cancel
Showing results for 
Search instead for 
Did you mean: 
Reply

Create a Flow with Service account

Hi All,

I m building a Flow as follows.

  1. Flow triggers when an Item is added to the SharePoint online list.
  2. Flow will send approval to the selected manager in the SP list.
  3. Flow will send an email notification to the requester with the approval status.
  4. Update the SP list item with approver approval status.

Can someone please tell me what are the best practice of creating this Flow based on the following areas. 

1. Flow ownership is it better to create MS FLow with a service account ( normal O365 user account with a generic name)

2. Give Service account contributor permission to the SP list.

3. If I m sending email using a shared mailbox, give send as permission to the service account.

4. If the organization has 90 days password expiry policy, how that will affects on this service account.

 

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Pstork1
Most Valuable Professional
Most Valuable Professional

1) using a service account to won Flows is a common best practice in large enterprises because it protects you from issues if the original Maker leaves the company.  But it will cost you an additional license since the service account needs full licensing.

2) In general yes, the service account will need permissions on the list just like a user.  Depending on the trigger there is a way to add the list itself as a RunOnly user.  But that only works for specific triggers.

3) It depends on the email action you use.  Many Flow actions that send email, like the Approval actions, send the email from a Microsoft mailbox and that can't be changed.  For the actions where you can specify the From then yes the account running the Flow must have Send As permissions to the mailbox.

4) I would normally recommend setting up the service account as exempt from the 90 day password change policy. Otherwise someone will need to login as that account every 90 days and change the password. But remember the Flow runs connections using an OAUTH connection. That isn't dependent on the account password until it needs to be renewed.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

View solution in original post

18 REPLIES 18
Pstork1
Most Valuable Professional
Most Valuable Professional

1) using a service account to won Flows is a common best practice in large enterprises because it protects you from issues if the original Maker leaves the company.  But it will cost you an additional license since the service account needs full licensing.

2) In general yes, the service account will need permissions on the list just like a user.  Depending on the trigger there is a way to add the list itself as a RunOnly user.  But that only works for specific triggers.

3) It depends on the email action you use.  Many Flow actions that send email, like the Approval actions, send the email from a Microsoft mailbox and that can't be changed.  For the actions where you can specify the From then yes the account running the Flow must have Send As permissions to the mailbox.

4) I would normally recommend setting up the service account as exempt from the 90 day password change policy. Otherwise someone will need to login as that account every 90 days and change the password. But remember the Flow runs connections using an OAUTH connection. That isn't dependent on the account password until it needs to be renewed.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Thank you  Pstork1.

Hi @Pstork1 ,

Do you have any recommendations on number of service accounts.

I am trying to build close to 400 flows uses commonly Sharepoint,outlook and Approval connectors.

Pstork1
Most Valuable Professional
Most Valuable Professional

Unless you start running into capacity issues with the number of API calls you are making, you can normally do it with just one account.  I would start there and add a second account if you have to scale up your capacity.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

So as to the number of service accounts.  Isn't it a security issue to have a single account having access to many different databases, SharePoint lists, etc.?  If for some reason that one account is hacked/used by someone they have access to a lot of data.  On the other hand as mentioned on this thread, creating a service account for each and ever application created is racking up the number of licenses used.   There ought to be some middle ground.

Pstork1
Most Valuable Professional
Most Valuable Professional

Yes, it would be a concern.  But since its a service account you would limit the number of people who have access to it and set a very difficult password for it (like a 12-16 character nonsense string).  Then audit access to it and look for potential issues.  IF it gets hacked its a bigger issue, but you can put much more stringent controls and auditing on it than you generally would a normal account.  Its a concern, but not an insurmountable risk.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Anonymous
Not applicable

@Pstork1 @Vidanaw 

 

I have the same requirements as @Vidanaw where a user can add a new record in a Sharepoint list and then manually triggers a flow using a button on the form. The flow sends an email, starts an approval process, then creates a new record in a different list which the initiating user does not have permissions to do so, so the flow fails on 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'.

 

I am new to power automate so are still learning some of the basics.

 

As i created the flow, the connections are using my office365 account so all works ok for me. The flow is also a 'team flow' which i assume lets anyone who has access to the Sharepoint list use the flow, but with their account, not mine, which is why the flow fails when it tries to update the sharepoint list.

 

I've read creating a service account should resolve my issue where users do not have sharepoint permissions for the list that the flow updates. I should give the service account the correct permissions in sharepoint to update the list.

 

The thing i don't fully understand, is how i get the flow to run every time using the service account and not the account of the person who initiates the flow? Any advice to help me understand how to setup would be much appreciated. thanks.

 

 

flow1.jpg

 
 

 

 

 

Pstork1
Most Valuable Professional
Most Valuable Professional

The problem is that flows which are triggered using a button run in the context of the person who presses the button, not the original maker.  Flows that are triggered automatically by an event in the list will run in the context of the maker.  That's why you are getting the access denied error when someone else runs the flow. Creating a flow using a service account won't change that.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Anonymous
Not applicable

@Pstork1 thanks for the quick reply, any suggestions on how i can resolve my issue? without given all end users edit access to the sharepoint list?

Pstork1
Most Valuable Professional
Most Valuable Professional

The easiest way to fix it is to change the trigger.  If the flow is kicked off automatically when the record is created or modified then it will run in the context of the maker.  Then only the maker, or a service account if you use that to make the flow, needs access to the second SharePoint list.  There really is no way to do it if the user's start the flow themselves.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

@Anonymous like @Pstork1 mentioned you have to change the trigger which you can easily done based on the Form submission. 

Anonymous
Not applicable

@Vidanaw @Pstork1 thanks for your feedback. I've split my flow into 2, the first being triggered from the pushbutton and the second is triggered on new / change of record. All seems to work ok now. thanks.

SA3
New Member

what is the recommendation around MFA for these service accounts? 

Pstork1
Most Valuable Professional
Most Valuable Professional

Since security is actually based on OAuth I don't think it really matters.  The only point where MFA will enter into it is when you log in as the Service Account to edit the flow.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

We've set a conditional access policy requiring MFA after 24h, so we're experiencing problems with users having to login to continue their Flows and Power BI data refreshes. Creating a service account for these apps with MFA would result in the same problem, as the token keeps expiring. Is there any other way to keep a service account with MFA, or make it more secure in another way?

Anonymous
Not applicable

would PowerAutomate Service Account Password rotation break the work flows if so how can we address the issue and have password rotation in place? Also can Service Account be replaced by Managed Identities?

Pstork1
Most Valuable Professional
Most Valuable Professional

Every time your service account resets its password you will need to re-authenticate each connection using that account.  I have not found a way to do that programmatically.  Nor do I think you can use managed Identities at this point to authenticate connections.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Anonymous
Not applicable

Hoping you can have a look at my post here:

https://powerusers.microsoft.com/t5/General-Power-Automate/Service-Accounts-and-Dashboard-Alerts/m-p...

 

Service Accounts and Dashboard Alerts

 

Thx

Helpful resources

Announcements

Community will be READ ONLY July 16th, 5p PDT -July 22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Check Out | 2024 Release Wave 2 Plans for Microsoft Dynamics 365 and Microsoft Power Platform

On July 16, 2024, we published the 2024 release wave 2 plans for Microsoft Dynamics 365 and Microsoft Power Platform. These plans are a compilation of the new capabilities planned to be released between October 2024 to March 2025. This release introduces a wealth of new features designed to enhance customer understanding and improve overall user experience, showcasing our dedication to driving digital transformation for our customers and partners.    The upcoming wave is centered around utilizing advanced AI and Microsoft Copilot technologies to enhance user productivity and streamline operations across diverse business applications. These enhancements include intelligent automation, AI-powered insights, and immersive user experiences that are designed to break down barriers between data, insights, and individuals. Watch a summary of the release highlights.    Discover the latest features that empower organizations to operate more efficiently and adaptively. From AI-driven sales insights and customer service enhancements to predictive analytics in supply chain management and autonomous financial processes, the new capabilities enable businesses to proactively address challenges and capitalize on opportunities.    

Summer of Solutions | Week 3 Results | Win free tickets to the Power Platform Conference

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Community MembersNumber SolutionsSuper UsersNumber Solutions Deenuji 9 @NathanAlvares24  17 @Anil_g  7 @ManishSolanki  13 @eetuRobo  5 @David_MA  10 @VishnuReddy1997  5 @SpongYe  9JhonatanOB19932 (tie) @Nived_Nambiar  8 @maltie  2 (tie)   @PA-Noob  2 (tie)   @LukeMcG  2 (tie)   @tgut03  2 (tie)       Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 2: Community MembersSolutionsSuper UsersSolutionsPower Automate  @Deenuji  12@ManishSolanki 19 @Anil_g  10 @NathanAlvares24  17 @VishnuReddy1997  6 @Expiscornovus  10 @Tjan  5 @Nived_Nambiar  10 @eetuRobo  3 @SudeepGhatakNZ 8     Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 3:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji32ManishSolanki55VishnuReddy199724NathanAlvares2444Anil_g22SudeepGhatakNZ40eetuRobo18Nived_Nambiar28Tjan8David_MA22  

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Users online (4,236)