
Persist flow connections after a password change without having to manually update flows

In the current design of workflow, when a user changes their password, all the connections are lost. For example, for a flow that accesses a sheet, the flow will fail and the user needs to go into the flow, edit the link/connection to the sheet (for example, list rows in a sheet and then apply to each) and save it. Per Microsoft's feedback this is by design. Many flows may run in the background at scheduled intervals. For consumers this may not be a huge concern, as they may never change their passwords. However, in a corporate setting where there are hundreds of users using many flows, and where IT security requirements require users to change passwords often, this PA limitation is a major burden.

 

Per the security policy of this particular organization, user passwords must be changed every 3 months.

This is a wise thing to do to reduce security risks, though it becomes a burden to edit every flow every 3 months when the password changes.

 

Microsoft's suggested workaround is to enable MFA or use a service account. This particular organization does not allow 2FA. Information can be confidential or under NDA; as such, sharing service accounts is not an option, as it would give users access to different departments' data.

 

The idea is to let PA use an OAuth2 flow with a refresh token. All workflows and connections, client IDs, secrets and access tokens are already stored in the Microsoft secure cloud, not accessible to the user. In case the password is changed, which in the current design would cause a flow to be terminated, PA would use the session's stored refresh token to continue the session without connection loss. (Other solutions use preemptive session management, monitoring the access token expiry date and refreshing in advance.)

 

This "persistent sessions" option could be a setting per organization. Organizations which do not wish to have this feature won't need to opt in. As such, the default design of flow won't need to change.

 

Status: New
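
The preemptive refresh mentioned in the idea above, as an added example that is not part of the original post and is not Power Automate code: a connection refreshes its access token shortly before expiry and reports that a new sign-in is needed when the refresh token is rejected. `FakeTokenEndpoint`, `Connection`, `ReauthRequired`, the token strings, the 300-second margin and the rotation and revocation behaviour are all assumptions made for illustration.

```python
from dataclasses import dataclass


class ReauthRequired(Exception):
    """The refresh token was rejected; the user has to sign in again."""


class FakeTokenEndpoint:
    """Constructed, offline stand-in for an OAuth2 token endpoint."""

    def __init__(self, lifetime=3600):
        self.lifetime = lifetime        # access token lifetime in seconds
        self.valid_refresh = {"rt-0"}   # constructed initial refresh token
        self.counter = 0

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            return {"error": "invalid_grant"}
        # Assumed rotation policy: each refresh token is single use.
        self.valid_refresh.discard(refresh_token)
        self.counter += 1
        new_rt = f"rt-{self.counter}"
        self.valid_refresh.add(new_rt)
        return {"access_token": f"at-{self.counter}",
                "refresh_token": new_rt,
                "expires_in": self.lifetime}

    def revoke_all(self):
        """Models an administrator revoking the stored session."""
        self.valid_refresh.clear()


@dataclass
class Connection:
    endpoint: FakeTokenEndpoint
    refresh_token: str
    access_token: str = ""
    expires_at: float = 0.0
    skew: int = 300  # refresh this many seconds before expiry (assumed)

    def token(self, now):
        """Return a usable access token, refreshing ahead of expiry."""
        if now >= self.expires_at - self.skew:
            resp = self.endpoint.refresh(self.refresh_token)
            if "error" in resp:
                raise ReauthRequired(resp["error"])
            self.access_token = resp["access_token"]
            # Keep the old refresh token if the server did not rotate it.
            self.refresh_token = resp.get("refresh_token", self.refresh_token)
            self.expires_at = now + resp["expires_in"]
        return self.access_token
```

The `now` argument is a clock value in seconds passed in by the caller, so a scheduled run can be simulated without waiting.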