Why?
Recently one of my customers called me about a Business App "suddenly not doing its job anymore". The Business App consists of a Power App connected to a Power Automate Flow. The Flow had been working fine for a few weeks, triggered by the push of a button in the Power App. Without any change to either the Power App or the Flow, we saw the Flow failing, but only for one specific user.
What?
When opening the failed flow the notification was:
{
"status": 401,
"source": "https://europe-002.token.azure-apim.net:443/tokens/europe-002/sharepointonline/efbc5085168443c1b41be120c4200b92/exchange",
"message": "Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and sharepointonline is in the block list. Connection errors: [ParameterName: token, Error: Code: Unauthorized, Message: 'Failed to refresh access token for service: sharepointonlinecertificatev2. Correlation Id=0c3b6346-f162-4f6d-9584-eb68d02695d0, UTC TimeStamp=2/12/2021 7:43:30 AM, Error: Failed to acquire token from AAD: {\"error\":\"interaction_required\",\"error_description\":\"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\\r\\nTrace ID: 4d64b9a8-ebc5-4279-b187-863b4b8b2b00\\r\\nCorrelation ID: 2dd555c1-3824-497d-9140-4d56c3a729d9\\r\\nTimestamp: 2021-02-12 07:43:29Z\",\"error_codes\":[50076],\"timestamp\":\"2021-02-12 07:43:29Z\",\"trace_id\":\"4d64b9a8-ebc5-4279-b187-863b4b8b2b00\",\"correlation_id\":\"2dd555c1-3824-497d-9140-4d56c3a729d9\",\"error_uri\":\"https://login.windows.net/error?code=50076\",\"suberror\":\"basic_action\"}']"
}
The first part that caught my attention was the connector apparently being blocked:
"Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and sharepointonline is in the block list."
Before I started to yell at the IT Admin for blocking connectors (for example through a newly created Data Loss Prevention policy in the Power Platform: Data loss prevention policies – Power Platform | Microsoft Docs), I saw the following part further down in the same message:
"Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access…"
Based on this info, I (calmly!) checked with the IT Admin, and it turned out that Multi-Factor Authentication (MFA: Azure AD Multi-Factor Authentication overview | Microsoft Docs) had been enabled after this user opened the Power App for the very first time. This user was a pilot user who started testing the Business App before it was released to all other users.
This meant that the user had created the Power Platform SharePoint connection before MFA was enforced. A connection keeps the tokens it obtained when it was created; when the connector later tries to refresh them, Azure AD now demands multi-factor authentication (AADSTS50076, "interaction_required"), which a flow running in the background cannot satisfy, so every connection this user created before MFA was enabled fails. The "block list" wording in the outer message is just the symptom of the connection being in an error state, not a DLP policy. This is similar to the situation where a user changes his or her password: that also invalidates the stored token and requires the user to remake the connection.
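The triage described above, as an added example that is not part of the original post: the outer connector message talks about a "block list" (which reads like a DLP problem), while the actionable detail is the Azure AD error JSON nested inside it. This helper pulls that nested object out of a failed-run notification and maps the AADSTS code to a likely cause and fix. The sample notification is constructed from the one in the post (IDs shortened); AADSTS50076 is the code from the post, and the other codes in the lookup table are taken from the Azure AD error-code reference as an assumption, not from the post.

```python
import json
import re
from typing import Optional

# Added example, not code from the original post. Known AADSTS codes and their
# usual meaning for a stored Power Platform connection. 50076 is the one in the
# post; the others are assumed from the Azure AD error-code reference.
AADSTS_CAUSES = {
    50076: ("MFA now required by policy; the stored refresh token predates it",
            "re-authenticate the connection interactively (Fix connection)"),
    50079: ("user must enrol for MFA before tokens can be issued",
            "user completes MFA registration, then fixes the connection"),
    50173: ("refresh token revoked, typically after a password change or reset",
            "re-authenticate the connection with the same account"),
    53003: ("sign-in blocked by a Conditional Access policy",
            "review the Conditional Access policy for the user/app before retrying"),
}

_AAD_MARKER = "Failed to acquire token from AAD: "
_AADSTS_RE = re.compile(r"AADSTS(\d+)")


def extract_aad_error(message: str) -> Optional[dict]:
    """Return the AAD error object embedded in a connector error message, or None."""
    idx = message.find(_AAD_MARKER)
    if idx == -1:
        return None
    start = idx + len(_AAD_MARKER)
    try:
        # raw_decode parses exactly one JSON value and ignores the trailing "']"
        # that the connector wrapper appends after the AAD payload.
        obj, _ = json.JSONDecoder().raw_decode(message[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def classify_connection_error(notification: dict) -> dict:
    """Classify a failed-run notification (the dict shape shown in the post)."""
    message = notification.get("message", "")
    aad = extract_aad_error(message)
    result = {
        "http_status": notification.get("status"),
        "mentions_block_list": "in the block list" in message,
        "aad_error": None,
        "aadsts_code": None,
        "suberror": None,
        "likely_cause": "no nested AAD error; inspect the connector message itself",
        "remediation": "check the connection status in the maker portal",
    }
    if aad is None:
        return result
    codes = aad.get("error_codes") or []
    code = codes[0] if codes else None
    if code is None:
        # Fall back to the AADSTS prefix in the description if error_codes is absent.
        m = _AADSTS_RE.search(aad.get("error_description", ""))
        code = int(m.group(1)) if m else None
    result.update({
        "aad_error": aad.get("error"),
        "aadsts_code": code,
        "suberror": aad.get("suberror"),
    })
    if code in AADSTS_CAUSES:
        result["likely_cause"], result["remediation"] = AADSTS_CAUSES[code]
    elif aad.get("error") == "interaction_required":
        # Unknown code but AAD still wants an interactive sign-in a flow cannot do.
        result["likely_cause"] = "AAD demands an interactive sign-in the flow cannot perform"
        result["remediation"] = "re-authenticate the connection interactively"
    return result


# Constructed sample modelled on the notification in the post (IDs shortened).
_AAD_BODY = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your "
                         "administrator, or because you moved to a new location, you must "
                         "use multi-factor authentication to access "
                         "'00000003-0000-0000-c000-000000000000'.",
    "error_codes": [50076],
    "suberror": "basic_action",
})
SAMPLE_NOTIFICATION = {
    "status": 401,
    "source": "https://europe-002.token.azure-apim.net:443/tokens/europe-002/sharepointonline/.../exchange",
    "message": (
        "Error from token exchange: Runtime call was blocked because connection has "
        "error status: Enabled| Error, and sharepointonline is in the block list. "
        "Connection errors: [ParameterName: token, Error: Code: Unauthorized, "
        "Message: 'Failed to refresh access token for service: "
        "sharepointonlinecertificatev2. Error: " + _AAD_MARKER + _AAD_BODY + "']"
    ),
}

if __name__ == "__main__":
    print(json.dumps(classify_connection_error(SAMPLE_NOTIFICATION), indent=2))
```

Run it as-is to see the sample classified as an MFA problem rather than a DLP block; feed it the `message` of any other failed run to get the nested AAD code without reading through the wrapper text by hand.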
How?
1) Every user facing this issue can simply visit one of the Power Platform links, for example https://flow.microsoft.com/.
If needed, sign in with your account. Go to Data on the left side and select Connections. Here you will see a clickable notification next to the problematic connection:
2) Go through the Fix connection steps (this is the interactive sign-in, including MFA, that the flow itself could not perform) and everything works fine again.
Hi Django Lohn, thanks for putting this together. I have a similar issue, but it is because a user has changed their password. But when I go and try to update the connection, I don't see any issue with the existing connection. I just tried "Switch Account" and used the same account again to make the connection and resubmitted the failed flow run, but it still failed. Do I have to trigger a new flow rather than resubmitting the existing failed flow? Based on the process I can not ask the user to trigger the flow again (PowerApps button).