cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
dgillespie
Advocate II
Advocate II

Flow Ownership and SharePoint - Best practices

‎10-23-2017 10:59 AM

Just getting started with Flow in our company and before a few of us make a ton of them, I'd like to know the best practices when it comes to SharePoint.  A typical scenario would be:

  1. UserA makes a flow which requires certain permissions on SP doc libraries and lists
  2. UserA leaves company
  3. Ownership of flow changes to new hire UserB
  4. Flow won't run because of permissions

So UserB will not always get the same permissions that UserA had.  What are the best practices then?

  • create an office 365 account just for making flows?  This user would have to have a lot of SP permissions then!
  • redo the flows with UserB in mind?

Thanks for you help!

Labels:
Message 1 of 15
37,263 Views
1 ACCEPTED SOLUTION

Accepted Solutions
dgillespie
Advocate II
Advocate II

‎11-03-2017 08:06 AM

Thanks everyone for your replies.

 

Here is what we settled with: I created a Flow Admin account and assigned it a Business Premium license.  UserA creates the flow and adds me as an Owner.  I assign the Flow Admin permissions to that SP site/library.  Finally, I add the Flow Admin as an owner to the Flow and change the SP credentials on the Flow to the Flow Admins.

View solution in original post

Message 9 of 15
40,722 Views
14 REPLIES 14
v-monli-msft
Community Support
Community Support

‎10-25-2017 02:19 AM

Hi @dgillespie,

 

It seems that there is no easy way to solve this issue. The 2 ways you told are all the way I could think of to solve this. I think the first one would be the better way as this will avoid the following issue that if UserB also left later.

 

Sorry for the inconvenience.

 

Regards,

Mona

Community Support Team _ Mona Li
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 15
37,242 Views
sergeluca
MVP

‎10-25-2017 06:38 AM

we create a dedicated account (we call that a "Flow service account")

 

Message 3 of 15
37,236 Views
Mike2500
Solution Sage
Solution Sage

‎10-25-2017 10:54 AM

Permissions in SharePoint are often handled via groups. In that case, if UserB is simply put into the same groups as UserA, then the transfer should work fine. If UserB shouldn't have the same permissions as UserA, then why are they getting the ownership of the Flow? Perhaps the concern is that there are multliple flows, at which point each flow should be reviewed to determine if it should be kept or transferred. Of course, this is a huge challenge as there's no way to know which flows are the mission critical flows vs flows that were created as an experiment, unless each flow is reviewed by a knowledgable user.

 

It's been mentioned here and elsewhere to use a service account. This sounds good, but there seems to be a lot of permissions issues with this:

 

1. Do we give users the username/pwd of the service account? I hope not, as this would violate best practices for accounts

2. Do we have an admin switch the connections to use the service account? Sounds good, but then the user could go back, modify the flow, and via that connection they then have access to content in libraries they normally wouldn't have access.

 

Or, perhaps having to do anything means that the IT dept has already failed, as perhaps mission critical flows should have been recreated as a logic app and deployed to Azure, which brings other benefits such as proper source control.

Message 4 of 15
37,229 Views
dgillespie
Advocate II
Advocate II
In response to sergeluca

‎10-25-2017 11:03 AM

Thank you for the reply.  There may be an issue with logging in as the Service Account to create the flows.

 

So the administration may look like this?

  1. Flow Service account, UserA, UserB are all in same SP group
  2. FlowA is created by UserA and also owned by Flow Service Account and UserB
  3. UserA leaves and his/her account is deleted
  4. FlowA still works?
Message 5 of 15
37,222 Views
0 Kudos
Mike2500
Solution Sage
Solution Sage
In response to dgillespie

‎10-25-2017 11:13 AM

My understanding is that the flow will still run. (this is pretty critical info, I wish the docs were clear). However: if the workflow connected to a SharePoint list, for example, then the flow will have a data connection for that list. If the data connection is using UserA's credentials, then the flow will fail because UserA no longer has permission to the SharePoint list.

 

So there are two questions:

1. who owns the flow?

2. what accounts are used in the data connections in the flow?

 

#1 Doesn't seem to be the critical piece, as again, I think the flow will still run even if the owner left. We just need to transfer ownership for maintenance reasons. (please double-check me on this).

#2 is critical, as if a user's account is disabled/deleted, then any data connection using that account should immediately fail the very next time the flow is run. (At which point, a different owner will need to sign in to flow and modify the data connections to use a different account).

 

So in your scenario, there's not enough info to know if the flow will work. It's my understanding that the flow will try to run, but if UserA created a connection using their own credentials, then the flow will fail on that step due to their account being disabled/deleted.

 

So, another scenario is that UserA could create a flow, and then when connecting to a SharePoint list in the flow, they could use the credentials of a service account. When UserA left, the flow would continue to run, as the credentials for the list are still good. (But again, giving users a username/password of a different account is not a best practice)

Message 6 of 15
37,217 Views
dgillespie
Advocate II
Advocate II
In response to Mike2500

‎10-25-2017 11:22 AM

Yes, Mike, this gets to the detail of the issue: what account to use for the SP connector?  Using the Flow Service account seems to be the best practice but you are right about sharing credentials; also, the user would always have to make sure he/she was logged in as the Flow Service Account. 

 

Either way, it seems like a lot of manual administration here: keeping track of who has access to the Flow Service Account, changing the password when a member user left, and what about setting up a Flow Service account per dept.?

Message 7 of 15
37,208 Views
0 Kudos
Mike2500
Solution Sage
Solution Sage
In response to dgillespie

‎10-25-2017 11:37 AM

The user doesn't have to be logged in as that account, per se, as they can specify whichever credentials when they create the data connection. So, UserA logs into Flow.microsoft.com, and they create a flow (which means that UserA is the Owner).When they connect to SharePoint, the connection might default to use their account, but they could just click a little drop-down menu and select to use a different set of credentials, at which point they could enter the username/pwd of the service account.

 

I certainly agree that any system is going to be a hassle. Even having a service account isn't necessarily better than just having the new owner sign in and update the credentials. The non-service account method also has the benefit of getting someone from the dept to look at the flows and get rid of unnecessary ones. While flows that use service accounts will always run successfully, the downside is that they will keep running successfully for years, even when they're no longer needed or useful.

 

In my first reply, I mentioned logic apps. To bring that subject up again, if you check out Microsoft's guidance around this, they clearly state that Flow is for "Self-service", while Logic Apps are for "Mission Critical" scenarios.  And, one can take an existing flow, export it as a logic app and then import it into the azure service.

 

So, perhaps the workable scenario is that UserA leaves, and ManagerA compains that UserA's flow is failing. IT then converts UserA's flow to a Logic App and configures it to run via a service account. No further issues are experienced with that particular flow.

 

After all, another scenario is that ownership is given to UserB, who goes to update the Flow, but doesn't really know how to use flow, and in the process they break the flow. Since Flow has no undo capabilities and no version history, UserB calls IT and asks them to rebuild the flow, despite the fact there is no documentation and no one else really knew exactly what it did. Both ManagerA and UserB then spend the next 6 months compaining that IT isn't very helpful.

Message 8 of 15
37,204 Views
dgillespie
Advocate II
Advocate II

‎11-03-2017 08:06 AM

Thanks everyone for your replies.

 

Here is what we settled with: I created a Flow Admin account and assigned it a Business Premium license.  UserA creates the flow and adds me as an Owner.  I assign the Flow Admin permissions to that SP site/library.  Finally, I add the Flow Admin as an owner to the Flow and change the SP credentials on the Flow to the Flow Admins.

Message 9 of 15
40,723 Views
anka
Helper II
Helper II
In response to dgillespie

‎02-07-2019 03:31 PM

Question- We have a Flow that sends outbound emails using the account of the user who created the flow. What would happen if the person leaves the organization, how will the outbound emails o when the mailbox is no longer active? I know that in the 'Send Email' action a "From" account can be specified for sending an email, but is it a good practice to do so or should we have a dedicated account(with an attached mailbox) for flows?

 

The information I am seeking- 

 

1. In terms of best practice, should we be creating a dedicated service account for flows? If yes, should the flows created by users be shared with this service account so they can be managed using one account?

2. What license should be assigned to the service account, E3 or E5?

3.  Should this account be assigned the global admin privileges?

 

Thank you.

Message 10 of 15
30,994 Views
0 Kudos
andeeh1974
Frequent Visitor

‎03-21-2019 05:35 AM

Has anyone from Microsoft replied to this thread?   Some clarity on what options we have in Flow would be helpful 

 

We have items that are created by UserA but then when the flow runs, it shows modified by FlowUser.  

 

Really what I would want is the flow to keep the original created by user as the modified by user.  

 

Message 11 of 15
29,987 Views
DeeTronSEAM
Kudo Collector
Kudo Collector
In response to andeeh1974

‎05-01-2019 09:25 AM

@andeeh1974,  I wholeheartedly agree that clarification from Microsoft on user accounts would be VERY helpful (either here or in the docs....though from the PowerApps learning-curve I've pretty much given up on my old-school mindset that official docs will ever again be up-to-date. Time and tech marches on!).

 

Yo, Microsoftians!
Specifically tricky is dealing with automation flows that use the O365 User connector/object and the Outlook.com connector.    All my years of using service accounts as Best Practice seem meaningless for Flow.  If, as another commented, that MS's perspective is that Flow is for "self-service" and we need to use Azure Logic Apps for enterprise-managed automation/workflows, it would be nice for them to be more explicit about that.  In my opinion their Flow demos sure fail to make that distinction.  If Flow is simply an MS-flavored answer to IFTTT, so be it (just say so).  But I'm still hoping it is the powerful enterprise-grade automation tool our organization needs (and which our IT team needs to be able to manage).

I hate to hear myself saying this, but SharePoint Designer (FOR Christ's sake!) was clearer and more capable (it seems) for handling user impersonation/user-context-switching.  I'm sure hoping that impression is wrong.  I know many things in PowerApps that were impossible a year ago now are possible...yet remain widely discussed online as if the old was still current.  It isn't that the official docs are not kept updated...it's just that they are too sparse in their details regarding real-world usage.  PowerApps and Flow would be impossible to learn, IMO, if not for these forums and other community-generated content (shout out to Shane Young!).


Message 12 of 15
28,896 Views
DanyElHoyek
Advocate IV
Advocate IV

‎03-09-2020 10:31 AM

What are you using as Names for the service accounts?

Message 13 of 15
15,956 Views
0 Kudos
Anonymous
Not applicable

‎04-20-2020 05:26 AM

I have the same question - as it is an old post, is it the same solution today?  

 

If someone could point me in the direction to how i can identify which part of the flow is linked to a spesific useraccount i would appreciate it.

 

We have the case where a creator quit the company, the flow was moved to a new owner, but it does not run. And i am finding it hard to shift the ownership within the flow. 

 

 

Message 14 of 15
14,939 Views
0 Kudos
DeeTronSEAM
Kudo Collector
Kudo Collector
In response to Anonymous

‎04-21-2020 07:22 AM

Yes, @Anonymous , you need to go through the flow and look at each action that has a user-based connection (e.g. newer SQL Server connections, O365 actions such as Send Email, Word Online, OneDrive) and select a new connection which is using a current user (ideally a service account instead of an actual user's account).  This is done using the ellipses on the right side of the actions in Flow.  Here is a thread that provides some screenshots and better detail:  https://powerusers.microsoft.com/t5/General-Power-Automate/Need-to-use-another-User-s-connections-on-a-Flow/m-p/509441#M47881

Message 15 of 15
14,887 Views
0 Kudos

Helpful resources

Announcements
Back to Basics Tuesday Tip #10: Community Support

Back to Basics Tuesday Tip #10: Community Support

This is the TENTH post in our ongoing series dedicated to helping the amazing members of our community--both new members and seasoned veterans--learn and grow in how to best engage in the community! Each Tuesday, we feature new content that will help you best understand the community--from ranking and badges to profile avatars, from Super Users to blogging in the community. Our hope is that this information will help each of our community members grow in their experience with Power Platform, with the community, and with each other!   This Week: All About Community Support   Whether you're a seasoned community veteran or just getting started, you may need a bit of help from time to time! If you need to share feedback with the Community Engagement team about the community or are looking for ways we can assist you with user groups, events, or something else, Community Support is the place to start.   Community Support is part of every one of our communities, accessible to all our community members.     Power Apps: https://powerusers.microsoft.com/t5/Community-Support/ct-p/pa_community_support Power Automate: https://powerusers.microsoft.com/t5/Community-Support/ct-p/mpa_community_support Power Pages: https://powerusers.microsoft.com/t5/Community-Support/ct-p/mpp_community_support Copilot Studio: https://powerusers.microsoft.com/t5/Community-Support/ct-p/pva_community-support   Within each community's Community Support page, you'll find three distinct areas, each with a different focus to help you when you need support from us most.     Community Accounts & Registration is the go-to source for any and all information related to your account here in the community. It's full of great knowledge base articles that will help you manage your community account and know what steps to take if you wish to close your account.  ●  Power Apps  ●  Power Automate  ●  Power Pages, ●  Copilot Studio      Using the Community is your source for assistance with everything from Community User Groups to FAQ's and more. If you want to know what kudos are, how badges work, how to level up your User Group or something else, you will probably find the answers here. ●  Power Apps   ● Power Automate    ●  Power Pages  ●  Copilot Studio      Community Feedback is where you can share opportunities, concerns, or get information from the Community Engagement team. It's your best place to post a question about an issue you're having in the community, a general question you need answered. Whatever it is, visit Community Feedback to get the answers you need right away. Our team is honored to partner with you and can't wait to help you!   ●  Power Apps  ● Power Automate   ● Power Pages   ● Copilot Studio  

Microsoft Ignite 2023: The Recap

Microsoft Ignite 2023: The Recap

What an amazing event we had this year, as Microsoft showcased the latest advancements in how AI has the potential to reshape how customers, partners and developers strategize the future of work. Check out below some of our handpicked videos and Ignite announcements to see how Microsoft is driving real change for users and businesses across the globe.   Video Highlights Click the image below to check out a selection of Ignite 2023 videos, including the "Microsoft Cloud in the era of AI" keynote from Scott Guthrie, Charles Lamanna, Arun Ulag, Sarah Bird, Rani Borkar, Eric Boyd, Erin Chapple, Ali Ghodsi, and Seth Juarez. There's also a great breakdown of the amazing Microsoft Copilot Studio with Omar Aftab, Gary Pretty, and Kendra Springer, plus exciting sessions from Rajesh Jha, Jared Spataro, Ryan Jones, Zohar Raz, and many more.     Blog Announcements Microsoft Copilot presents an opportunity to reimagine the way we work—turning natural language into the most powerful productivity tool on the planet. With AI, organizations can unearth value in data across productivity tools like business applications and Microsoft 365. Click the link below to find out more.     Check out the latest features in Microsoft Power Apps that will help developers create AI-infused apps faster, give administrators more control over managing thousands of Microsoft Power Platform makers at scale, and deliver better experiences to users around the world. Click the image below to find out more.     Click below to discover new ways to orchestrate business processes across your organization with Copilot in Power Automate. With its user-friendly interface that offers hundreds of prebuilt drag-and-drop actions, more customers have been able to benefit from the power of automation.     Discover how Microsoft Power Platform and Microsoft Dataverse are activating the strength of your enterprise data using AI, the announcement of “plugins for Microsoft Copilot for Microsoft 365”, plus two new Power Apps creator experiences using Excel and natural language.       Click below to find out more about the general availability of Microsoft Fabric and the public preview of Copilot in Microsoft Fabric. With the launch of these next-generation analytics tools, you can empower your data teams to easily scale the demand on your growing business.     And for the rest of all the good stuff, click the link below to visit the Microsoft Ignite 2023 "Book of News", with over ONE HUNDRED announcements across infrastructure, data, security, new tools, AI, and everything else in-between!        

Back to Basics Tuesday Tip #9: All About the Galleries

Back to Basics Tuesday Tip #9: All About the Galleries

This is the ninth post in our series dedicated to helping the amazing members of our community--both new members and seasoned veterans--learn and grow in how to best engage in the community! Each Tuesday, we feature new content that will help you best understand the community--from ranking and badges to profile avatars, from Super Users to blogging in the community. Our hope is that this information will help each of our community members grow in their experience with Power Platform, with the community, and with each other!     Today's Tip: All About the Galleries Have you checked out the library of content in our galleries? Whether you're looking for the latest info on an upcoming event, a helpful webinar, or tips and tricks from some of our most experienced community members, our galleries are full of the latest and greatest video content for the Power Platform communities.   There are several different galleries in each community, but we recommend checking these out first:   Community Connections & How-To Videos Hosted by members of the Power Platform Community Engagement  Team and featuring community members from around the world, these helpful videos are a great way to "kick the tires" of Power Platform and find out more about your fellow community members! Check them out in Power Apps, Power Automate, Power Pages, and Copilot Studio!         Webinars & Video Gallery Each community has its own unique webinars and videos highlighting some of the great work being done across the Power Platform. Watch tutorials and demos by Microsoft staff, partners, and community gurus! Check them out: Power Apps Webinars & Video Gallery Power Automate Webinars & Video Gallery Power Pages Webinars & Video Gallery Copilot Studio Webinars & Video Gallery   Events Whether it's the excitement of the Microsoft Power Platform Conference, a local event near you, or one of the many other in-person and virtual connection opportunities around the world, this is the place to find out more about all the Power Platform-centered events. Power Apps Events Power Automate Events Power Pages Events Copilot Studio Events   Unique Galleries to Each Community Because each area of Power Platform has its own unique features and benefits, there are areas of the galleries dedicated specifically to videos about that product. Whether it's Power Apps samples from the community or the Power Automate Cookbook highlighting unique flows, the Bot Sharing Gallery in Copilot Studio or Front-End Code Samples in Power Pages, there's a gallery for you!   Check out each community's gallery today! Power Apps Gallery Power Automate Gallery Power Pages Gallery Copilot Studio Gallery

Unlocking the Power of Community: A Journey with Featued User Group leaders Geetha Sivasailam and Ben McMann

Unlocking the Power of Community: A Journey with Featued User Group leaders Geetha Sivasailam and Ben McMann

In the bustling world of technology, two dynamic leaders, Geetha Sivasailam and Ben McMann, have been at the forefront, steering the ship of the Dallas Fort Worth Power Platform User Group since its inception in February 2019. As Practice Lead (Power Platform | Fusion Dev) at Lantern, Geetha brings a wealth of consulting experience, while Ben, a key member of the Studio Leadership team at Lantern, specializes in crafting strategies that leverage Microsoft digital technologies to transform business models.   Empowering Through Community Leadership Geetha and Ben's journey as user group leaders began with a simple yet powerful goal: to create a space where individuals across the DFW area could connect, grow their skills, and add value to their businesses through the Power Platform. The platform, known for its versatility, allows users to achieve more with less code and foster creativity.   The Power of Community Impact Reflecting on their experiences, Geetha and Ben emphasize the profound impact that community engagement has had on both their professional and personal lives. The Power Platform community, they note, is a wellspring of resources and opportunities, fostering continuous learning, skill enhancement, and networking with industry experts and peers.   Favorite Moments and Words of Wisdom The duo's favorite aspect of leading the user group lies in witnessing the transformative projects and innovations community members create with the Power Platform. Their advice to aspiring user group leaders? "Encourage diverse perspectives, maintain an open space for idea-sharing, stay curious, and, most importantly, have fun building a vibrant community."   Building Bridges, Breaking Barriers Geetha and Ben encourage others to step into the realm of user group leadership, citing the rewarding experience of creating and nurturing a community of like-minded individuals. They highlight the chance to influence, impact, and positively guide others, fostering connections that extend beyond mere technology discussions.   Joining a User Group: A Gateway to Growth The leaders stress the importance of joining a user group, emphasizing exposure to diverse perspectives, solutions, and career growth opportunities within the Power Platform community. "Being part of such a group provides a supportive environment for seeking advice, sharing experiences, and navigating challenges."   A Year of Milestones Looking back at the past year, Geetha and Ben express pride in the group's growth and global participation. They recount the enriching experience of meeting members in person at the Microsoft Power Platform conference, showcasing the diverse range of perspectives and guest speakers that enriched the community's overall experience.   Continuous Learning on the Leadership Journey As user group leaders, Geetha and Ben recognize the continuous learning curve, blending interpersonal skills, adaptability, and dedication to foster a vibrant community. They highlight the importance of patience, persistence, and flexibility in achieving group goals, noting the significance of listening to the needs and suggestions of group members.They invite all tech enthusiasts to join the Dallas Fort Worth Power Platform User Group, a thriving hub where the power of community propels individuals to new heights in the dynamic realm of technology.

Visit the Community Lounge at Microsoft Ignite!

Visit the Community Lounge at Microsoft Ignite!

Are you attending Microsoft Ignite in Seattle this week? If so, we'd love to see you at the Community Lounge! Hosted by members of our Community team, it's a great place to connect, meet some Microsoft executives, and get a sticker or two. And if you're an MVP there are some special opportunities to meet up!     The Community Lounge is more than just a space—it's a hub of activity, collaboration, and camaraderie. So, dive in, explore, and make the most of your Microsoft Ignite experience by immersing yourself in the vibrant and dynamic community that awaits you.Find out the schedule and all the details here: Community Lounge at Ignite! See you at #MSIgnite!    

Back to Basics Tuesday Tip #8: Subscriptions & Notifications

Back to Basics Tuesday Tip #8: Subscriptions & Notifications

This is the eighth post in our series dedicated to helping the amazing members of our community--both new members and seasoned veterans--learn and grow in how to best engage in the community! Each Tuesday, we feature new content that will help you best understand the community--from ranking and badges to profile avatars, from Super Users to blogging in the community. Our hope is that this information will help each of our community members grow in their experience with Power Platform, with the community, and with each other!   This Week: All About Subscriptions & Notifications Subscribing to a CategorySubscribing to a TopicSubscribing to a LabelBookmarksManaging & Viewing your Subscriptions & BookmarksA Note on Following Friends on Mobile   Subscriptions ensure that you receive automated messages about the most recent posts and replies. There are multiple ways you can subscribe to content and boards in the community! (Please note: if you have created an AAD (Azure Active Directory) account you won't be able to receive e-mail notifications.)   Subscribing to a Category  When you're looking at the entire category, select from the Options drop down and choose Subscribe.   You can then choose to Subscribe to all of the boards or select only the boards you want to receive notifications. When you're satisfied with your choices, click Save.   Subscribing to a Topic You can also subscribe to a single topic by clicking Subscribe from the Options drop down menu, while you are viewing the topic or in the General board overview, respectively.   Subscribing to a Label You can find the labels at the bottom left of a post.From a particular post with a label, click on the label to filter by that label.          This opens a window containing a list of posts with the label you have selected. Click Subscribe.   Note: You can only subscribe to a label at the board level. If you subscribe to a label named 'Copilot' at board #1, it will not automatically subscribe you to an identically named label at board #2. You will have to subscribe twice, once at each board.   Bookmarks Just like you can subscribe to topics and categories, you can also bookmark topics and boards from the same menus! Simply go to the Topic Options drop down menu to bookmark a topic or the Options drop down to bookmark a board.   The difference between subscribing and bookmarking is that subscriptions provide you with notifications, whereas bookmarks provide you a static way of easily accessing your favorite boards from the My subscriptions area.   Managing & Viewing Your Subscriptions & Bookmarks To manage your subscriptions, click on your avatar and select My subscriptions from the drop-down menu. From the Subscriptions & Notifications tab, you can manage your subscriptions, including your e-mail subscription options, your bookmarks, your notification settings, and your email notification format.     You can see a list of all your subscriptions and bookmarks and choose which ones to delete, either individually or in bulk, by checking multiple boxes.     A Note on Following Friends on Mobile Adding someone as a friend or selecting Follow in the mobile view does not allow you to subscribe to their activity feed. You will merely be able to see your friends’ biography, other personal information, or online status, and send messages more quickly by choosing who to send the message to from a list, as opposed to having to search by username.              

Users online (2,759)