Set up inventory components
This article helps you set up the inventory components of the Core solution of the Center of Excellence (CoE) Starter Kit. The inventory is the heart of the CoE. Your Microsoft Power Platform journey is most beneficial when you understand your apps, flows, and makers, and can lay the foundation to monitor new apps and flows being created.
The flows and dataflows in this solution sync all your resources into tables. This solution helps you build admin apps, flows, and dashboards on top of the inventory. This setup gives you a holistic overview of the apps, flows, and makers that exist in your environment. Apps like DLP Editor and Set App Permissions help with daily admin tasks.
Prerequisites
- Complete the Get started article.
- Set up your environment.
- Sign in with the correct identity.
Note
- If you are trying out Data Export for inventory, we recommend you don't depend on this feature just yet and test it in a dedicated test environment first. Trying out this feature helps us validate that the feature is what you need and that we're not introducing unintended side effects.
- Your feedback is critical to this process. Post your feedback by raising an issue on GitHub.
- Setting up the inventory components using Data Export is only supported through the setup wizard. Manual setup instructions are available after the experimental preview.
Import the Creator Kit and make connections
Import Creator Kit
The CoE Starter Kit requires the installation of the Creator Kit in the environment where you installed the CoE Starter Kit.
Install the Creator Kit before proceeding.
Create connections
Create these connections manually ahead of installing the kit to ensure they're correctly configured.
- Go to Power Automate.
- Select your CoE environment and go to Data > Connections > + New connection.
- Create a connection for HTTP with Microsoft Entra ID (preauthorized), and set Base Resource URL and Microsoft Entra ID Resource URI (Application ID URI) to https://graph.microsoft.com/ for commercial tenants. If your tenant is in GCC, GCC High, or DoD, check your service root endpoint for Microsoft Graph.
Import the core components solution
Download the CoE Starter Kit compressed file to your computer.
Extract the compressed zip file. The CoE Starter Kit compressed file contains all solution components in addition to the non–solution-aware components that make up the CoE Starter Kit.
Import the CenterOfExcellenceCoreComponents_x_x_x_xx_managed.zip solution file from the extracted folder.
For an environment in the commercial cloud, leave all environment variable values blank. For a GCC, GCC High, and DoD environment, check Microsoft Graph and Graph Explorer service root endpoints and enter the value for your cloud in the Graph URL Environment Variable environment variable.
The import can take up to an hour to complete, and upgrades can take up to two hours.
Note
After importing your solution, you might see this warning: Solution "Center of Excellence - Core components" imported successfully with warnings: Flow client error returned with status code Bad Request. This warning message can be ignored, and you can proceed with opening the Setup Wizard app to continue the setup and configuration of the solution.
Set up the Inventory components using the Setup Wizard
Open the Setup Wizard to complete the configuration
- After the solution import is successful, open the Center of Excellence - Core Components solution.
- Open the CoE Setup and Upgrade Wizard app.
- This app guides you through the configuration steps.
Troubleshooting
If you see an Error Loading Control warning when opening the Setup Wizard app, it means some of the flows required to run the wizard couldn't be turned on automatically. Navigate to the solution and turn on the following flows manually:
- SetupWizard > GetCurrentEnvironment
- SetupWizard > GetTenantID
- SetupWizard > GetUserDetails
Once turned on, you can return to the Setup Wizard to continue the setup.
Choose data source
You can choose your data source for inventory. Cloud flows is the default and currently recommended path for gathering your inventory.
However, you might wish to experiment with the Data Export (Preview) data source. To experiment, use the Data Export setup instructions when you get to the Configure dataflows page.
Set up the CoE Admin Command Center app
Important
Only complete these steps if you want to review Power Platform–related Microsoft 365 Message Center updates in the CoE Admin Command Center canvas app. The CoE Admin Command Center app can be used without this configuration.
Create a Microsoft Entra app registration to connect to Microsoft Graph
The CoE Admin Command Center connects to Microsoft Graph API to get Microsoft 365 Message Center updates.
Using these steps, you set up the Entra app registration used in a cloud flow to connect to the Graph API. For more information, see Use the Microsoft Graph API.
- Sign in to the Azure portal.
- Go to Microsoft Entra ID > App registrations.
- Select + New Registration.
- Enter a name. For example, use the CoE Command Center name. Don't change any other settings and select Register.
- Select API Permissions > + Add a permission.
- Select Microsoft Graph and configure permissions as follows:
- Select Application permissions, and then select ServiceMessage.Read.All.
- Select Add permissions.
- Select Grant Admin Consent for (your organization).
- Select Certificates and secrets.
- Select + New client secret.
- Add a description and expiration (in line with your organization's policies), and then select Add.
- Copy and paste the Secret to a text document such as Notepad.
- Select Overview and copy and paste the application (client) ID value to the same text document. Be sure to make a note of which GUID is for which value.
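
To confirm that admin consent left the registration with only the permission granted above, you can request a token with the new client ID and secret and inspect its `roles` claim. The following Python sketch is an added example, not part of the CoE Starter Kit: the function names and the sample token are constructed, and the default authority and Graph URL are the commercial-cloud values.

```python
import base64
import json

# The only Graph application permission the steps above grant.
EXPECTED_ROLES = {"ServiceMessage.Read.All"}

def build_token_request(tenant_id, client_id, client_secret,
                        authority="https://login.microsoftonline.com/",
                        graph_url="https://graph.microsoft.com/"):
    """Return (url, form) for the OAuth 2.0 client-credentials token request.

    Defaults are commercial-cloud values; pass your cloud's authority and
    Graph service root for GCC High or DoD.
    """
    url = f"{authority.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": graph_url.rstrip("/") + "/.default",
    }
    return url, form

def token_roles(access_token):
    """Decode the JWT payload and return its app roles (inspection only, no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def review_token(access_token):
    """Return (missing, excess) roles relative to what the Command Center needs."""
    roles = token_roles(access_token)
    return EXPECTED_ROLES - roles, roles - EXPECTED_ROLES

def sample_token(roles):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}.constructed"

if __name__ == "__main__":
    url, form = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print(url, form["scope"])
    print(review_token(sample_token(["ServiceMessage.Read.All"])))
    print(review_token(sample_token(["ServiceMessage.Read.All", "Directory.ReadWrite.All"])))
```

An empty `missing` set and an empty `excess` set mean the registration carries exactly the permission this setup needs; any entry in `excess` is a permission to remove from the app registration.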
Update environment variables
Update the environment variables that hold the client ID and secret, as shown in the following table.
You can store the client secret either in plain text in the Command Center - Client Secret environment variable (not recommended) or store the client secret in Azure Key Vault and reference it in the Command Center - Client Azure Secret environment variable (recommended). Review the required permissions to use Azure Key Vault secrets in environment variables.
Note
The flow using this environment variable is configured with a condition to expect either the Command Center - Client Secret or the Command Center - Client Azure Secret environment variable. You don't need to edit the flow or command center application to work with Azure Key Vault.
Name | Description |
---|---|
Command Center - Application Client ID | The application client ID from the Create a Microsoft Entra app registration to connect to Microsoft Graph step. |
Command Center - Client Secret | The application client secret from the Create a Microsoft Entra app registration to connect to Microsoft Graph step. Leave empty if you're using Azure Key Vault to store your client ID and secret. |
Command Center - Client Azure Secret | The Azure Key Vault reference for the application client secret from the Create a Microsoft Entra app registration to connect to Microsoft Graph step. Leave empty if you're storing your client ID in plain text in the Command Center - Client Secret environment variable. This variable expects the Azure Key Vault reference, not the secret. For more information, see Use Azure Key Vault secrets in environment variables. |
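
The rules in the table above can be checked before the flows are restarted. The following Python check is an added example, not part of the CoE Starter Kit: the function name and sample values are constructed, and the Key Vault reference pattern assumes the reference is an Azure resource path of the form `/subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/.../secrets/...`.

```python
import re

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Assumed shape of an Azure Key Vault secret reference (an Azure resource path).
KV_REF = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+/secrets/[^/]+$", re.I)

ID_VAR = "Command Center - Application Client ID"
SECRET_VAR = "Command Center - Client Secret"
KV_VAR = "Command Center - Client Azure Secret"

def check_command_center_vars(values):
    """Return a list of findings for the three Command Center variables."""
    client_id = values.get(ID_VAR, "").strip()
    secret = values.get(SECRET_VAR, "").strip()
    kv_ref = values.get(KV_VAR, "").strip()
    findings = []
    if client_id and not GUID.match(client_id):
        findings.append(f"{ID_VAR}: not a GUID")
    if secret and kv_ref:
        findings.append("both secret variables are set; leave one empty")
    elif not secret and not kv_ref:
        findings.append("no client secret source is set")
    elif secret:
        findings.append(f"{SECRET_VAR}: secret stored in plain text (not recommended)")
    if kv_ref and not KV_REF.match(kv_ref):
        findings.append(f"{KV_VAR}: expects a Key Vault reference, not the secret value")
    return findings

# Constructed sample values; the GUIDs, vault, and secret names are placeholders.
GOOD = {
    ID_VAR: "11111111-2222-3333-4444-555555555555",
    KV_VAR: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-coe"
            "/providers/Microsoft.KeyVault/vaults/kv-coe/secrets/command-center-secret",
}
BAD = {
    ID_VAR: "CoE Command Center",         # display name pasted instead of the ID
    SECRET_VAR: "constructed-secret-value",
    KV_VAR: "constructed-secret-value",   # raw secret pasted into the reference variable
}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_command_center_vars(sample))
```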
Modify the Command Center app & get Microsoft 365 service messages flow for a GCC High or DoD tenant
Important
If your CoE Starter Kit is installed in a commercial or GCC tenant, you can skip this step.
If your CoE Starter Kit is installed in a GCC High or DoD tenant, update the Authority in HTTP action:
- Go to make.powerautomate.com, select Solutions, and then open the Center of Excellence - Core Components solution to view the flows.
- Edit the Command Center App > Get M365 Service Messages flow.
- Update the List serviceAnnouncements from Graph action and change the Authority to https://login.microsoftonline.us/ for a GCC High or DoD tenant.
- Save this flow.
Set up Audit Logs solution
Note
Only set up the Audit Log solution if you chose cloud flows as the mechanism for inventory and telemetry.
The Audit Log Sync flow connects to the Microsoft 365 audit log to gather telemetry data (unique users and launches) for apps. The CoE Starter Kit works without this flow. However, usage information, such as app launches and unique users, in the Power BI dashboard is blank. For more information, see Set up the audit log.
Set up the Power BI dashboard
The CoE Power BI dashboard provides a holistic view with visualizations and insights into resources in your tenant: environments, apps, Power Automate flows, connectors, connection references, makers, and audit logs. Telemetry from the audit log is stored from the moment you set up the CoE Starter Kit. Over time, you can identify trends longer than 28 days. For more information, see Set up the Power BI dashboard.
Share apps with other admins
The core components solution contains apps designed to give admins better visibility and overview of resources and usage in their environments.
Share these apps with other Power Platform admins and assign them the Power Platform Admin SR security role:
Take a look at the CoE Admin Command Center app, which is your central place to open all CoE Starter Kit apps.
For more information, see Share a canvas app in Power Apps.
Wait for flows to finish
After the sync flows finish running, you're ready to use many of the features of the CoE Starter Kit core solution.
The first run of the inventory can take many hours depending on the number of environments and resources in your tenants. Future runs are faster, because they look at new and modified resources.
To check the status of a flow
Select Admin > Sync Template v4 (Driver).
You see a new tab open to the Flow detail page.
View Runs.
What's next?
- Learn how to regularly upgrade and extend the CoE Starter Kit.
- Check out other components that are part of the core solution, and the governance and nurture solutions.
All environment variables
This section includes the full list of environment variables that affect the inventory sync flows, including environment variables with default values. You might need to update environment variables after you import.
Important
You don't have to change the values during setup. However, you can change an environment variable that you configured during import or when you want to change a default value. To make sure the latest values are picked up, restart all flows after you change environment variables.
Environment variables are used to store application and flow configuration data with data specific to your organization or environment.
Name | Description | Default value |
---|---|---|
Admin eMail | CoE Admin eMail. Email address used in flows to send notifications to admins. This value should be either your email address or a distribution list. | Not applicable |
Admin eMail Preferred Language | The preferred language for the emails sent to the admin email alias, which is specified in the Admin eMail environment variable. | en-US |
Also Delete from CoE | When running the Admin: Sync Template v2 (Check Deleted) flow, delete the items from CoE (yes) or just mark deleted (no). | Yes |
CoE System User ID | In the maker table, we store a user for a system with an ID. Storing the ID here gives you an easy reference, so you don't have to look up the ID often. | Not applicable |
Command Center - Application Client ID | (optional) The application client ID from the Create a Microsoft Entra app registration to connect to Microsoft Graph step. Leave this ID empty if you want to use the Azure Key Vault to store your client ID and secret. | Not applicable |
Command Center - Client Secret | (optional) The application client secret from the Create a Microsoft Entra app registration to connect to Microsoft Graph step. Leave this secret empty if you want to use Azure Key Vault to store your client ID and secret. | Not applicable |
Command Center - Client Azure Secret | The Azure Key Vault reference for the application client secret from the Create a Microsoft Entra app registration to connect to Microsoft Graph step. Leave this secret empty if you want to store your client ID in plain text in the Command Center - Client Secret environment variable. For more information, see Use Azure Key Vault secrets in environment variables. | Not applicable |
CompanyName | The name of the company to be displayed in various apps and emails. Currently, this name is only used by the Video Hub app. | Not applicable |
DelayInventory | If Yes, runs a delay step to assist with the Dataverse load balancing. Only set to No for debugging. | Yes |
DelayObjectInventory | If Yes, runs a delay step in individual inventory flows to assist with data source throttling experienced by larger tenants. Set to Yes if you experience this type of throttling. | No |
Disabled Users are Orphaned | If an AD user has property Account enabled as false, the user is orphaned. | No |
eMail Header Style | The CSS / Style to use for eMails. | Default CSS |
eMail Body Start | Starting HTML format for eMails. | Default style provided |
eMail Body Stop | Ending HTML format for eMails. | Default style provided |
FullInventory | Determines whether you want to update only changed objects or all objects. Switching to Yes causes the flows to inventory every single app, flow, and bot in the tenant every day. The Yes setting isn't recommended for large tenants. | No |
Graph URL Environment Variable | The URL used to connect to Microsoft Graph. For an environment in the commercial cloud: https://graph.microsoft.com/ For a GCC, GCC High, and DoD environment, check Microsoft Graph and Graph Explorer service root endpoints. | Not applicable |
Host Domains | Domains to consider as local for cross domain identity reports. As a comma-separated string: myCo.onmicrosoft.com , partnerCo.onmicrosoft.com | Not applicable |
Individual Admin | Communications in the starter kit are sent to this email address. Communications can't be sent to a group. For more information, see How to communicate with your admins, makers, and users. | Not applicable |
Inventory and Telemetry in Azure Data Storage account | Sets up data export in PPAC with your inventory and telemetry in an Azure Data Storage folder. This variable also represents a Bring your own Datalake / self-serve analytics feature. | No |
InventoryFilter_DaysToLookBack | When not running a full inventory, we filter back a set number of days and see if the object needs to update. | 7 |
is All Environments Inventory | If true (default), the CoE inventory tracks all environments. New environments added to the inventory have their Excuse from Inventory set to false. You can opt out of individual environments. If false, the CoE inventory tracks a subset of environments. New environments added to the inventory have their Excuse from Inventory set to true. You can opt in to individual environments. | Yes |
Power Platform Maker Microsoft 365 Group | Get the ID of the Microsoft 365 group, which contains all your Power Platform makers. With this ID, you can communicate and share apps with makers. This ID is needed for the inventory setup in the Admin > Add Maker to Group flow. For more information, see How to communicate with your admins, makers, and users. | Not applicable |
Power Platform User Microsoft 365 Group | Get the ID of the Microsoft 365 group, which contains all your Power Platform users, such as end users with your shared apps. You use this ID to communicate and share apps with users. For more information, see How to communicate with your admins, makers, and users. | Not applicable |
Power Automate environment variable | The URL used by Power Automate for your cloud. For an environment in the commercial cloud: https://make.powerautomate.com/environments/ For a GCC, GCC High, or DoD environment: Power Automate US government service URLs. | Not applicable |
PowerApp Maker environment variable | The URL used by the Power Apps maker portal for your cloud, including a trailing slash / . For an environment in the commercial cloud: https://make.powerapps.com/ For a GCC, GCC High, or DoD environment: Power Apps US Government service URLs. | Not applicable |
PowerApp Player environment variable | The URL used by the Power Apps player for your cloud, including a trailing slash / . For an environment in the commercial cloud: https://apps.powerapps.com/ For a GCC environment: https://apps.gov.powerapps.us/ For a GCC High environment: https://apps.gov.powerapps.us/ For a DoD environment: https://play.apps.appsplatform.us/ | Not applicable |
ProductionEnvironment | Set to No if you're creating a development/test environment. This variable allows some flows to set target users to the admin instead of resource owners. | Yes |
Sync Flow Errors Delete After X Days | Number of days back to store sync flow error records. Deletes records older than this number of days. | 7 |
TenantID | Your Azure Tenant ID. For more information, see Find Tenant ID through the Azure portal. | Not applicable |
I found a bug with the CoE Starter Kit; where should I go?
To file a bug against the solution, go to aka.ms/coe-starter-kit-issues.