cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
dgillespie
Advocate II
Advocate II

Flow Ownership and SharePoint - Best practices

Just getting started with Flow in our company and before a few of us make a ton of them, I'd like to know the best practices when it comes to SharePoint.  A typical scenario would be:

  1. UserA makes a flow which requires certain permissions on SP doc libraries and lists
  2. UserA leaves company
  3. Ownership of flow changes to new hire UserB
  4. Flow won't run because of permissions

So UserB will not always get the same permissions that UserA had.  What are the best practices then?

  • create an office 365 account just for making flows?  This user would have to have a lot of SP permissions then!
  • redo the flows with UserB in mind?

Thanks for you help!

1 ACCEPTED SOLUTION

Accepted Solutions
dgillespie
Advocate II
Advocate II

Thanks everyone for your replies.

 

Here is what we settled with: I created a Flow Admin account and assigned it a Business Premium license.  UserA creates the flow and adds me as an Owner.  I assign the Flow Admin permissions to that SP site/library.  Finally, I add the Flow Admin as an owner to the Flow and change the SP credentials on the Flow to the Flow Admins.

View solution in original post

14 REPLIES 14
v-monli-msft
Community Support
Community Support

Hi @dgillespie,

 

It seems that there is no easy way to solve this issue. The 2 ways you told are all the way I could think of to solve this. I think the first one would be the better way as this will avoid the following issue that if UserB also left later.

 

Sorry for the inconvenience.

 

Regards,

Mona

Community Support Team _ Mona Li
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
sergeluca
Memorable Member
Memorable Member

we create a dedicated account (we call that a "Flow service account")

 

Mike2500
Super User
Super User

Permissions in SharePoint are often handled via groups. In that case, if UserB is simply put into the same groups as UserA, then the transfer should work fine. If UserB shouldn't have the same permissions as UserA, then why are they getting the ownership of the Flow? Perhaps the concern is that there are multliple flows, at which point each flow should be reviewed to determine if it should be kept or transferred. Of course, this is a huge challenge as there's no way to know which flows are the mission critical flows vs flows that were created as an experiment, unless each flow is reviewed by a knowledgable user.

 

It's been mentioned here and elsewhere to use a service account. This sounds good, but there seems to be a lot of permissions issues with this:

 

1. Do we give users the username/pwd of the service account? I hope not, as this would violate best practices for accounts

2. Do we have an admin switch the connections to use the service account? Sounds good, but then the user could go back, modify the flow, and via that connection they then have access to content in libraries they normally wouldn't have access.

 

Or, perhaps having to do anything means that the IT dept has already failed, as perhaps mission critical flows should have been recreated as a logic app and deployed to Azure, which brings other benefits such as proper source control.

Thank you for the reply.  There may be an issue with logging in as the Service Account to create the flows.

 

So the administration may look like this?

  1. Flow Service account, UserA, UserB are all in same SP group
  2. FlowA is created by UserA and also owned by Flow Service Account and UserB
  3. UserA leaves and his/her account is deleted
  4. FlowA still works?

My understanding is that the flow will still run. (this is pretty critical info, I wish the docs were clear). However: if the workflow connected to a SharePoint list, for example, then the flow will have a data connection for that list. If the data connection is using UserA's credentials, then the flow will fail because UserA no longer has permission to the SharePoint list.

 

So there are two questions:

1. who owns the flow?

2. what accounts are used in the data connections in the flow?

 

#1 Doesn't seem to be the critical piece, as again, I think the flow will still run even if the owner left. We just need to transfer ownership for maintenance reasons. (please double-check me on this).

#2 is critical, as if a user's account is disabled/deleted, then any data connection using that account should immediately fail the very next time the flow is run. (At which point, a different owner will need to sign in to flow and modify the data connections to use a different account).

 

So in your scenario, there's not enough info to know if the flow will work. It's my understanding that the flow will try to run, but if UserA created a connection using their own credentials, then the flow will fail on that step due to their account being disabled/deleted.

 

So, another scenario is that UserA could create a flow, and then when connecting to a SharePoint list in the flow, they could use the credentials of a service account. When UserA left, the flow would continue to run, as the credentials for the list are still good. (But again, giving users a username/password of a different account is not a best practice)

Yes, Mike, this gets to the detail of the issue: what account to use for the SP connector?  Using the Flow Service account seems to be the best practice but you are right about sharing credentials; also, the user would always have to make sure he/she was logged in as the Flow Service Account. 

 

Either way, it seems like a lot of manual administration here: keeping track of who has access to the Flow Service Account, changing the password when a member user left, and what about setting up a Flow Service account per dept.?

The user doesn't have to be logged in as that account, per se, as they can specify whichever credentials when they create the data connection. So, UserA logs into Flow.microsoft.com, and they create a flow (which means that UserA is the Owner).When they connect to SharePoint, the connection might default to use their account, but they could just click a little drop-down menu and select to use a different set of credentials, at which point they could enter the username/pwd of the service account.

 

I certainly agree that any system is going to be a hassle. Even having a service account isn't necessarily better than just having the new owner sign in and update the credentials. The non-service account method also has the benefit of getting someone from the dept to look at the flows and get rid of unnecessary ones. While flows that use service accounts will always run successfully, the downside is that they will keep running successfully for years, even when they're no longer needed or useful.

 

In my first reply, I mentioned logic apps. To bring that subject up again, if you check out Microsoft's guidance around this, they clearly state that Flow is for "Self-service", while Logic Apps are for "Mission Critical" scenarios.  And, one can take an existing flow, export it as a logic app and then import it into the azure service.

 

So, perhaps the workable scenario is that UserA leaves, and ManagerA compains that UserA's flow is failing. IT then converts UserA's flow to a Logic App and configures it to run via a service account. No further issues are experienced with that particular flow.

 

After all, another scenario is that ownership is given to UserB, who goes to update the Flow, but doesn't really know how to use flow, and in the process they break the flow. Since Flow has no undo capabilities and no version history, UserB calls IT and asks them to rebuild the flow, despite the fact there is no documentation and no one else really knew exactly what it did. Both ManagerA and UserB then spend the next 6 months compaining that IT isn't very helpful.

dgillespie
Advocate II
Advocate II

Thanks everyone for your replies.

 

Here is what we settled with: I created a Flow Admin account and assigned it a Business Premium license.  UserA creates the flow and adds me as an Owner.  I assign the Flow Admin permissions to that SP site/library.  Finally, I add the Flow Admin as an owner to the Flow and change the SP credentials on the Flow to the Flow Admins.

Question- We have a Flow that sends outbound emails using the account of the user who created the flow. What would happen if the person leaves the organization, how will the outbound emails o when the mailbox is no longer active? I know that in the 'Send Email' action a "From" account can be specified for sending an email, but is it a good practice to do so or should we have a dedicated account(with an attached mailbox) for flows?

 

The information I am seeking- 

 

1. In terms of best practice, should we be creating a dedicated service account for flows? If yes, should the flows created by users be shared with this service account so they can be managed using one account?

2. What license should be assigned to the service account, E3 or E5?

3.  Should this account be assigned the global admin privileges?

 

Thank you.

andeeh1974
Frequent Visitor

Has anyone from Microsoft replied to this thread?   Some clarity on what options we have in Flow would be helpful 

 

We have items that are created by UserA but then when the flow runs, it shows modified by FlowUser.  

 

Really what I would want is the flow to keep the original created by user as the modified by user.  

 

@andeeh1974,  I wholeheartedly agree that clarification from Microsoft on user accounts would be VERY helpful (either here or in the docs....though from the PowerApps learning-curve I've pretty much given up on my old-school mindset that official docs will ever again be up-to-date. Time and tech marches on!).

 

Yo, Microsoftians!
Specifically tricky is dealing with automation flows that use the O365 User connector/object and the Outlook.com connector.    All my years of using service accounts as Best Practice seem meaningless for Flow.  If, as another commented, that MS's perspective is that Flow is for "self-service" and we need to use Azure Logic Apps for enterprise-managed automation/workflows, it would be nice for them to be more explicit about that.  In my opinion their Flow demos sure fail to make that distinction.  If Flow is simply an MS-flavored answer to IFTTT, so be it (just say so).  But I'm still hoping it is the powerful enterprise-grade automation tool our organization needs (and which our IT team needs to be able to manage).

I hate to hear myself saying this, but SharePoint Designer (FOR Christ's sake!) was clearer and more capable (it seems) for handling user impersonation/user-context-switching.  I'm sure hoping that impression is wrong.  I know many things in PowerApps that were impossible a year ago now are possible...yet remain widely discussed online as if the old was still current.  It isn't that the official docs are not kept updated...it's just that they are too sparse in their details regarding real-world usage.  PowerApps and Flow would be impossible to learn, IMO, if not for these forums and other community-generated content (shout out to Shane Young!).


DanyElHoyek
Advocate IV
Advocate IV

What are you using as Names for the service accounts?

Anonymous
Not applicable

I have the same question - as it is an old post, is it the same solution today?  

 

If someone could point me in the direction to how i can identify which part of the flow is linked to a spesific useraccount i would appreciate it.

 

We have the case where a creator quit the company, the flow was moved to a new owner, but it does not run. And i am finding it hard to shift the ownership within the flow. 

 

 

Yes, @Anonymous , you need to go through the flow and look at each action that has a user-based connection (e.g. newer SQL Server connections, O365 actions such as Send Email, Word Online, OneDrive) and select a new connection which is using a current user (ideally a service account instead of an actual user's account).  This is done using the ellipses on the right side of the actions in Flow.  Here is a thread that provides some screenshots and better detail:  https://powerusers.microsoft.com/t5/General-Power-Automate/Need-to-use-another-User-s-connections-on-a-Flow/m-p/509441#M47881

Helpful resources

Announcements

February 2024 Community Newsletter

Welcome to our February Newsletter, where we highlight the latest news, product releases, upcoming events, and the amazing work of our outstanding Community members. If you're new to the Community, please make sure to follow the latest News & Announcements and check out the Community on LinkedIn as well! It's the best way to stay up-to-date in 2024 with all the news from across Microsoft Power Platform and beyond. Are you ready to "Leap" in to all we've got to share today?   COMMUNITY HIGHLIGHTS Check out the most active community members of the last month! These hardworking members post regularly, answer questions, kudos, and provide top solutions in their communities. We are so thankful for all your great work in January, and we can't wait to see who will be our most active members next month!   Power AppsPower AutomateCopilot StudioPower PagesWarrenBelzWarrenBelzPstork1saudali_25LaurensMPstork1stephenrobertLucas001AARON_ClbendincpaytonSurendran_RANBNived_NambiarMariamPaulachanNikhil2JmanriqueriosANBJupyter123rodger-stmmbr1606Agniusstevesmith27mandelaPhineastrice602AnnaMoyalanOOlashynBCLS776grantjenkinsExpiscornovusJcookSpongYeAARON_CManishSolankiapangelesPstork1ManishSolankiSanju1Fubar   There was a lot of activity in the Community in February! Did you miss anything? Here are just a few of the announcements and updates we shared: Super User Season 1 is HereFebruary 2024 User Group Update: Welcoming New GroupsCelebrating a New Season of Super UsersCheck out the February 2024 Dynamics NewsletterAnnouncing Copilot Cookbook GallerySuper User of the Month D. PoggemannTuesday Tips: Getting Started in the Community The best way to not miss them is to make sure you're subscribed to your community's News & Announcements. Subscribe today and don't miss anything next month! Power Apps News, Power Automate News, Copilot Studio News, Power Pages News Copilot Cookbook for Power Apps The all-new Copilot Cookbook is now available in the #PowerApps Community - offering a wide array of best practices on how to use Microsoft Copilot to develop and create in Power Apps.   The #CopilotCookbook is your new go-to resource when you need inspiration (or when you're stuck!) and aren't sure how to best partner with Copilot. So, whether you're looking for the best prompts or just want to know about responsible AI use, you can visit the Copilot Cookbook for regular, high-quality content that you can rely on. Our team will be reviewing posts using the new "Copilot " label to ensure we highlight and amplify the most relevant and recent content, so you're assured of high-quality content every time you visit. If you share a post that gets featured in the curated gallery, you'll get a PM in the Community to let you know!   The curated gallery is now ready for you to experience, so click the image below and check out the all-new Copilot Cookbook for Power Apps today. We can't wait to see what you "cook" up! 👨🍳       Power Platform Dev Weekly Celebrate 200th Episode Congratulations to Danish Naglekar, Anwesha Sharma, Matt Beard, Mark Carrington Carl Cookson and the team, as they celebrated the 200th episode of Power Platform Dev Weekly in February!   Click the image below to check out this landmark episode, featuring content from the likes of Nati Turtledove, Matthew Devaney, Inogic, Mohamed Ashiq Faleel, Mike Hartley, Nishant Rana, James Yumnam, Carl Cookson, Yannick Reekmans, Deepesh Somani, and many more.       "Get Started With" Power Platform Shorts Series This month we launched our new 'Get Started With' series on YouTube - a selection of sweet snapshots to keep you in the loop with all the latest Copilot trends that you can try out through advice at Microsoft Learn. Click the image below to check out the entire playlist so far, and don't forget to subscribe to our YouTube channel for all the latest updates.     UPCOMING EVENTS Canadian Power Platform Summit - Vancouver - 16th March 2024 Check out the first ever Canadian Power Platform Summit, which takes place at Microsoft Vancouver office on Saturday 16th March 2024! Get ready to immerse yourself in the ultimate Power Platform experience at the #CPPS24. This event is tailored for makers, developers, students and tech enthusiasts eager to explore the depths of Power Platform technologies. With sessions ranging from beginner-friendly to advanced-intermediate, this event offers a diverse range of insights for attendees of all levels.   There's a great range of speakers, including the likes of Lisa Crosbie, Matthew Devaney, Ulrikke Akerbæk, Oleksandr Olashyn, Mark Smith, Jake Harvey, Manju Gurjar, Adam Tobias, Mats Necker, Natasza Kosakowska, Linn Zaw Win, Salim Adamon, Tomas Prokop, Maxim Nikonov, and many more.   Great work by Chris Piasecki, Éric Sauvé, Nick Doelman, Scott Durow, Victor Dantas and the team for putting this amazing event together. So, whether you're a seasoned pro or a rising star, click the image below to join the Microsoft Community in Canada to gain practical insights, discover real-world examples, and take away actionable skills to boost your expertise.   Business Applications Launch Event - Virtual - 10th April 2024 Registration is now open for the Microsoft Business Applications Launch event which kicks off at 9am PST on Wednesday 10th April 2024. Join Microsoft product leaders and engineers for an in-depth look at the latest news and AI capabilities in Power Platform and #Dynamics365, featuring the likes of Charles Lamanna, Sangya Singh, Julie Strauss, Donald Kossmann, Lori Lamkin, Georg Glantschnig, Mala Anand, Jeff Comstock, and Mike Morton.     Microsoft Fabric - Las Vegas - 26-28th March 2024 Exciting times ahead for the inaugural #MicrosoftFabric Community Conference on March 26-28 at the MGM Grand in Las Vegas! The conference will cover all the latest in analytics, AI, databases, and governance across 150+ sessions, with guest speakers including Arun Ulag, Amir Netz, Jessica Hawk, Eric Boyd, Kim Manis, Adam Saxton, Patrick LeBlanc, Bob Ward, Wangui McKelvey, Wee Hyong T., Justyna Lucznik, Priya Sathy, Mehrnoosh Sameki, Rachel Shepard, Karthik Ravindran, Jason Himmelstein, and many more.   On-site there will be a special Community Lounge, interactive learning labs, plus you'll be able to 'Ask the Experts' all your questions to get help from data, analytics, and AI specialists, including community members and the Fabric Customer Advisory Team. Click the image below to find out more about the ultimate learning event for Microsoft Fabric!   If you'd like to learn how the latest advances in AI and how #MicrosoftCopilot can help you streamline your processes, click the image below to register today!       LATEST COMMUNITY BLOG ARTICLES Power Apps Community Blog Power Automate Community Blog Copilot Studio Community Blog Power Pages Community Blog Check out 'Using the Community' for more helpful tips and information: Power Apps, Power Automate, Copilot Studio, Power Pages

Microsoft Power Up program unveils new curriculum and more

  New engaging and cohesive Power Up curriculum The Microsoft Power Up Program – a self-paced upskilling program, launched in 2022 to help non-technical professionals gain marketable skills using the Microsoft Power Platform – takes learning to the next level with a cohesive video-based curriculum that spans only seven weeks. Recognizing the demand for multimedia content, we partnered with Microsoft MVPs Rory Neary and Charlie Phipps to create engaging videos that not only simplify complex concepts, but also make the learner experience more dynamic and immersive. Each course follows the same business through real-world scenarios with demos and hands-on exercises for learners to gain skills and build solutions using Power Apps, Power Automate and Power BI. This structured approach not only enhances comprehension but also equips learners with tangible skills that can be applied immediately in their professional endeavors. By focusing on key areas, the program has been shortened from 12 weeks to seven, saving valuable time without sacrificing quality. Special thanks go to Microsoft Power Platform advocates, April Dunnam and Renee Noble who shared their expertise and to Power Up Program champs who contributed with feedback and reviews over the last 1+ year to make this significant improvement.   Easy access to a comprehensive Development Environment In addition, the program now offers simplified and instant access to a comprehensive development environment for Power Up Program learners to explore and experiment with the Power Platform in a sandbox environment, fostering creativity and innovation.     Introducing App-In-A-Day (AIAD) workshops for Power Up learners As an added incentive, participants of the Microsoft Power Up Program can now sign up for partner-led “App in a Day” virtual workshops. These workshops, conducted by industry experts and Microsoft partners, provide invaluable insights and practical guidance to supplement the core curriculum. By attending these workshops, learners can gain deeper insights into application development and further enhance their skills in leveraging the Power Platform for business solutions. A big shout to our partners that are supporting the Power Up Program and delivering these AIAD workshops: Advaiya, Almato AG, Braintree, Kaispe, Koenig Solutions, PowerApps 911, Pragmatic Works, Smart Consulting.   These enhancements introduced to the Microsoft Power Up Program mark a significant milestone in the ongoing quest to empower individuals with the skills needed to thrive in today’s digital economy. By embracing video-based learning, streamlining the curriculum, and offering personalized experiences, the program continues to set new standards of excellence in virtual education. Sign up today to start your Power Up learning journey (https://aka.ms/PowerUp/)   by Dimpi Gandhi, Principal PM Lead, Power Up ProgramRepost from Microsoft Power Platform Product Blog

Announcing Power Apps Copilot Cookbook Gallery

We are excited to share that the all-new Copilot Cookbook Gallery for Power Apps is now available in the Power Apps Community, full of tips and tricks on how to best use Microsoft Copilot as you develop and create in Power Apps. The new Copilot Cookbook is your go-to resource when you need inspiration--or when you're stuck--and aren't sure how to best partner with Copilot while creating apps.   Whether you're looking for the best prompts or just want to know about responsible AI use, visit Copilot Cookbook for regular updates you can rely on--while also serving up some of your greatest tips and tricks for the Community. Our team will be reviewing posts using the new "Copilot" label to ensure we highlight and amplify the most relevant and recent content, so you're assured of high-quality content every time you visit. If you share a post that gets featured in the curated gallery, you'll get a PM in the Community to let you know!The curated gallery is ready for you to experience now, so visit the new Copilot Cookbook for Power Apps today: Copilot Cookbook - Power Platform Community. We can't wait to see what you "cook" up!    

Tuesday Tips: Getting Started in the Community

TUESDAY TIPS is back!   This weekly series of posts is our way of sharing helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! The original run of Tuesday Tips was a highlight of last year, and these all-new Tips will hopefully prove to be just as informative as helpful. We will cover some basics about the Community, a few "insider tips" to make your experience even better, and sharing best practices gleaned from our most active community members and Super Users. Make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!   THIS WEEK: I'm Brand New! What Do I Do? The number of new community members we have each week is pretty amazing, and we are so glad to welcome all of you to the Community! You may be wondering. "What do I do? Where do I get started? Will anyone be willing to help me? What I have a question? Help!"   Let's start with this: Welcome to the low-code revolution, and more importantly, welcome to the Power Platform Community! This is a great place to start. Whether you're busy with Power Apps, getting familiar with Power Automate, engaging Copilot Studio, or building in Power Pages, there are a few key places you should check out as you begin your journey: FORUMS: The forums are THE place to ask questions, look at questions asked by other Community members—and see answers and solutions from our Super Users and other helpful people in the Community. Power Apps ForumsPower Automate ForumsCopilot Studio ForumsPower Pages Forums   NEWS & ANNOUNCEMENTS: Our News & Announcements section highlights the newest and greatest updates in the Community, news from the product team, and so much more. It’s updated a few times each week and will also help you find ways to connect with what’s going on in the ever-growing world of Power Platform. Power Apps News & AnnouncementsPower Automate News & AnnouncementsCopilot Studio News & AnnouncementsPower Pages News & Announcements   GALLERIES: The Galleries section of the Community features tons of tips and tricks, features and benefits, and more—through videos created by our Super Users, product teams, and other helpful members of the Community. Power Apps GalleriesPower Automate Galleries Copilot Studio GalleriesPower Pages Galleries BLOGS: The community blogs section is full of handy step-by-step tips from members of the Community—and some of them include detailed answers to some of the questions most frequently asked questions, as well as how they solved a problem they faced. Power Apps Community BlogPower Automate Community BlogCopilot Studio Community BlogPower Pages Community Blog POWER UP PROGRAM: If you’d like to really take a huge step forward in your journey, we recommend checking out the Power Up Program, a Microsoft-sponsored initiative that trains new Power Platform users and has been a huge success since it launched a little over a year ago. There’s a waiting list, so definitely apply soon if you’re interested! Find out more here: Microsoft Power Up Program for career switchers.   There's so much more you'll discover in your Power Platform experience, and this Community is here for YOU! We are glad you've discovered us and can't wait to see where you grow! If you're new to the Community and just getting started, make sure to give this post a kudo and introduce yourself so we can welcome you!

Super User of the Month | Drew Poggemann

As part of a new monthly feature in the Community, we are excited to share that Drew Poggemann is our featured Super User for the month of February 2024. If you've been in the Community for a while, we're sure Drew's name is familiar to you, as he is one of our most active contributors--he's been a Super User for five consecutive seasons!   Since authoring his first reply 5 years ago to his 514th solution authored, Drew has helped countless Community members with his insights and expertise. In addition to being a Super User, Drew is also a User Group leader and a Microsoft MVP. His contributions to our Super User sessions and to the new SUIT program are always welcome--as well as his sense of humor and fun-loving way of sharing what he knows with others.   When Drew is not solving problems and authoring solutions, he's busy overseeing the Solution Architecture team at HBS, specializing in application architecture and business solution strategy--something he's been doing for over 30 years. We are grateful for Drew and the amazing way he has used his talent and skills to help so many others in the Community. If you are part of the SUIT program, you got to hear some great tips from Drew at the first SUIT session--and we know he still has much more to share!You can find him in the Community and on LinkedIn. Thank you for all you do, Drew!

Super Users 2024 Season One is Here!

   We are excited to announce the first season of our 2024 Super Users is here! Our kickoff to the new year welcomes many returning Super Users and several new faces, and it's always exciting to see the impact these incredible individuals will have on the Community in 2024! We are so grateful for the daily difference they make in the Community already and know they will keep staying engaged and excited for all that will happen this year.   How to Spot a Super User in the Community:Have you ever written a post or asked for help in the Community and had it answered by a user with the Super User icon next to their name? It means you have found the actual, real-life superheroes of the Power Platform Community! Super Users are our heroes because of the way they consistently make a difference in the Community. Our amazing Super Users help keep the Community a safe place by flagging spam and letting the Community Managers know about issues. They also make the Community a great place to find answers, because they are often the first to offer solutions and get clarity on questions. Finally, Super Users share valuable insights on ways to keep the Community growing, engaging, and looking ahead!We are honored to reveal the new badges for this season of Super Users! Congratulations to all the new and returning Super Users!     To better answer the question "What is a Super User?" please check out this article: Power Apps: What is A Super User? - Power Platform CommunityPower Automate: What is A Super User? - Power Platform Community Copilot Studio: What is A Super User? - Power Platform Community Power Pages: What is A Super User? - Power Platform Community

Users online (1,798)