Common CoE Starter Kit Errors and How to Fix Them

How to Use This Guide

This is a reference guide organised by error. Each entry includes the exact error text (or symptoms), the most likely cause, and a step-by-step fix. Bookmark this page — you will come back to it.

The errors are grouped into three categories: import errors (things that go wrong during solution import), sync flow errors (things that go wrong during daily operation), and permission errors (things that go wrong because someone or something lacks the right access).

If you are setting up the CoE Starter Kit for the first time, read the setup guide first. This guide assumes you have already attempted installation and are troubleshooting a specific problem.

Import Errors

Error 80040224: “An item with the same key has already been added”

When it happens: During solution import.

What it means: A component in the managed solution has the same unique name as something that already exists in your environment. This is almost always caused by unmanaged customisations — someone (possibly you in a previous attempt) manually created a table, column, or other component with the same schema name that the CoE Kit solution uses.

How to fix it:

1. Open the Solutions area in your CoE environment.
2. Look for the “Default Solution” or any unmanaged solution layer that contains components starting with “admin_” or “cat_” (the CoE Kit’s publisher prefixes).
3. For each conflicting component:
   • Select it and click “Remove active customisation” if that option is available.
   • If it is a table or column you created manually, you need to delete it. Be aware that deleting a table removes all data in it.
4. If you previously installed an unmanaged version of the CoE Kit, you need to remove all its components before importing the managed version. There is no automated way to do this — you must remove each component individually.
5. After removing the conflicts, retry the import.

Prevention: Always install the CoE Kit as a managed solution, never unmanaged. And never create components manually in the CoE environment — let the solution manage everything.

Error 80097376: “Flow server BadGateway”

When it happens: During solution import, specifically when the import process tries to activate cloud flows included in the solution.

What it means: This is a transient service error. The Power Automate backend had a momentary issue processing the flow activation. It does not indicate a problem with your configuration.

How to fix it:

1. Wait 15 to 30 minutes. The service usually recovers on its own.
2. Go to Solutions and check the import history. If the import completed with warnings (rather than failing entirely), the solution may have imported successfully and only the flow activation failed.
3. If the import completed with warnings, go into the solution and manually turn on any flows that are still in the “off” state.
4. If the import failed entirely, delete the partially imported solution and retry.

If it keeps happening: Try importing during off-peak hours for your region. Service stability tends to be better outside of business hours. If it consistently fails, open a Microsoft support ticket — there may be a regional service issue.

Import Fails with “Operation Status Unknown”

When it happens: During solution import, often after a previous partial import or failed upgrade attempt.

What it means: The solution import system is confused by a previous incomplete import. There are remnants of the old import that conflict with the new one.

How to fix it:

1. Go to Solutions and check if the CoE solution appears in the list, even in a “broken” or partially imported state.
2. If it does, remove (uninstall) the managed solution. This may take several minutes.
3. Wait five minutes after the removal completes to allow cleanup processes to finish.
4. Retry the import with a fresh download of the solution file from GitHub. Do not reuse the same file — download it again to rule out a corrupted download.
5. If removal fails, you may need to remove individual solution components manually through the Default Solution before attempting a full removal again.

Sync Flow Errors

Sync Template v4 Driver Flow Runs for Days Then Fails

When it happens: During the daily inventory sync, most commonly on the first run or in tenants with more than 500 environments.

What it means: The driver flow is hitting Power Platform admin API throttling limits. The APIs allow a limited number of calls per minute, and in large tenants, cataloguing every environment, app, and flow requires thousands of calls.

How to fix it:

1. Check the flow run history to confirm the error is throttling-related. Look for HTTP 429 responses or “Rate limit exceeded” messages in the flow action details.
2. Open the CoE solution and look for the environment variable that controls the delay between API calls. Increase it to add more breathing room between calls.
3. For very large tenants, check if your CoE Kit version supports batch sync mode. In batch mode, the sync processes a subset of environments per run rather than trying to do everything in one go.
4. Verify the flow timeout settings. The default timeout for a cloud flow run is 30 days, which should be sufficient, but check that it has not been reduced.
5. If the sync consistently times out, split the workload: configure the sync to process specific environment groups on different days.

What is normal: In a tenant with 200+ environments, the first sync taking 24 to 48 hours is expected. Subsequent syncs are faster because they only process changes.

Child Flow Fails with Connection Error (Run Only Users)

When it happens: During sync flow execution. The driver flow runs successfully, but individual child flows fail.

What it means: The child flows do not have their connections configured for “Run as” mode. By default, child flows inherit the connections of the calling user, but when called by another flow (rather than a human), there is no calling user context to inherit.

How to fix it:

1. Go to Solutions, open the CoE Core solution, and filter by Cloud Flow.
2. Identify the child flows. They are typically named with a pattern like “Admin | Sync Template v4 [something]” without the word “Driver”.
3. Open each child flow.
4. Click the ellipsis menu (three dots), then select “Run only users”.
5. For each connection type listed in the Run Only Users panel:
   • Change the dropdown from “Provided by run-only user” to “Use this connection”.
   • Select the appropriate connection (the one created during solution import with your service account).
6. Click Save.
7. Repeat for every child flow. There are typically 10 to 15 of them.
8. After configuring all child flows, trigger a new run of the driver flow.

How to verify you have not missed any: After the next sync completes, go to each child flow’s run history. Sort by “Failed” status. If any show connection errors, you missed that flow.

Important note on upgrades: When you upgrade the CoE Kit to a new version, the Run Only Users configuration may be reset. Check and reconfigure after every upgrade.

Environment Variable Changes Do Not Take Effect

When it happens: After you update an environment variable value. The flows continue using the old value.

What it means: Cloud flows cache environment variable values at the time the flow instance starts. Updating the variable while a flow is active does not propagate the new value to running or subsequently triggered instances of already-active flows.

How to fix it:

1. Go to Solutions, open the CoE solution, and filter by Cloud Flow.
2. Turn off every flow in the solution. Select each flow and click “Turn off”. You can multi-select to speed this up.
3. Go to Environment variables and update the value you need to change.
4. Wait two to three minutes for the cached values to expire.
5. Turn all the flows back on.

Prevention: Always update environment variables before turning on flows (during initial setup) or follow the off-update-on pattern consistently.

Audit Log Sync Returns No Data

When it happens: The audit log sync flow runs successfully (no errors) but the usage data tables in Dataverse remain empty.

What it means: Either unified audit logging is not enabled in your tenant, or the sync is pointing to the wrong audit log endpoint.

How to fix it:

1. Verify unified audit logging is enabled:
   • Go to the Microsoft Purview compliance portal.
   • Navigate to Audit.
   • If you see a “Start recording” banner, auditing is not yet enabled. Enable it and wait 24 hours for data to begin accumulating.
2. Check the audit log environment variable in the CoE solution:
   • For commercial (worldwide) tenants, the default endpoint is correct.
   • For GCC tenants, you need to set the audit log URL to the GCC-specific endpoint. Check the CoE Kit documentation for the exact URL for your cloud instance.
   • For GCC High and DoD tenants, the endpoint is different again.
3. Verify the Azure AD app registration has the AuditLog.Read.All permission with admin consent granted.
4. If auditing was just enabled, wait 24 to 48 hours. Audit data is not retroactive — it only captures activity from the point of enablement forward.

Permission Errors

401 Unauthorized on Graph API Calls

When it happens: During sync flow execution, specifically in flow actions that call the Microsoft Graph API.

What it means: The Azure AD app registration used for Graph API access either lacks the required permissions, has not been granted admin consent, or has an expired client secret.

How to fix it:

1. Go to Azure Active Directory (Entra ID), then App registrations.
2. Find the app registration used for the CoE Kit (the one whose client ID matches the environment variable).
3. Go to API permissions. Check that these permissions are listed and have the green “Granted” checkmark:
   • User.Read.All (Application type)
   • Group.Read.All (Application type)
   • AuditLog.Read.All (Application type, if using audit logs)
4. If any permissions show “Not granted”, click “Grant admin consent for [tenant name]”. This requires Global Administrator privileges.
5. Go to Certificates & secrets. Check if the client secret has expired:
   • If expired: create a new secret, copy the value immediately, then update the corresponding environment variable in the CoE solution.
   • Remember to follow the off-update-on pattern for environment variables (turn off flows, update, turn on).
6. If permissions and secrets look correct, check whether a Conditional Access policy is blocking app-only authentication for this specific app.

Empty Inventory Tables After Sync Completes

When it happens: The sync driver flow completes without errors, but the Dataverse inventory tables (environments, apps, flows) contain zero records.

What it means: The service account running the flows does not have the Power Platform admin role. The admin APIs return empty results (not errors) when called by a non-admin account. This makes it particularly insidious — everything looks like it worked, but no data was collected.

How to fix it:

1. Go to the Microsoft 365 admin centre.
2. Find the service account used for the CoE Kit.
3. Check its assigned roles. It needs one of:
   • Power Platform Administrator
   • Dynamics 365 Service Administrator
   • Global Administrator (overkill, but works)
4. Assign the appropriate role if missing.
5. Wait up to one hour for role propagation.
6. Trigger a new sync by running the driver flow manually.

Common gotcha: The role assignment might have been removed by another admin as part of a role review or security audit. If this has happened once, it will happen again. Document the CoE service account in your organisation’s admin account registry so it is not accidentally de-provisioned.

”The specified user is not a member of this organization”

When it happens: During flow execution, usually on actions that involve user lookups or email sending.

What it means: The service account used by the CoE flows has been disabled, deleted, or its licence has been removed.

How to fix it:

1. Go to Azure Active Directory (Entra ID) and search for the service account.
2. Check if the account is enabled. If it was disabled, re-enable it.
3. Check if the account is licensed. It needs a Power Apps Per User licence (or Power Apps Premium) at minimum.
4. Check if the account has been moved to “Deleted users”. If so, restore it within the 30-day recovery window.
5. After restoring the account, all connections created with this account need to be re-authenticated:
   • Go to make.powerapps.com, then Connections.
   • Find each connection used by the CoE Kit.
   • Edit and re-authenticate with the service account credentials.
6. Reconfigure Run Only Users on all child flows (the connection references may have broken).

Prevention: Add the CoE service account to an exclusion list for any automated account cleanup processes. Set up a monitoring alert that triggers if the account is disabled or its licence is removed.

”The caller with object ID does not have permission”

When it happens: During flow execution, specifically when a flow tries to read from or write to Dataverse tables.

What it means: The account running the flow does not have the required Dataverse security role in the CoE environment. The Power Platform admin role grants access to the admin APIs, but Dataverse has its own security model.

How to fix it:

1. Go to the Power Platform admin centre.
2. Open the CoE environment.
3. Go to Settings, then Users.
4. Find the service account and verify it is listed as a user in this environment. If not, add it.
5. Check its security roles. It needs the “System Administrator” role in the CoE environment at minimum for full CoE Kit functionality.
6. If the account is listed but does not have the correct role, assign it.
7. Wait five minutes for the security role to propagate, then retry the failed flow.

Note on least privilege: “System Administrator” is a broad role. If your security policy requires least privilege, you can create a custom Dataverse security role that grants read/write access only to the CoE Kit’s custom tables. However, this requires maintenance whenever the CoE Kit adds new tables in an update.

Upgrade-Specific Errors

Flows Suspended After Upgrade

When it happens: After importing a new version of the CoE Kit solution.

What it means: The upgrade process may invalidate existing flow connections. When a flow cannot authenticate with its connections, the platform suspends it.

How to fix it:

1. Go to Solutions and open the CoE solution.
2. Filter by Cloud Flow and sort by status.
3. For each suspended flow:
   • Open the flow and check which connection is failing (the flow designer highlights broken connections in red).
   • Edit the connection reference to point to a working connection.
   • If the connection itself is broken, go to Connections, edit it, and re-authenticate.
4. After fixing connections, turn the flow back on.
5. Reconfigure Run Only Users on all child flows — upgrade often resets this configuration.
6. Verify environment variables still have correct values. Some upgrades add new required variables that default to blank.

Prevention: Before upgrading, document your current Run Only Users configuration and environment variable values. After upgrading, verify and restore them. The CoE Kit team recommends following their upgrade guide for each specific version, as breaking changes vary between releases.

Setup Wizard Shows Blank Page

When it happens: After import, when you try to open the Setup Wizard canvas app.

What it means: This is a known issue in certain CoE Kit releases where the Setup Wizard app does not render correctly in certain browsers or when specific Dataverse components are not yet provisioned.

How to fix it:

1. Try a different browser. Edge and Chrome typically work best.
2. Clear the browser cache and cookies for the make.powerapps.com domain.
3. If the blank page persists, skip the Setup Wizard entirely and configure the CoE Kit manually:
   • Set environment variables directly in the Solutions area.
   • Configure connections and Run Only Users manually.
   • Turn on flows in the correct order.
4. The manual setup process achieves the same result as the wizard. The wizard is a convenience, not a requirement.

The manual setup path is documented in the setup guide. In practice, many experienced admins prefer manual setup because it gives more control and makes troubleshooting easier when something goes wrong.

General Troubleshooting Tips

When you encounter an error not listed here:

1. Check the flow run history. Open the failed flow run and expand each action to find the specific step that failed. The error message at the action level is almost always more informative than the top-level flow error.

2. Check the CoE Kit GitHub issues. Search the issues in the microsoft/coe-starter-kit repository. Chances are someone else has hit the same error and there is either a fix or a workaround.

3. Check your version. Many errors are version-specific and fixed in later releases. Compare your installed version with the latest release on GitHub. If you are more than two versions behind, consider upgrading.

4. Isolate the problem. If multiple flows are failing, start with the simplest one. Fix that first, then move to the more complex ones. Often a single root cause (like an expired secret or removed role) cascades into multiple flow failures.

5. Document everything. Keep a log of errors you encounter, what caused them, and how you fixed them. The CoE Starter Kit is updated frequently, and the same issues tend to recur after upgrades or environment changes. Your future self will thank you.