cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
dgillespie
Advocate II
Advocate II

Flow Ownership and SharePoint - Best practices

‎10-23-2017 10:59 AM

Just getting started with Flow in our company and before a few of us make a ton of them, I'd like to know the best practices when it comes to SharePoint.  A typical scenario would be:

  1. UserA makes a flow which requires certain permissions on SP doc libraries and lists
  2. UserA leaves company
  3. Ownership of flow changes to new hire UserB
  4. Flow won't run because of permissions

So UserB will not always get the same permissions that UserA had.  What are the best practices then?

  • create an office 365 account just for making flows?  This user would have to have a lot of SP permissions then!
  • redo the flows with UserB in mind?

Thanks for you help!

Labels:
Message 1 of 15
36,928 Views
1 ACCEPTED SOLUTION

Accepted Solutions
dgillespie
Advocate II
Advocate II

‎11-03-2017 08:06 AM

Thanks everyone for your replies.

 

Here is what we settled with: I created a Flow Admin account and assigned it a Business Premium license.  UserA creates the flow and adds me as an Owner.  I assign the Flow Admin permissions to that SP site/library.  Finally, I add the Flow Admin as an owner to the Flow and change the SP credentials on the Flow to the Flow Admins.

View solution in original post

Message 9 of 15
40,387 Views
14 REPLIES 14
v-monli-msft
Community Support
Community Support

‎10-25-2017 02:19 AM

Hi @dgillespie,

 

It seems that there is no easy way to solve this issue. The 2 ways you told are all the way I could think of to solve this. I think the first one would be the better way as this will avoid the following issue that if UserB also left later.

 

Sorry for the inconvenience.

 

Regards,

Mona

Community Support Team _ Mona Li
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 15
36,907 Views
sergeluca
MVP

‎10-25-2017 06:38 AM

we create a dedicated account (we call that a "Flow service account")

 

Message 3 of 15
36,901 Views
Mike2500
Impactful Individual
Impactful Individual

‎10-25-2017 10:54 AM

Permissions in SharePoint are often handled via groups. In that case, if UserB is simply put into the same groups as UserA, then the transfer should work fine. If UserB shouldn't have the same permissions as UserA, then why are they getting the ownership of the Flow? Perhaps the concern is that there are multliple flows, at which point each flow should be reviewed to determine if it should be kept or transferred. Of course, this is a huge challenge as there's no way to know which flows are the mission critical flows vs flows that were created as an experiment, unless each flow is reviewed by a knowledgable user.

 

It's been mentioned here and elsewhere to use a service account. This sounds good, but there seems to be a lot of permissions issues with this:

 

1. Do we give users the username/pwd of the service account? I hope not, as this would violate best practices for accounts

2. Do we have an admin switch the connections to use the service account? Sounds good, but then the user could go back, modify the flow, and via that connection they then have access to content in libraries they normally wouldn't have access.

 

Or, perhaps having to do anything means that the IT dept has already failed, as perhaps mission critical flows should have been recreated as a logic app and deployed to Azure, which brings other benefits such as proper source control.

Message 4 of 15
36,894 Views
dgillespie
Advocate II
Advocate II
In response to sergeluca

‎10-25-2017 11:03 AM

Thank you for the reply.  There may be an issue with logging in as the Service Account to create the flows.

 

So the administration may look like this?

  1. Flow Service account, UserA, UserB are all in same SP group
  2. FlowA is created by UserA and also owned by Flow Service Account and UserB
  3. UserA leaves and his/her account is deleted
  4. FlowA still works?
Message 5 of 15
36,887 Views
0 Kudos
Mike2500
Impactful Individual
Impactful Individual
In response to dgillespie

‎10-25-2017 11:13 AM

My understanding is that the flow will still run. (this is pretty critical info, I wish the docs were clear). However: if the workflow connected to a SharePoint list, for example, then the flow will have a data connection for that list. If the data connection is using UserA's credentials, then the flow will fail because UserA no longer has permission to the SharePoint list.

 

So there are two questions:

1. who owns the flow?

2. what accounts are used in the data connections in the flow?

 

#1 Doesn't seem to be the critical piece, as again, I think the flow will still run even if the owner left. We just need to transfer ownership for maintenance reasons. (please double-check me on this).

#2 is critical, as if a user's account is disabled/deleted, then any data connection using that account should immediately fail the very next time the flow is run. (At which point, a different owner will need to sign in to flow and modify the data connections to use a different account).

 

So in your scenario, there's not enough info to know if the flow will work. It's my understanding that the flow will try to run, but if UserA created a connection using their own credentials, then the flow will fail on that step due to their account being disabled/deleted.

 

So, another scenario is that UserA could create a flow, and then when connecting to a SharePoint list in the flow, they could use the credentials of a service account. When UserA left, the flow would continue to run, as the credentials for the list are still good. (But again, giving users a username/password of a different account is not a best practice)

Message 6 of 15
36,882 Views
dgillespie
Advocate II
Advocate II
In response to Mike2500

‎10-25-2017 11:22 AM

Yes, Mike, this gets to the detail of the issue: what account to use for the SP connector?  Using the Flow Service account seems to be the best practice but you are right about sharing credentials; also, the user would always have to make sure he/she was logged in as the Flow Service Account. 

 

Either way, it seems like a lot of manual administration here: keeping track of who has access to the Flow Service Account, changing the password when a member user left, and what about setting up a Flow Service account per dept.?

Message 7 of 15
36,873 Views
0 Kudos
Mike2500
Impactful Individual
Impactful Individual
In response to dgillespie

‎10-25-2017 11:37 AM

The user doesn't have to be logged in as that account, per se, as they can specify whichever credentials when they create the data connection. So, UserA logs into Flow.microsoft.com, and they create a flow (which means that UserA is the Owner).When they connect to SharePoint, the connection might default to use their account, but they could just click a little drop-down menu and select to use a different set of credentials, at which point they could enter the username/pwd of the service account.

 

I certainly agree that any system is going to be a hassle. Even having a service account isn't necessarily better than just having the new owner sign in and update the credentials. The non-service account method also has the benefit of getting someone from the dept to look at the flows and get rid of unnecessary ones. While flows that use service accounts will always run successfully, the downside is that they will keep running successfully for years, even when they're no longer needed or useful.

 

In my first reply, I mentioned logic apps. To bring that subject up again, if you check out Microsoft's guidance around this, they clearly state that Flow is for "Self-service", while Logic Apps are for "Mission Critical" scenarios.  And, one can take an existing flow, export it as a logic app and then import it into the azure service.

 

So, perhaps the workable scenario is that UserA leaves, and ManagerA compains that UserA's flow is failing. IT then converts UserA's flow to a Logic App and configures it to run via a service account. No further issues are experienced with that particular flow.

 

After all, another scenario is that ownership is given to UserB, who goes to update the Flow, but doesn't really know how to use flow, and in the process they break the flow. Since Flow has no undo capabilities and no version history, UserB calls IT and asks them to rebuild the flow, despite the fact there is no documentation and no one else really knew exactly what it did. Both ManagerA and UserB then spend the next 6 months compaining that IT isn't very helpful.

Message 8 of 15
36,869 Views
dgillespie
Advocate II
Advocate II

‎11-03-2017 08:06 AM

Thanks everyone for your replies.

 

Here is what we settled with: I created a Flow Admin account and assigned it a Business Premium license.  UserA creates the flow and adds me as an Owner.  I assign the Flow Admin permissions to that SP site/library.  Finally, I add the Flow Admin as an owner to the Flow and change the SP credentials on the Flow to the Flow Admins.

Message 9 of 15
40,388 Views
anka
Helper II
Helper II
In response to dgillespie

‎02-07-2019 03:31 PM

Question- We have a Flow that sends outbound emails using the account of the user who created the flow. What would happen if the person leaves the organization, how will the outbound emails o when the mailbox is no longer active? I know that in the 'Send Email' action a "From" account can be specified for sending an email, but is it a good practice to do so or should we have a dedicated account(with an attached mailbox) for flows?

 

The information I am seeking- 

 

1. In terms of best practice, should we be creating a dedicated service account for flows? If yes, should the flows created by users be shared with this service account so they can be managed using one account?

2. What license should be assigned to the service account, E3 or E5?

3.  Should this account be assigned the global admin privileges?

 

Thank you.

Message 10 of 15
30,659 Views
0 Kudos
andeeh1974
Frequent Visitor

‎03-21-2019 05:35 AM

Has anyone from Microsoft replied to this thread?   Some clarity on what options we have in Flow would be helpful 

 

We have items that are created by UserA but then when the flow runs, it shows modified by FlowUser.  

 

Really what I would want is the flow to keep the original created by user as the modified by user.  

 

Message 11 of 15
29,652 Views
DeeTronSEAM
Kudo Collector
Kudo Collector
In response to andeeh1974

‎05-01-2019 09:25 AM

@andeeh1974,  I wholeheartedly agree that clarification from Microsoft on user accounts would be VERY helpful (either here or in the docs....though from the PowerApps learning-curve I've pretty much given up on my old-school mindset that official docs will ever again be up-to-date. Time and tech marches on!).

 

Yo, Microsoftians!
Specifically tricky is dealing with automation flows that use the O365 User connector/object and the Outlook.com connector.    All my years of using service accounts as Best Practice seem meaningless for Flow.  If, as another commented, that MS's perspective is that Flow is for "self-service" and we need to use Azure Logic Apps for enterprise-managed automation/workflows, it would be nice for them to be more explicit about that.  In my opinion their Flow demos sure fail to make that distinction.  If Flow is simply an MS-flavored answer to IFTTT, so be it (just say so).  But I'm still hoping it is the powerful enterprise-grade automation tool our organization needs (and which our IT team needs to be able to manage).

I hate to hear myself saying this, but SharePoint Designer (FOR Christ's sake!) was clearer and more capable (it seems) for handling user impersonation/user-context-switching.  I'm sure hoping that impression is wrong.  I know many things in PowerApps that were impossible a year ago now are possible...yet remain widely discussed online as if the old was still current.  It isn't that the official docs are not kept updated...it's just that they are too sparse in their details regarding real-world usage.  PowerApps and Flow would be impossible to learn, IMO, if not for these forums and other community-generated content (shout out to Shane Young!).


Message 12 of 15
28,561 Views
DanyElHoyek
Advocate IV
Advocate IV

‎03-09-2020 10:31 AM

What are you using as Names for the service accounts?

Message 13 of 15
15,621 Views
0 Kudos
Anonymous
Not applicable

‎04-20-2020 05:26 AM

I have the same question - as it is an old post, is it the same solution today?  

 

If someone could point me in the direction to how i can identify which part of the flow is linked to a spesific useraccount i would appreciate it.

 

We have the case where a creator quit the company, the flow was moved to a new owner, but it does not run. And i am finding it hard to shift the ownership within the flow. 

 

 

Message 14 of 15
14,604 Views
0 Kudos
DeeTronSEAM
Kudo Collector
Kudo Collector
In response to Anonymous

‎04-21-2020 07:22 AM

Yes, @Anonymous , you need to go through the flow and look at each action that has a user-based connection (e.g. newer SQL Server connections, O365 actions such as Send Email, Word Online, OneDrive) and select a new connection which is using a current user (ideally a service account instead of an actual user's account).  This is done using the ellipses on the right side of the actions in Flow.  Here is a thread that provides some screenshots and better detail:  https://powerusers.microsoft.com/t5/General-Power-Automate/Need-to-use-another-User-s-connections-on-a-Flow/m-p/509441#M47881

Message 15 of 15
14,552 Views
0 Kudos

Helpful resources

Announcements
Announcement image

Announcing the MPPC's Got Power Talent Show at #MPPC23

Are you attending the Microsoft Power Platform Conference 2023 in Las Vegas? If so, we invite you to join us for the MPPC's Got Power Talent Show!      Our talent show is more than a show—it's a grand celebration of connection, inspiration, and shared journeys. Through stories, skills, and collective experiences, we come together to uplift, inspire, and revel in the magic of our community's diverse talents. This year, our talent event promises to be an unforgettable experience, echoing louder and brighter than anything you've seen before.    We're casting a wider net with three captivating categories:  Demo Technical Solutions: Show us your Power Platform innovations, be it apps, flows, chatbots, websites or dashboards... Storytelling: Share tales of your journey with Power Platform. Hidden Talents: Unveil your creative side—be it dancing, singing, rapping, poetry, or comedy. Let your talent shine!    Got That Special Spark? A Story That Demands to Be Heard? Your moment is now!  Sign up to Showcase Your Brilliance: https://aka.ms/MPPCGotPowerSignUp  Deadline for submissions: Thursday, Sept 28th    How It Works:  Submit this form to sign up: https://aka.ms/MPPCGotPowerSignUp  We'll contact you if you're selected. Get ready to be onstage!  The Spotlight is Yours: Each participant has 3-5 minutes to shine, with insightful commentary from our panel of judges. We’re not just giving you a stage; we’re handing you the platform to make your mark.     Be the Story We Tell: Your talents and narratives will not just entertain but inspire, serving as the bedrock for our community’s future stories and successes.    Celebration, Surprises, and Connections: As the curtain falls, the excitement continues! Await surprise awards and seize the chance to mingle with industry experts, Microsoft Power Platform leaders, and community luminaries. It's not just a show; it's an opportunity to forge connections and celebrate shared successes.    Event Details:  Date and Time: Wed Oct 4th, 6:30-9:00PM   Location: MPPC23 at the MGM Grand, Las Vegas, NV, USA  

Announcement image

September User Group Success Story: Reading Dynamics 365 & Power Platform User Group

The Reading Dynamics 365 and Power Platform User Group is a community-driven initiative that started in September 2022. It has quickly earned recognition for its enthusiastic leadership and resilience in the face of challenges. With a focus on promoting learning and networking among professionals in the Dynamics 365 and Power Platform ecosystem, the group has grown steadily and gained a reputation for its commitment to its members!   The group, which had its inaugural event in January 2023 at the Microsoft UK Headquarters in Reading, has since organized three successful gatherings, including a recent social lunch. They maintain a regular schedule of four events per year, each attended by an average of 20-25 enthusiastic participants who enjoy engaging talks and, of course, pizza.   The Reading User Group's presence is primarily spread through LinkedIn and Meetup, with the support of the wider community. This thriving community is managed by a dedicated team consisting of Fraser Dear, Tim Leung, and Andrew Bibby, who serves as the main point of contact for the UK Dynamics 365 and Power Platform User Groups.   Andrew Bibby, an active figure in the Dynamics 365 and Power Platform community, nominated this group due to his admiration for the Reading UK User Group's efforts. He emphasized their remarkable enthusiasm and success in running the group, noting that they navigated challenges such as finding venues with resilience and smiles on their faces. Despite being a relatively new group with 20-30 members, they have managed to achieve high attendance at their meetings.   The group's journey began when Fraser Dear moved to the Reading area and realized the absence of a user group catering to professionals in the Dynamics 365 and Power Platform space. He reached out to Andrew, who provided valuable guidance and support, allowing the Reading User Group to officially join the UK Dynamics 365 and Power Platform User Groups community.   One of the group's notable achievements was overcoming the challenge of finding a suitable venue. Initially, their "home" was the Microsoft UK HQ in Reading. However, due to office closures, they had to seek a new location with limited time. Fortunately, a connection with Stephanie Stacey from Microsoft led them to Reading College and its Institute of Technology. The college generously offered them event space and support, forging a mutually beneficial partnership where the group promotes the Institute and encourages its members to support the next generation of IT professionals.   With the dedication of its leadership team, the Reading Dynamics 365 and Power Platform User Group is poised to continue growing and thriving! Their story exemplifies the power of community-driven initiatives and the positive impact they can have on professional development and networking in the tech industry. As they move forward with their upcoming events and collaborations with Reading College, the group is likely to remain a valuable resource for professionals in the Reading area and beyond.  

Announcement image

A Celebration of What We've Achieved--And Announcing Our Winners

As the sun sets on the #SummerofSolutions Challenge, it's time to reflect and celebrate! The journey we embarked upon together was not just about providing answers – it was about fostering a sense of community, encouraging collaboration, and unlocking the true potential of the Power Platform tools.   From the initial announcement to the final week's push, the Summer of Solutions Challenge has been a whirlwind of engagement and growth. It was a call to action for every member of our Power Platform community, urging them to contribute their expertise, engage in discussions, and elevate collective knowledge across the community as part of the low-code revolution.   Reflecting on the Impact As the challenge ends, it's essential to reflect on the impact it’s had across our Power Platform communities: Community Resilience: The challenge demonstrated the resilience of our community. Despite geographical distances and diverse backgrounds, we came together to contribute, learn, and collaborate. This resilience is the cornerstone of our collective strength.Diverse Expertise: The solutions shared during the challenge underscore the incredible expertise within our community. From intricate technical insights to creative problem-solving, our members showcased their diverse skill sets, enhancing our community's depth.Shared Learning: Solutions spurred shared learning. They provided opportunities for members to grasp new concepts, expand their horizons, and uncover the Power Platform tools' untapped potential. This learning ripple effect will continue to shape our growth. Empowerment: Solutions empowered community members. They validated their knowledge, boosted their confidence, and highlighted their contributions. Each solution shared was a step towards personal and communal empowerment. We are proud and thankful as we conclude the Summer of Solutions Challenge. The challenge showed the potential of teamwork, the benefit of knowledge-sharing, and the resilience of our Power Platform community. The solutions offered by each member are more than just answers; they are the expression of our shared commitment to innovation, growth, and progress!     Drum roll, Please... And now, without further ado, it's time to announce the winners who have risen above the rest in the Summer of Solutions Challenge!   These are the top community users and Super Users who have not only earned recognition but have become beacons of inspiration for us all.   Power Apps Community:  Community User Winner: @SpongYe Super User Winner: Pending Acceptance Power Automate Community:  Community User Winner: @trice602 Super User Winner: @Expiscornovus  Power Virtual Agents Community: Community User Winner: Pending AcceptanceSuper User: Pending Acceptance Power Pages Community: Community User Winner: @OOlashyn Super User Winner: @ChristianAbata   We are also pleased to announced two additional tickets that we are awarding to the Overall Top Solution providers in the following communities:    Power Apps: @LaurensM   Power Automate: @ManishSolanki    Thank you for making this challenge a resounding success. Your participation has reaffirmed the strength of our community and the boundless potential that lies within each of us. Let's keep the spirit of collaboration alive as we continue on this incredible journey in Power Platform together.Winners, we will see you in Vegas! Every other amazing solutions superstar, we will see you in the Community!Congratulations, everyone!

Announcement image

September featured user group leader

 Ayonija Shatakshi, a seasoned senior consultant at Improving, Ohio, is a passionate advocate for M365, SharePoint, Power Platform, and Azure, recognizing how they synergize to deliver top-notch solutions. Recently, we asked Ayonija to share her journey as a user group leader, shedding light on her motivations and the benefits she's reaped from her community involvement.      Ayonija embarked on her role as a user group leader in December 2022, driven by a desire to explore how the community leveraged various Power Platform components. When she couldn't find a suitable local group, she decided to create one herself!    Speaking about the impact of the community on her professional and personal growth, Ayonija says, "It's fascinating to witness how everyone navigates the world of Power Platform, dealing with license constraints and keeping up with new features. There's so much to learn from their experiences.:        Her favorite aspect of being a user group leader is the opportunity to network and engage in face-to-face discussions with fellow enthusiasts, fostering deeper connections within the community. Offering advice to budding user group leaders, Ayonija emphasized the importance of communication and consistency, two pillars that sustain any successful community initiative.      When asked why she encourages others to become user group leaders, Ayonija said, "Being part of a user group is one of the best ways to connect with experienced professionals in the same field and glean knowledge from them. If there isn't a local group, consider starting one; you'll soon find like-minded individuals."      Her highlight from the past year as a user group leader was witnessing consistent growth within the group, a testament to the thriving community she has nurtured. Advocating for user group participation, Ayonija stated, "It's the fastest route to learning from the community, gaining insights, and staying updated on industry trends."   Check out her group: Cleveland Power Platform User Group

Announcement image

An MPPC23 Invitation from Charles Lamanna, CVP of Microsoft Business Applications & Platform

Hear from Corporate Vice President for Microsoft Business Applications & Platform, Charles Lamanna, as he looks ahead to the second annual Microsoft Power Platform Conference from October 3rd-5th 2023 at the MGM Grand in Las Vegas.Have you got your tickets yet? Register today at www.powerplatformconf.com  

Announcement image

August new user groups and September user group events

We wanted to take the time to celebrate and welcome the new user groups that have joined our community. Along with that take a look at the event that might be happening near you or virtually.   Please welcome:  Biz Apps Community User Group - Power Platform Community (microsoft.com) This user group is dedicated for all community members of all skill levels to learn how to get the most out of their community experience. East Michigan Power Platform User Group - Power Platform Community (microsoft.com) This is hopefully the beginning of a community, covering eastern Michigan, built around the Power Platform.  Biz Apps Community User Group This user group is dedicated for all community members of all skill levels to learn how to get the most out of their community experience.     Events to checkout:   In-Person: September 2023 Hybrid Philadelphia Dynamics 365 & Power Platform User Group MeetDynamics 365 and Power Platform Physical Meetup Hyderabad Power Platform User Group Meetup - Sept 2023 (In-Person)Manchester September 2023 In Person Meeting Virtual: Everything Dataverse, Do you know that Dataverse is more than just a Database!POWER PLATFORM MONTHLY DIGEST- SEPTEMBERBaltic Summit 2023PL-900 Power Platform Fundamentals TrainingHR and L&D transformation through Power PlatformDynamics 365 Marketing Experience User Groups - Use Cases and NetworkingPower Platform and Dual Write from Dynamics 365 F&O PerspectiveANZ D365 FinOps Team September 2023 meetup

Users online (4,612)