

I don't think the issue is the group type, but I could be wrong. I created these types and they worked fine.
Can you import and run the following flow and see if any groups in your tenant can do the requested action?
test-GetGroupMembershipTransitive_20240517125957.zip

We are hoping for these two numbers to be the same, but I'm wondering if your second number will be zero.

Let me know if you need help importing a flow.

[MgNa-H2O]

Thank you so much Jenefer, we will try it and get back to you.

[VolkerSteltenkamp]

Yep, you´re right, the numbers are the same here:

[MgNa-H2O]

Before we run the test solution, we are trying to understand more about the flow CLEANUP - Admin | Sync Template v3 (Orphaned Users)
, as we saw from the Power Platform Users table, there are more than 5 groups are list in the CoE Command Center app, but why in the loop to Get Groups action, there are only 5 Teams group showing up? Should be more groups as we assumed.

Any thoughts?

[Jenefer-Monroe]

It should return all rows that are set with Type = Group

Do you have other groups in the table that are not marked with Type = Group?

[MgNa-H2O]

This screenshot shows all the rows with Type = Group in the table, it matches the record from the flow Get Group action. The table has Type= User, service principal and Tenant. However, GroupHasGuestUsers options is off. Is that the cause?

[Jenefer-Monroe]

No GroupHasGuestUsers is something we populate. Its not an option so much as its us recording state.
So once we get you unblocked you'll know know which groups have Guest users, and therefore which apps are shared with Guest users.

So it looks like we'll have two issues to resolve here.

1. Can you get transitive counts in your tenant (from you running that test flow)
2. What are these 13 blanks for type.

Lets get through issue 1 then look at issue 2

[MgNa-H2O]

Hi @Jenefer-Monroe , we are working on the test flow and will back to you.

[MgNa-H2O]

Hi @Jenefer-Monroe sorry for our late reply. I finally ran the test flow, however we could not run it successfully. Here is the error message. Do you have any insight for what is the number of 2486?

[Jenefer-Monroe]

Sorry I should have added a catch here. Can you please re-import this or make this change locally?
I knew these failed sometimes, I'm trying to see how often

test-GetGroupMembershipTransitive_20240522210637.zip

[MgNa-H2O]

Hi Jenefer, thank you for your advise. We re-ran the flow and it ran successfully with the same error message.

As you expected, there is no group has passed from the test flow. Here is the screenshot.

[Jenefer-Monroe]

Thank you. I'll work to make the flow not fail for you, I'm trying to do that for the June release.

But I wont be able to get true count of users in the group, or the presence of guest users so I'll add a warning to the Sync Flow Errors table so that admins are aware they are in this state.

Can you take this flow (the test one that counts groups) to product support. Hopefully they can tell you why you are unable to use this call. So far you are the only tenant I've seen in this state. Hopefully there is some setting I'm unaware of, or something else the product team can fix up for you quickly.

[Jenefer-Monroe]

ok I've updated the flow such that if this call fails, it will get the values from the group connector. Unfortunately as I stated, while this will unblock you and allow you to get the information we used to show, you will not benefit from these changes which let you know if there are guest users with access to apps, or the true count of users an app is shared with.

As a result I will have it register a failure in the sync flow table so that admins are aware.

Please do let us know what support says about the inability to make this call. As far as I can tell there should be no reason you cannot make the call.

[MgNa-H2O]

Sounds good, thank you so much for your help Jenefer, much appreciate it.