[ALM Accelerator - QUESTION] CustomAzureDevOps connection issue with Dataverse AAD Security Group

[sefa-phaag]

What is your question?

I'm trying to roll out the ALM Accelerator app to some citizen developers and I followed the steps here to grant them the proper permissions through an AAD Security Group bound Team. However, when they attempt to launch the ALM Accelerator App, the CustomAzureDevOps connection isn't signed in. When they attempt to sign in, they are presented with a screen that can't be filled out:

This appears to be a timing issue. Looking at the members of the relevant Team, my new users don't exist yet. I know that Dataverse dynamically adds them to the team upon log in, but it appears they need some permission prior to that happening for whatever reason. When I have them log into a different app in the ALM Accelerator environment, they are added to the Team and when they relaunch the ALM Accelerator, they are able to sign into the custom connector and then continue to launch the ALM Accelerator.

While having them log into another app works, that seems like a step I shouldn't have to take. Did I miss some other step?

What component are you experiencing the issue with?

ALM Accelerator Canvas App

What solution version are you using?

October 2023

AB#321

[mikefactorial]

@sefa-phaag can you try sharing the custom connector with the user group in question as well and let me know if that makes a difference? If so, we may need to update the docs you referenced to include this step.

[mikefactorial]

@sefa-phaag closing this out since we haven't heard anything back in a while. Feel free to follow up if this is still an issue.

[CoEStarterKitBot]

@sefa-phaag This has been fixed in the latest release. Please install the latest version of the toolkit following the instructions for installing updates. Note that if you do not remove the unmanaged layers as described there you will not receive updates from us.

[kimjensen90]

@mikefactorial - I'm having a similar issue, when a new users has to access AA4PP for the first time, I'm getting this:

The user is already in a team with proper security roles and existing user have no issues connecting. Testing the custom connector also works fine.

Do you think the upgrade will fix this too?

[kimjensen90]

@mikefactorial - alright, I was able to resolve the above, but now my redirect url is causing issues. I would like to use: https://global.consent.azure-apim.net/redirect, but it is generating a unique redirect URL. I have tried resetting the authentication and re-enter the parameters, but it doesn't generate the correct redirect URL and I'm not able to change it manually.

What to do? Would an upgrade change this in any way?

[kimjensen90]

@mikefactorial - first, I was able to solve the issue altogether, so sorry for bombarding you with questions. Upgrading the AA4PP changed back the redirect URL. I enabled the unique redirect url due to this warning:

This was an issue for me, as I am not the owner of the App Registration in Azure, so I couldn't change the redirect there, which made the mismatch. Importing the upgraded solution turned the redirect back and solved the issue.

Might be good to have some kind of statement about the unique redirect and how to use it in the documentation somewhere. :-)

The first error occurred because of a wrong Resource URL, which should have been the client ID for Azure DevOps, as described in the documentation.

Just wanted to share my findings. Thanks for all your work on this!