Vidanaw
Helper IV

Create a Flow with Service account

Hi All,

I'm building a Flow as follows.

  1. Flow triggers when an Item is added to the SharePoint online list.
  2. Flow will send approval to the selected manager in the SP list.
  3. Flow will send an email notification to the requester with the approval status.
  4. Update the SP list item with approver approval status.

Can someone please tell me what the best practices are for creating this Flow in the following areas?

1. Flow ownership: is it better to create the MS Flow with a service account (a normal O365 user account with a generic name)?

2. Give the service account Contributor permission to the SP list.

3. If I'm sending email using a shared mailbox, give Send As permission to the service account.

4. If the organization has a 90-day password expiry policy, how will that affect this service account?

 

Thanks.

Accepted Solutions
Pstork1
Most Valuable Professional

1) Using a service account to own Flows is a common best practice in large enterprises because it protects you from issues if the original Maker leaves the company.  But it will cost you an additional license since the service account needs full licensing.

2) In general yes, the service account will need permissions on the list just like a user.  Depending on the trigger there is a way to add the list itself as a RunOnly user.  But that only works for specific triggers.

3) It depends on the email action you use.  Many Flow actions that send email, like the Approval actions, send the email from a Microsoft mailbox and that can't be changed.  For the actions where you can specify the From then yes the account running the Flow must have Send As permissions to the mailbox.

4) I would normally recommend setting up the service account as exempt from the 90-day password change policy. Otherwise someone will need to log in as that account every 90 days and change the password. But remember the Flow runs connections using an OAuth connection. That isn't dependent on the account password until it needs to be renewed.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Thank you  Pstork1.

Hi @Pstork1 ,

Do you have any recommendations on the number of service accounts?

I am trying to build close to 400 flows that commonly use the SharePoint, Outlook and Approval connectors.

Pstork1
Most Valuable Professional

Unless you start running into capacity issues with the number of API calls you are making, you can normally do it with just one account.  I would start there and add a second account if you have to scale up your capacity.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

So as to the number of service accounts. Isn't it a security issue to have a single account having access to many different databases, SharePoint lists, etc.? If for some reason that one account is hacked/used by someone, they have access to a lot of data. On the other hand, as mentioned on this thread, creating a service account for each and every application created is racking up the number of licenses used. There ought to be some middle ground.

Pstork1
Most Valuable Professional

Yes, it would be a concern.  But since it's a service account you would limit the number of people who have access to it and set a very difficult password for it (like a 12-16 character nonsense string).  Then audit access to it and look for potential issues.  If it gets hacked it's a bigger issue, but you can put much more stringent controls and auditing on it than you generally would a normal account.  It's a concern, but not an insurmountable risk.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
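
One way to carry out the auditing suggested in the reply above, as an added example that is not part of the original thread: it scans exported Microsoft Entra sign-in records for the service account and flags successful interactive sign-ins from outside an admin network, plus bursts of failed sign-ins. The account name, network range, thresholds and sample records are constructed assumptions; only the record field names follow the Entra sign-in log schema.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example (none of these values come from the thread).
SERVICE_UPN = "svc-flow@example.com"             # hypothetical service account
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]  # where flow admins sign in from
FAILURE_THRESHOLD = 5                            # this many failed sign-ins ...
FAILURE_WINDOW = timedelta(minutes=10)           # ... inside this window


def _rec(ts, ip, interactive, code=0, upn=SERVICE_UPN):
    """Build one constructed record using Entra sign-in log field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "isInteractive": interactive, "status": {"errorCode": code}}


# Constructed sample data, not real log output.
SAMPLE_SIGNINS = [
    _rec("2024-03-01T09:00:00Z", "203.0.113.10", True),    # admin edits a flow
    _rec("2024-03-01T09:30:00Z", "192.0.2.50", False),     # non-interactive token use
    _rec("2024-03-02T02:14:00Z", "198.51.100.23", True),   # interactive, unknown network
    _rec("2024-03-02T08:00:00Z", "198.51.100.40", True, upn="alice@example.com"),
] + [
    # errorCode 50126: invalid username or password
    _rec(f"2024-03-03T04:0{m}:00Z", "198.51.100.99", True, code=50126)
    for m in range(5)
]


def _ts(rec):
    """Parse the ISO 8601 UTC timestamp of a record."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def audit_service_account(signins, upn=SERVICE_UPN):
    """Return (rule, timestamp, ip) findings for one service account."""
    findings, failures = [], []
    mine = sorted((r for r in signins
                   if r["userPrincipalName"].lower() == upn.lower()), key=_ts)
    for rec in mine:
        succeeded = rec["status"]["errorCode"] == 0
        on_admin_net = any(ip_address(rec["ipAddress"]) in net
                           for net in ADMIN_NETWORKS)
        # Interactive use should only happen when an admin edits a flow or
        # re-authenticates a connection, so anything else deserves a look.
        if rec["isInteractive"] and succeeded and not on_admin_net:
            findings.append(("interactive-signin-outside-admin-network",
                             rec["createdDateTime"], rec["ipAddress"]))
        if not succeeded:
            failures.append(rec)

    # Sliding window over failed sign-ins; report once when the count
    # inside the window first reaches the threshold.
    start = 0
    for end in range(len(failures)):
        while _ts(failures[end]) - _ts(failures[start]) > FAILURE_WINDOW:
            start += 1
        if end - start + 1 == FAILURE_THRESHOLD:
            findings.append(("failed-signin-burst",
                             failures[start]["createdDateTime"],
                             failures[end]["ipAddress"]))
    return findings


if __name__ == "__main__":
    for finding in audit_service_account(SAMPLE_SIGNINS):
        print(finding)
```
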
Anonymous
Not applicable

@Pstork1 @Vidanaw

I have the same requirements as @Vidanaw, where a user can add a new record in a SharePoint list and then manually trigger a flow using a button on the form. The flow sends an email, starts an approval process, then creates a new record in a different list, which the initiating user does not have permission to do, so the flow fails on 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'.

I am new to Power Automate so I am still learning some of the basics.

As I created the flow, the connections are using my Office 365 account so all works OK for me. The flow is also a 'team flow', which I assume lets anyone who has access to the SharePoint list use the flow, but with their account, not mine, which is why the flow fails when it tries to update the SharePoint list.

I've read creating a service account should resolve my issue where users do not have SharePoint permissions for the list that the flow updates. I should give the service account the correct permissions in SharePoint to update the list.

The thing I don't fully understand is how I get the flow to run every time using the service account and not the account of the person who initiates the flow. Any advice to help me understand how to set this up would be much appreciated. Thanks.

Pstork1
Most Valuable Professional

The problem is that flows which are triggered using a button run in the context of the person who presses the button, not the original maker.  Flows that are triggered automatically by an event in the list will run in the context of the maker.  That's why you are getting the access denied error when someone else runs the flow. Creating a flow using a service account won't change that.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Anonymous
Not applicable

@Pstork1 thanks for the quick reply. Any suggestions on how I can resolve my issue without giving all end users edit access to the SharePoint list?

Pstork1
Most Valuable Professional

The easiest way to fix it is to change the trigger.  If the flow is kicked off automatically when the record is created or modified then it will run in the context of the maker.  Then only the maker, or a service account if you use that to make the flow, needs access to the second SharePoint list.  There really is no way to do it if the users start the flow themselves.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

@Anonymous like @Pstork1 mentioned, you have to change the trigger, which you can easily do based on the Form submission.

Anonymous
Not applicable

@Vidanaw @Pstork1 thanks for your feedback. I've split my flow into 2, the first being triggered from the pushbutton and the second is triggered on new / change of record. All seems to work ok now. thanks.

SA3
New Member

What is the recommendation around MFA for these service accounts?

Pstork1
Most Valuable Professional

Since security is actually based on OAuth I don't think it really matters.  The only point where MFA will enter into it is when you log in as the Service Account to edit the flow.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

We've set a conditional access policy requiring MFA after 24h, so we're experiencing problems with users having to log in to continue their Flows and Power BI data refreshes. Creating a service account for these apps with MFA would result in the same problem, as the token keeps expiring. Is there any other way to keep a service account with MFA, or make it more secure in another way?

Anonymous
Not applicable

Would Power Automate service account password rotation break the workflows? If so, how can we address the issue and have password rotation in place? Also, can the service account be replaced by Managed Identities?

Pstork1
Most Valuable Professional

Every time your service account resets its password you will need to re-authenticate each connection using that account.  I have not found a way to do that programmatically.  Nor do I think you can use managed Identities at this point to authenticate connections.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Anonymous
Not applicable

Hoping you can have a look at my post here:

https://powerusers.microsoft.com/t5/General-Power-Automate/Service-Accounts-and-Dashboard-Alerts/m-p...

 

Service Accounts and Dashboard Alerts

 

Thx
