Vidanaw
Helper IV

Create a Flow with Service account

Hi All,

I'm building a Flow as follows.

  1. Flow triggers when an Item is added to the SharePoint online list.
  2. Flow will send approval to the selected manager in the SP list.
  3. Flow will send an email notification to the requester with the approval status.
  4. Update the SP list item with approver approval status.

Can someone please tell me what the best practices are for creating this Flow in the following areas?

1. Flow ownership: is it better to create the MS Flow with a service account (a normal O365 user account with a generic name)?

2. Give the service account contributor permission to the SP list.

3. If I'm sending email using a shared mailbox, give Send As permission to the service account.

4. If the organization has a 90-day password expiry policy, how will that affect this service account?

Thanks.

Accepted Solutions
Pstork1
Multi Super User

1) Using a service account to own Flows is a common best practice in large enterprises because it protects you from issues if the original Maker leaves the company.  But it will cost you an additional license since the service account needs full licensing.

2) In general yes, the service account will need permissions on the list just like a user.  Depending on the trigger there is a way to add the list itself as a RunOnly user.  But that only works for specific triggers.

3) It depends on the email action you use.  Many Flow actions that send email, like the Approval actions, send the email from a Microsoft mailbox and that can't be changed.  For the actions where you can specify the From then yes the account running the Flow must have Send As permissions to the mailbox.

4) I would normally recommend setting up the service account as exempt from the 90-day password change policy. Otherwise someone will need to log in as that account every 90 days and change the password. But remember the Flow runs connections using an OAuth connection. That isn't dependent on the account password until it needs to be renewed.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.


Thank you  Pstork1.

Hi @Pstork1 ,

Do you have any recommendations on the number of service accounts?

I am trying to build close to 400 flows that commonly use the SharePoint, Outlook and Approval connectors.

Pstork1
Multi Super User

Unless you start running into capacity issues with the number of API calls you are making, you can normally do it with just one account.  I would start there and add a second account if you have to scale up your capacity.




So as to the number of service accounts.  Isn't it a security issue to have a single account having access to many different databases, SharePoint lists, etc.?  If for some reason that one account is hacked/used by someone they have access to a lot of data.  On the other hand, as mentioned on this thread, creating a service account for each and every application created is racking up the number of licenses used.   There ought to be some middle ground.

Yes, it would be a concern.  But since it's a service account you would limit the number of people who have access to it and set a very difficult password for it (like a 12-16 character nonsense string).  Then audit access to it and look for potential issues.  If it gets hacked it's a bigger issue, but you can put much more stringent controls and auditing on it than you generally would a normal account.  It's a concern, but not an insurmountable risk.



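The auditing suggested in the reply above, as an added example that is not part of the original thread or any poster's code: it scans an exported sign-in log for the shared service account and flags interactive logins from outside the admin network, use of unexpected applications, and repeated failures from one address. The account name, networks, application names, threshold and sample records are all constructed assumptions; the record field names follow the Microsoft Graph signIn resource.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed, hypothetical values: replace with your tenant's own.
SERVICE_ACCOUNT = "svc-flow@contoso.example"
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]  # where owners edit flows from
EXPECTED_APPS = {"Power Automate", "SharePoint Online", "Exchange Online"}
FAILURE_THRESHOLD = 3  # failed sign-ins from one IP before it is reported


def _rec(id_, upn, ip, interactive, error, app):
    """Build one constructed record using Graph signIn field names."""
    return {"id": id_, "userPrincipalName": upn, "ipAddress": ip,
            "isInteractive": interactive, "status": {"errorCode": error},
            "appDisplayName": app}


# Constructed sample export; none of these records come from a real tenant.
SAMPLE_LOG = json.dumps([
    _rec("s1", SERVICE_ACCOUNT, "203.0.113.10", True, 0, "Power Automate"),
    _rec("s2", SERVICE_ACCOUNT, "198.51.100.7", True, 0, "Power Automate"),
    _rec("s3", SERVICE_ACCOUNT, "203.0.113.10", False, 0, "Azure Portal"),
    _rec("s4", SERVICE_ACCOUNT, "192.0.2.44", True, 50126, "Power Automate"),
    _rec("s5", SERVICE_ACCOUNT, "192.0.2.44", True, 50126, "Power Automate"),
    _rec("s6", SERVICE_ACCOUNT, "192.0.2.44", True, 50126, "Power Automate"),
    _rec("s7", "alice@contoso.example", "198.51.100.7", True, 0, "Azure Portal"),
])


def audit_signins(raw_json):
    """Return (finding, subject) tuples for the service account's sign-ins."""
    findings, failures = [], Counter()
    for rec in json.loads(raw_json):
        if rec["userPrincipalName"].lower() != SERVICE_ACCOUNT:
            continue  # other users are out of scope for this check
        if rec["status"]["errorCode"] != 0:
            failures[rec["ipAddress"]] += 1  # tallied, reported after the loop
            continue
        ip = ip_address(rec["ipAddress"])
        trusted = any(ip in net for net in ADMIN_NETWORKS)
        # Someone typed the password: only expected when owners edit flows
        # or re-authenticate connections, and then from the admin network.
        if rec["isInteractive"] and not trusted:
            findings.append(("interactive-untrusted-ip", rec["id"]))
        if rec["appDisplayName"] not in EXPECTED_APPS:
            findings.append(("unexpected-app", rec["id"]))
    for ip, count in sorted(failures.items()):
        if count >= FAILURE_THRESHOLD:
            findings.append(("repeated-failures", ip))
    return findings


if __name__ == "__main__":
    for finding in audit_signins(SAMPLE_LOG):
        print(finding)
```
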

@Pstork1 @Vidanaw

I have the same requirements as @Vidanaw, where a user can add a new record in a SharePoint list and then manually trigger a flow using a button on the form. The flow sends an email, starts an approval process, then creates a new record in a different list, which the initiating user does not have permission to do, so the flow fails on 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'.

I am new to Power Automate so I am still learning some of the basics.

As I created the flow, the connections are using my Office 365 account so all works OK for me. The flow is also a 'team flow', which I assume lets anyone who has access to the SharePoint list use the flow, but with their account, not mine, which is why the flow fails when it tries to update the SharePoint list.

I've read that creating a service account should resolve my issue where users do not have SharePoint permissions for the list that the flow updates. I should give the service account the correct permissions in SharePoint to update the list.

The thing I don't fully understand is how I get the flow to run every time using the service account and not the account of the person who initiates the flow. Any advice to help me understand how to set this up would be much appreciated. Thanks.

The problem is that flows which are triggered using a button run in the context of the person who presses the button, not the original maker.  Flows that are triggered automatically by an event in the list will run in the context of the maker.  That's why you are getting the access denied error when someone else runs the flow. Creating a flow using a service account won't change that.




@Pstork1 thanks for the quick reply. Any suggestions on how I can resolve my issue without giving all end users edit access to the SharePoint list?

The easiest way to fix it is to change the trigger.  If the flow is kicked off automatically when the record is created or modified then it will run in the context of the maker.  Then only the maker, or a service account if you use that to make the flow, needs access to the second SharePoint list.  There really is no way to do it if the users start the flow themselves.




@stujol80 like @Pstork1 mentioned, you have to change the trigger, which can easily be done based on the Form submission.

@Vidanaw @Pstork1 thanks for your feedback. I've split my flow into 2, the first being triggered from the pushbutton and the second triggered on new / change of record. All seems to work OK now. Thanks.

SA3
New Member

What is the recommendation around MFA for these service accounts?

Pstork1
Multi Super User

Since security is actually based on OAuth I don't think it really matters.  The only point where MFA will enter into it is when you log in as the Service Account to edit the flow.




We've set a conditional access policy requiring MFA after 24h, so we're experiencing problems with users having to log in to continue their Flows and Power BI data refreshes. Creating a service account for these apps with MFA would result in the same problem, as the token keeps expiring. Is there any other way to keep a service account with MFA, or make it more secure in another way?

Anonymous
Not applicable

Would Power Automate service account password rotation break the workflows? If so, how can we address the issue and have password rotation in place? Also, can the service account be replaced by Managed Identities?

Every time your service account resets its password you will need to re-authenticate each connection using that account.  I have not found a way to do that programmatically.  Nor do I think you can use managed Identities at this point to authenticate connections.



Anonymous
Not applicable

Hoping you can have a look at my post here:

https://powerusers.microsoft.com/t5/General-Power-Automate/Service-Accounts-and-Dashboard-Alerts/m-p...

 

Thx
