johnjohn123
Super User

Are there any security holes if we create an action inside a cloud flow using the Office 365 service account, which has full permission on the SharePoint site?

We have created a new cloud flow using a service account which has full permission on the SharePoint site (the service account is defined as the site collection admin). The flow does the following:

1) The user enters a new item inside a custom list >> defines the manager inside a field >> saves the form.

2) The flow will run automatically upon creating the item >> the flow will break the item permissions and grant the creator read-only and the manager contribute.

So my question: can the user log in to Power Automate >> create a new flow >> reuse the connection created using the service account and modify the item, even if he only has read permission on it? Is this scenario possible? If the answer is yes, then how can we secure it? I am asking this because when I connected to the SharePoint list inside the cloud flow, the connection got added under the Connections tab, which means it can be re-used by any user (in other words, any user can connect to SharePoint using the service account from a new cloud flow). Am I correct, and is my concern valid?

 

Thanks

v-xiaochen-msft
Community Support

Hi @johnjohn123,

Yes, you are correct. It has security implications, and this cannot be avoided if you add the service account connection to the user's Connections tab.

So if you are concerned about security, you should not create a service account connection in the user's connection list.

The workaround is that you could use the service account connection in your flow if you are the flow developer.

The advantage of this is that you don't need to create a service account connection in the user's connection list, so it cannot be re-used.

[Two screenshots attached: vxiaochenmsft_0-1654569302104.png, vxiaochenmsft_1-1654569347732.png]

Best Regards,

Wearsky
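
A way to check the concern raised in this thread from the admin side, added here as an example and not part of the reply above: the script below uses the Microsoft.PowerApps.Administration.PowerShell module to list every SharePoint connection in an environment that was created with the service account's credentials, and then reports every principal other than the service account that holds a role on it. A connection that only has its creator as Owner is not reusable by other users' flows; any additional principal means it has been shared. The environment name, the service account UPN, and the exact property names on the returned objects (CreatedBy.userPrincipalName, PrincipalEmail, PrincipalDisplayName, PrincipalType, RoleType) are assumptions for this example; adjust them to what your tenant returns.

```powershell
# Added example (not from the thread): find service-account SharePoint connections
# that other principals can reuse. Requires the Microsoft.PowerApps.Administration.PowerShell
# module and a Power Platform admin sign-in. The two values below are placeholders.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount

$EnvironmentName   = 'Default-00000000-0000-0000-0000-000000000000'  # placeholder environment id
$ServiceAccountUpn = 'svc-sharepoint@contoso.example'                 # placeholder service account

# All SharePoint Online connections in the environment (connector name assumed: shared_sharepointonline)
$connections = Get-AdminPowerAppConnection -EnvironmentName $EnvironmentName `
                                           -ConnectorName 'shared_sharepointonline'

$findings = foreach ($c in $connections) {
    # Keep only connections created with the service account's credentials
    # (property path CreatedBy.userPrincipalName is an assumption for this example)
    if ($c.CreatedBy.userPrincipalName -ne $ServiceAccountUpn) { continue }

    $roles = Get-AdminPowerAppConnectionRoleAssignment -EnvironmentName $EnvironmentName `
                                                        -ConnectorName  $c.ConnectorName `
                                                        -ConnectionName $c.ConnectionName

    foreach ($r in $roles) {
        # The creator always holds Owner on its own connection; skip that entry.
        # Anything else (a user, a group, or the whole tenant) means the connection was shared.
        if ($r.PrincipalEmail -and ($r.PrincipalEmail -ieq $ServiceAccountUpn)) { continue }

        [pscustomobject]@{
            Connection    = $c.DisplayName
            ConnectionId  = $c.ConnectionName
            SharedWith    = $r.PrincipalDisplayName
            PrincipalType = $r.PrincipalType   # e.g. User, Group, Tenant
            Role          = $r.RoleType        # e.g. CanUse, CanEdit, Owner
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No service-account SharePoint connections are shared with other principals.'
}
```

Run it with an account that holds a Power Platform administrator role. An empty result means the service account's connections are usable only by the flows that account owns, which is the situation the reply above recommends. One related check worth running alongside it: a flow that is shared with co-owners exposes the connections embedded in that flow to those co-owners for use within the flow, so a flow owned by the service account should not be co-owned by users who must stay read-only on the list.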

johnjohn123
Super User

@v-xiaochen-msft thanks for the reply, but I did not get your point. I did not create or add the service account connection to the user's Connections tab explicitly (I do not even know how to do it). But when I connect to SharePoint inside a Power Automate action, Power Automate automatically creates the connection using the logged-in user (which is the service account that has full permission on the site).

So can this connection be used inside other flows? Can any user connect to the SharePoint list/site using the service account credentials? If this is the case, then for sure I will need to fix it.
