Setting Up the CoE Starter Kit Core: Step-by-Step with Troubleshooting

Before You Begin

Setting up the CoE Starter Kit Core is not difficult, but it is particular. Most failures come from skipping a prerequisite or rushing through a configuration step. Budget two to four hours for the initial setup, plus 24 to 48 hours for the first sync to complete in a medium-to-large tenant.

This guide covers the Core module only. Get Core running cleanly before you attempt Governance, Nurture, or any other module. Every other module depends on the inventory data that Core produces.

Step 1: Complete the Prerequisites Checklist

Work through every item on this list before you download anything. Skipping prerequisites is the single most common reason setups fail.

Create a Dedicated Dataverse Environment

Go to the Power Platform admin centre and create a new environment specifically for the CoE Starter Kit.

• Type: Production (not sandbox). Sandbox environments do not receive audit log data, which cripples your usage analytics.
• Name: Something obvious like “CoE Starter Kit” or “Power Platform CoE”. You will be looking at this name in the admin centre regularly.
• Region: Same region as your default environment. Cross-region setups add latency to sync flows and can cause timeout issues.
• Database: Yes, create a Dataverse database. The CoE Kit stores everything in Dataverse.
• Security group: Restrict access to your CoE admin team. There is no reason for general users to access this environment directly.

Wait for the environment to finish provisioning before proceeding. This typically takes five to ten minutes.

Create Azure AD App Registrations

You need two app registrations in Azure Active Directory (Entra ID). These are how the CoE sync flows authenticate to Microsoft APIs.

App Registration 1: Microsoft Graph API

This app reads user profiles, group memberships, and audit log data.

1. Go to Azure Active Directory, then App registrations, then New registration.
2. Name it something identifiable, such as “CoE Starter Kit - Graph”.
3. Set the redirect URI to https://global.consent.azure-apim.net/redirect (Web type).
4. After creation, go to API permissions and add:
   • Microsoft Graph: User.Read.All (Application)
   • Microsoft Graph: Group.Read.All (Application)
   • Microsoft Graph: AuditLog.Read.All (Application — only if you want sign-in data)
5. Click “Grant admin consent” — this requires Global Administrator privileges.
6. Go to Certificates & secrets, create a new client secret, and save the value immediately. You cannot retrieve it later.

Note down the Application (client) ID, the Directory (tenant) ID, and the client secret. You will need all three.

App Registration 2: Power Platform Admin

This app is used for some of the admin API calls. In newer versions of the CoE Kit, some flows use the built-in Power Platform connector instead, but the app registration is still needed for certain operations.

1. Create another app registration named “CoE Starter Kit - Admin”.
2. Same redirect URI: https://global.consent.azure-apim.net/redirect.
3. API permissions: PowerApps-Advisor and PowerApps Service with appropriate delegated permissions as documented in the CoE Kit release notes.
4. Grant admin consent.
5. Create a client secret and save it.

Set Up the Service Account

The CoE sync flows need to run under a specific account. You have two options:

Option A: Dedicated service account (recommended)

Create a new user account in Azure AD specifically for CoE operations. This approach is recommended because:

• You can assign the minimum required licences to this account only
• If the account gets throttled, it does not affect a real user
• When someone leaves the organisation, the CoE flows keep running

Option B: Use your own admin account

Faster to set up, but creates a dependency on your personal account. If you leave the organisation or change roles, the CoE Kit breaks.

Whichever option you choose, the account needs:

• Power Apps Per User licence (or Power Apps Premium). The Developer Plan is not sufficient.
• Power Platform Administrator role (or Global Administrator, or Dynamics 365 Service Administrator).
• System Administrator security role in the CoE Dataverse environment.

Verify Unified Audit Logging

The CoE Kit pulls usage data from the unified audit log. If this is not enabled, your dashboard will show inventory data but no usage metrics.

1. Go to the Microsoft Purview compliance portal.
2. Navigate to Audit.
3. If you see a banner saying “Start recording user and admin activity”, click it and enable auditing.
4. Audit data takes up to 24 hours to start appearing after you enable it.

If your organisation is on a GCC (Government Community Cloud) tenant, the audit log endpoint is different. You will configure this in the environment variables later, but be aware of it now.

Step 2: Download and Import the Solution

Do not install the CoE Starter Kit from AppSource. The GitHub release is more current and gives you more control over versioning.

1. Go to the CoE Starter Kit GitHub repository (search for “microsoft/coe-starter-kit” on GitHub).
2. Navigate to Releases and download the latest stable release. You want the managed solution files — they will be named something like CenterOfExcellenceCoreComponents_x_x_x_managed.zip.
3. Do not extract the ZIP files. Import them as-is.

Import Process

1. Go to make.powerapps.com and select your CoE environment.
2. Navigate to Solutions, then Import solution.
3. Browse to the Core components ZIP file and click Next.
4. The import wizard will ask you to configure connections. Create new connections for each connector listed:
   • Power Apps for Admins
   • Power Automate for Admins
   • Power Platform for Admins
   • Microsoft Dataverse
   • Office 365 Outlook (for notification emails)
   • HTTP with Azure AD (for Graph API calls)
   • Approvals (if prompted)
5. Sign in with your service account for each connection.
6. Click Import and wait.

The import typically takes 10 to 30 minutes. During this time:

• Do not navigate away from the page. The import can appear to hang at 0% for several minutes — this is normal.
• Do not import a second time if you think it stalled. Check the solution import history before retrying.
• Expect warnings. Some warnings about missing dependencies or deprecated components are normal and do not prevent the kit from functioning.

If the import fails, see the troubleshooting section at the end of this guide before retrying.

Step 3: Configure Environment Variables

After the import succeeds, you need to set the environment variables that tell the sync flows how to connect to your APIs.

1. In the Solutions list, open the CoE Core solution.
2. Filter by “Environment variable” to see all variables.
3. Set each of the following:

Essential variables:

• Admin Email — The email address that receives admin notifications. Use a shared mailbox or distribution list, not a personal email.
• Azure AD App - Client ID — The Application ID from your Graph API app registration.
• Azure AD App - Client Secret — The secret value from your Graph API app registration.
• Azure AD App - Tenant ID — Your Azure AD tenant ID.
• Power Platform Admin Email — Can be the same as Admin Email, or a different address for platform-specific notifications.

Cloud-specific variables (if applicable):

• Graph URL Environment Variable — Leave as default for commercial cloud. Set to https://graph.microsoft.us for GCC, or https://graph.microsoft.de for Germany cloud.
• Audit Log URL — Leave as default for commercial. GCC tenants need the government-specific endpoint.

Important: the environment variable caching gotcha.

This catches everyone at least once. When a cloud flow reads an environment variable, it caches the value. If you change an environment variable while flows are turned on, the flows continue using the old value until they are restarted.

The safe process is:

1. Turn off all CoE flows first.
2. Update the environment variables.
3. Turn the flows back on.

If you set the variables before turning on any flows (which you should, since they are off by default after import), you will not hit this issue on initial setup. But remember it for future updates.

Step 4: Set Up Run Only Users

This is the single most common setup mistake with the CoE Starter Kit. If you skip this step, child flows will fail with connection errors and your inventory tables will be empty.

The CoE Kit uses a parent-child flow architecture. The parent flow (the “driver”) triggers multiple child flows. By default, child flows run with the connections of the user who triggers them — but since they are triggered by another flow, not a user, they need explicit connection configuration.

Here is how to set this up:

1. In the CoE solution, find the child flows. They typically have names containing “Sync” but are not the main driver flows. Examples include flows that sync individual environments, apps, or flows.
2. Open each child flow.
3. Click the three dots (ellipsis) menu, then “Run only users”.
4. For each connection listed, change the dropdown from “Provided by run-only user” to “Use this connection” and select the connection you created during import.
5. Save and close.

You need to do this for every child flow in the solution. There are typically 10 to 15 of them in the Core module. Yes, it is tedious. No, there is no bulk way to do it.

A quick way to verify you have not missed any: after you turn on the sync flows and they complete a run, check the flow run history of each child flow. If any show “Failed” with a connection-related error, you missed that one.

Step 5: Start the Sync Flows

Now you are ready to turn on the sync flows and populate your inventory.

Turn On Flows in the Correct Order

1. Start with the Setup Wizard flow (if your version includes one). This flow performs initial configuration and creates required Dataverse records. Run it once and wait for it to complete.

2. Turn on the inventory sync driver flows — These are the main flows that orchestrate the sync:

   • Admin | Sync Template v4 (Driver) — This is the main orchestrator
   • Admin | Sync Template v4 (Check Deleted) — Identifies resources that have been deleted
   • Admin | Sync Template v4 (Audit Logs) — Pulls usage data from audit logs

3. Do not turn on governance or notification flows yet. Get the inventory sync working cleanly first. You do not want to send inactivity notifications based on incomplete data.

What to Expect During the First Sync

The first sync is the slowest because it needs to inventory your entire tenant from scratch.

• Small tenant (under 100 environments): 2 to 6 hours
• Medium tenant (100 to 500 environments): 6 to 24 hours
• Large tenant (500+ environments): 24 to 72 hours

The driver flow calls the Power Platform admin APIs, which are throttled. In very large tenants, you may see the flow pause and retry as it hits API limits. This is expected behaviour, not an error.

You can monitor progress by:

1. Checking the flow run history — look for active runs of the driver and child flows.
2. Querying the Dataverse tables directly — open the Admin View app and check if environments, apps, and flows are appearing.
3. Watching the environment count. If your tenant has 200 environments and the Admin View shows 50, the sync is roughly 25% complete.

Common Issue: Sync Never Completes

If the sync flow has been running for more than 72 hours without completing, or keeps failing and retrying:

1. Check the child flow run history for failures. Identify the specific error.
2. Verify your service account still has the Power Platform admin role.
3. Check if the Azure AD app secret has expired.
4. In very large tenants, consider splitting the sync by enabling the “batch” configuration in environment variables.

Step 6: Verify the Installation

Once the first sync completes (or is at least partially complete), verify that data is flowing correctly.

Open the Admin View App

1. Go to make.powerapps.com, select your CoE environment.
2. Open the “Admin View” model-driven app.
3. Navigate to Environments. You should see a list of all environments in your tenant.
4. Check the app inventory. Compare the count with what you see in the Power Platform admin centre.
5. Check the flow inventory similarly.

Verification Checklist

Check	Where to Look	Expected Result
Environments listed	Admin View > Environments	Count matches admin centre
Apps inventoried	Admin View > Apps	Apps from multiple environments appear
Flows inventoried	Admin View > Flows	Both cloud flows and desktop flows listed
Makers identified	Admin View > Makers	User records with display names populated
Connectors catalogued	Admin View > Connectors	Both standard and custom connectors listed
Last sync date	Admin View > Sync Logs	Shows today’s date with “Success” status

If any of these checks fail, refer to the troubleshooting section below.

Connect the Power BI Dashboard

Once inventory data is confirmed:

1. Download the Power BI template file (.pbit) from the CoE Kit release.
2. Open it in Power BI Desktop.
3. When prompted, enter your CoE environment URL (the Dataverse URL, which looks like https://yourenv.crm.dynamics.com).
4. Authenticate with your CoE admin account.
5. Wait for the data to refresh — this can take 10 to 30 minutes depending on data volume.
6. Publish to the Power BI service if you want to share with leadership.

Common Setup Failures and Fixes

Import Error 80040224: “An item with the same key has already been added”

Cause: You have unmanaged customisations in the environment that conflict with the managed solution. This usually happens when someone manually created a table or column with the same name as one in the CoE Kit, or when a previous unmanaged version of the kit was installed.

Fix:

1. In the Solutions list, look for any unmanaged solution layers that reference CoE components.
2. Select the conflicting component and click “Remove active customisation”.
3. If you previously had an unmanaged version of the CoE Kit, you need to remove it entirely before importing the managed version.
4. Retry the import.

Sync Flow Never Completes

Cause: Usually API throttling in large tenants, or the service account losing permissions mid-sync.

Fix:

1. Check flow run history for specific error messages.
2. Verify the service account has Power Platform admin role — this can get removed by other admins unknowingly.
3. Check if the environment variable for “Delay between API calls” exists and increase it (adding a longer delay reduces throttling).
4. For very large tenants, contact your Microsoft account team about increasing API limits.

Empty Inventory Tables After Sync Completes

Cause: Almost always a Run Only Users configuration issue. The driver flow runs successfully but the child flows fail silently because they cannot authenticate.

Fix:

1. Go to each child flow’s run history and look for failures.
2. Open the failed run to see the error — it will typically mention a connection issue.
3. Reconfigure Run Only Users for the affected child flows (see Step 4).
4. Re-run the driver flow.

401 Errors on Graph API Calls

Cause: Azure AD app consent not granted, the client secret has expired, or you are using the wrong cloud endpoint.

Fix:

1. Go to Azure AD > App registrations > your Graph app > API permissions.
2. Verify that “Grant admin consent” shows green checkmarks for all permissions.
3. Go to Certificates & secrets and check if the secret has expired. If so, create a new one and update the environment variable.
4. For GCC tenants: verify you have set the Graph URL environment variable to the government endpoint.

Environment Variable Changes Not Taking Effect

Cause: Cloud flows cache environment variable values. Updating the variable while flows are running has no effect until flows are restarted.

Fix:

1. Turn off all CoE flows.
2. Update the environment variables.
3. Wait two minutes (allow the cache to clear).
4. Turn the flows back on.

Next Steps

Once Core is running cleanly and you have verified the inventory data:

1. Let it run for a week before adding more modules. This ensures the sync is stable and you have enough historical data for meaningful dashboards.
2. Review the Power BI dashboard to understand your tenant landscape.
3. Deploy the Governance module next — it builds directly on the Core inventory data.
4. Read the error troubleshooting guide for operational issues that may arise after the initial setup.

The CoE Starter Kit is a living system, not a one-time installation. Plan to spend at least an hour per week reviewing sync health, acting on governance alerts, and keeping the kit updated to the latest release.