Just a reminder: when creating an automated Flow with a CDS trigger (f.e. Create or Update of certain entity), the service principal used to authorize the API Connection in the background, needs to have full privileges on system entity callbackregistration (german: “Rückrufregistrierung“). Privilege scope User is sufficient.
If you forget this, you might ran into a cumbersome troubles. 😉 The most obvious sign, is that your Power Automate Flow or Logic App does (no longer) trigger. In the overview blade of your Logic App ressource, no invocation is listed so you need to go deeper through See trigger history in order to see every invocation that took place. Entries with Status = Failed and indicate Fired column indicate that this is no regular invocation (from CDS userland) but one that happened internally. Peeking into the trigger output data, we now would see an error message like this, when CDS trigger creation did silently fail in the background:
"Principal user (Id=b21db7e8-2a64-40ea-96d9-ef0e023bf1c4, type=8, roleCount=3, privilegeCount=745, accessMode=4), is missing prvCreateCallbackRegistration privilege (Id=a916618b-c454-45bb-ae0a-c30446362191) on OTC=301 for entity 'callbackregistration'. context.Caller=801866e1-0fd9-43f0-9259-d964984c5446"
Or this, when CDS trigger invocation fails silently after a matching event happened in CRM/CDS:
"Principal user (Id=b21db7e8-2a64-40ea-96d9-ef0e023bf1c4, type=8, roleCount=3, privilegeCount=744, accessMode=4), is missing prvReadCallbackRegistration privilege (Id=a916618b-c454-45bb-ae0a-c30446362191) on OTC=301 for entity 'callbackregistration'. context.Caller=801866e1-0fd9-43f0-9259-d964984c5446"
Purpose of callbackregistration entity
In version 9.0 a new event handler type was introduced to the PowerPlatform (aka Dynamics 365), called WebHooks that can be registered similarly to for example Plugins, and be configured to listen for certain Messages like Create or Update and also be narrowed to certain Attributes only. But compared to Plugins — which consist of custom code that is compiled, published as assembly to CRM and being executed right in the physical context of the underlying CDS/CRM database –, a WebHook is actually just an mechanism used to inform a remote party (represented by an URL-addressable HTTP endpoint) that a certain event has happened. The term WebHook is nothing invented by Microsoft in this context, rather more it’s the name of a well-known HTTP communication pattern for doing a primitive form of Inter-Process Communiation (IPC) by exchanging plain HTTP requests with some well-defined payload. The WebHook pattern is quite popular nowadays and it’s origins reach back already 10+ years, where it has been concepted as a simple, versatile and powerful mechanism to enable a connected real-time web, in which different webservices are able to communicate with each other regardless of their underlying technologie stack.
The way WebHooks has been adopted by Microsoft in the PowerPlatform is quite straight forward. Represented by callbackregistration records, their definition consists basically of the entity type and message a WebHook should be registered on, Attributes that should be monitored, the systemuser responsible for it and what data to be included in the WebHook payload.
Summary
In our original case, the problem arised by using a Service Principal for the API Connection used by the CDS trigger of our Logic App or Flow, that had no sufficient privileges to Read the callbackregistration entity everytime a certain entity record was Created or Updated for which a WebHook has been defined (happening automatically in the background when CDS trigger is created in Logic App/Flow → CDS trigger registration will silently fail when Service Principal lacks Create privilege on callbackregistration entity, too).
This little but important detail is unfortunately only mentioned once in a side sentence of a little paragraph across the whole Microsoft documentation, and even asking Google doesn’t yield any further details. Especially when crafting Security Roles with only the really neccessary privileges, such a tiny detail could easily be forgotten.
While doing some R&D for an upcoming XrmToolbox plugin I was curious about how Microsoft itself gathers metadata about solution components related to dependent solutions, unmanaged changes and the “mysterious” Active Solution. I had some closer look on some inner mechanics of Dynamics 365 apps and decided to simply write down my observations. Why this should be of interest for you or me? Well, like in many fields, when collaboration is the modus operandi (=multiple people working on the same subject), at some point it starts to becomes hard to maintain control and confidence of changes. To have a clear and definitive picture about what changed how and when, would therefore make life easier in these contexts.
In the context of CDS, assuming that one might keep 100% control of changes, will sooner or later turn out as naive thinking. Back in the good ol’ on-premise days, this assumption could proof correct for several years, but for most Dynamics 365 customers, this era is over. The online-only platform as we have it with CDS/D365 does and hopefully will evolve, innovate and thus change at a high pace and the reasons for these change will constantly increase. Active system development and customization by partners and customers alike being only one of it. Just have a look at the Solution History area in the system settings, and you will quickly realize how many things (patches, updates asf.) are taking place behind the curtains without users or administrators noticing most of it. With new first-party product addons by Microsoft or 3rd-party through AppSource, this change frequency will even increase further. Some of the more obvious signs that a platform patch/update was installed in the background, are f.e. standard entity forms being modified or even random regression bugs being introduced with a newer version. Those impacts are typically impossible to foresee and thus cannot be regression tested *before* in an automated way. Unfortunately I encountered event cases where customers reported issues in productive environments and only after raising a MS support ticket it turned out as a platform issue or similar. But this would lead to a different topic, about which btw. Jason Lattimer did write about almost exactly one year ago (the referred package is no longer available as of today).
So, instead of trying desperately to keep control of any changes, I started to realistically assess what is and will continue to be under my control as system architect and developer, and what not. My first insights: it needs a special kind of spiritual attitude in order to stay relaxed, what I call “hope competence”: optimistic confidence in the success of Microsoft’s platform and product updates and releases in general. 😁 My second (and admittedly more serious) insight: I need a way to continously observe and track (unmanaged) changes to any solution and solution component relevant for any given CDS/D365 solution I going to maintain. Such a clarity would give back transparency and thus confidence, and also give back a certain degree of control, because by knowing What did change How and When, we are able to react accordingly if needed. In the long term, I would expect similar capabilities to be added to the Solution Checker solution, which is actually kind of a rule checker engine running predefined rule sets periodically.
Trust is good, but control is even better — let’s do an short excourse on what possibibilites we have to identify and trace changes to solution components (like Entities, Forms, Views, Webresources, Workflows asf.) we have in our systems:
Not so long ago, Microsoft introduced a feature called Solution layers to the CDS system standard without much fanfare. Technically, it’s a read-only virtual entity msdyn_componentlayers which just holds a handful of attributes and which must be queried by stating a component id as well as its type in order to yield some actual data. From a UI perspective, the only touchpoint to this addition is a small button labelled “Solution layers” (or “Lösungsebenen” in german) inserted to the toolbar of the legacy solution editor window.
This, ladies and gentlemen, is literally the tip of the iceberg. For this feature, professional system customizers and developers have been waiting since the early days of Dynamics CRM. It’s nothing more than *the* decent, highly specialized and at the same time dead simple way to
discover and identify (even unmanaged) customizations of any solution component across all solutions referencing it (called Solution Layers)
analyze customizations/changes introduced by any solution and compare between different solutions
last, but not least, be able to revert any unmanaged change from the Active solution
For me personally, as well as probably for most professional system architects/customizers/devs/yourrolehere who have a XRM/CRM background ranging back into earlier on-premise CRM days, the third aspect is probably the most inspiring one. When you had to clean up unmanaged changes in systems adhering to managed-only solution deployment strategies, you probably had to come up with obscure MSSQL DB manipulations or preparation of holding solutions, uninstalling, reinstalling asf. … you know the pain and will be probably more than happy about this feature addition. During a recent talk to some Microsoft support engineeres, they chimed in that even they themself are happy about having an easy analysis tool like things at hand now.
Found in assembly Microsoft.Dynamics.PowerAppsChecker.Plugins.dll (Method WebResourceModel.GetModifiedWebResources(...) ) where it is used to quickly determine if certain webresources have been modified and thus also are referenced by solutions other than the predefined ones.
I already saw the dependencynode entity in the system metadata several times, but didn’t think about it much, until now. As the name implies, it is kind of abstract data structure that is used to build up an graph structure for tracking dependencies between solution components like Entities, Attributes, Views, asf.. This system entity is read-only and assumably for internal purposes only, given the fact that there is no publicly available information oder documentation about it other than the formal entity reference in Microsoft documentation (google for it). Given the nature and purpose of this data, I guess that these records are created by the CDS platform in the background when performing solution imports/exports or any other related activity, so that dependencynode records in the end act as materialized dependencies with a focus on inter-solution dependencies (as opposed to the more component focusseddependency entity).
Data-wise it looks like this:
Value
Label
0
None
1
Solution Internal
2
Published
4
Unpublished
Flattened records, building up an abstract graph structure
Found in assembly Microsoft.Dynamics.SalesHealth.Plugins.dll (Method SolutionRepository.GetSolutionIdsFromSolutionLayers(...) ) where it is used to quickly determine if certain managed forms have been customized and thus also are referenced by the Active solution.
This organization message yields list of metadata about solutions which carry changes to the originally requested solution component and thus reference it in some way. The result looks quite similar as when fetching msdyn_componentlayers records, albeit data-wise its pretty reduced. But that’s ok, what we have here is kind of simplified and concise intent to just get a list of any solution holding changes to a given solution component. For example, this data can be used then to easily determine if a given solution component was modified, by checking if the Active Solution (which has always the same GUID) is contained in the list of solutions contained in the message reesponse.
However, what I cannot tell yet is, if the order in which the solutions are contained in response EntityCollection corresponds to their installation dates and thus their layering order in the system. Let’s have another look at it.
Hands on
Come on, I know why you came over to my blog. 😋 Here we go:
Summary
All the methods shown in this article have one thing in common: they
Finally, I found a comparison chart which outlines dis-/abilities of Power Automate (aka Flows) and the classical Dynamics 365 Workflows. Of special interest for me are pre-images of events and transactions. Looking forward…
Wo ich gerade so die DateTime Werte einiger Datensätze anpasse, sticht mir plötzlich diese merkwürdige UI Localization ins Auge:
Welche Uhrzeit ist bitteschön 24:30 ? Vielleicht eine besonders “intuitive” Localization? Nun, ich tippe eher auf einen Bug, da solch eine Zeitangabe meiner Kenntnis nach nirgendwo im europäischen Schrift-/Sprachgebraucht existiert. Who wants to raise a MS support ticket? 😉
Wie eingangs erwähnt, werden Benutzer mit TML fortan keinen Zugriff haben mehr auf benutzerdefinierte Model-driven Apps sowie die Standard Hub Apps der Hauptprodukte wie z.B. Customer Service, Sales und Project Service Automation. Diese Limitierung ist sehr drakonisch und weitreichend, wo sie doch typische TML Anwendungsfälle wie z.B. kleine hochspezialisierte Fachanwendungen (in Form von Model-driven Apps) untersagt. Damit trifft Microsoft eine scharfe Abgrenzung zur generischen PowerPlatform mit deren eigenständiger PowerApp Lizenzierung. Stattdessen führt Microsoft in der 2020 RW1 eigens für Team Members drei neue Model-driven Apps ein, bei welchen es sich sich jeweils um stark reduzierte und TML-kompatible Alternativen ihrer entsprechenden Hub Apps handelt.
Im Falle der Customer Service Team Member App richtet sich diese jedoch meiner Meinung nach nicht an unternehmens-interne Benutzer, wie man erwarten würde, sondern sie ist standardmässig so konfiguriert, dass sie für den eigentlichen unternehmens-externen (End-)Kunden geeignet ist, um quasi einen Self-service Anwendungsfall abzubilden. Vermutlich deswegen wird sie auch nicht standardmässig installiert, sondern muss vom D365 Administrator explizit installiert werden.
Glücklicherweise können die drei Team Member Apps gecustomized werden, sodass also wie gewohnt je nach Anwendungsbereich individuelle App Experiences implementiert werden können, solange hierbei die Team Member Lizenzbedingungen erfüllt werden.
Doch sollte einem Nebensatz im License Guide besondere Aufmerksamkeit gewidmet werden:
“… Customization [of the standard Team Member Apps] is only allowable if it does not result in a change to core purpose of the specified scenario …”
D365 License Guide, Stand 02/2020
Dieser Vermerk ist zwar sehr schwammig formuliert und lässt somit viel Raum zur freien Interpretation, doch dürfte klar sein worauf Microsoft hinaus möchte.