MarkPP
Helper II

Limiting the use of Azure AD Connector in Power Automate

Hi

I wanted to clarify something in regards to the Azure AD Connector in Power Automate. If users want to use this, a Global admin (GA) needs to consent on behalf of the organisation. The privileges behind this connector are very high, e.g. Group.ReadWrite.All, User.ReadWrite.All, Directory.ReadWrite.All. Therefore I absolutely don't want all users making use of this connector. I have read some articles around not consenting on behalf of the organisation and trying to grant access to individuals instead, but it all seems a bit long-winded. Therefore, is the below the way to do this now?

A GA consents on behalf of the organisation for this connector and then goes to the underlying Enterprise Application "MSFT Power Platform - Azure AD" in Azure AD. In the properties for the Enterprise Application, set User assignment required to Yes and then, under Users and groups, add the limited number of people that you want to use the connector, as per the picture below?

(attached screenshot: UserAssignment.png)

Thanks

1 ACCEPTED SOLUTION

rimatos
Community Support

Hi @MarkPP,

Yes, this would be one way to restrict users' access to the application, since the users would need to be inserted in the group of that Enterprise application to access it.

However, in order for them to be able to access it you also need to make sure they have the correct roles assigned to them, since the connector only allows them to do actions to the same level they can do both in the UI and via REST API.

You have here an in-depth guide on the different admin roles available.

Additionally, you also have an article on how to achieve granular access to this connector here.

Hope this information was useful!

Regards,

Ricardo


2 REPLIES
ValentinMazhar
Advocate II

Hello @MarkPP ,

I know that this thread is marked as resolved, and the methods to grant access of this connector to specific users work.

However, I just thought it worth mentioning that the permissions granted to the App "MSFT Power Platform - Azure AD" are delegated. It means that even after a global admin has granted consent to the app, users will not be able to do anything with the connector that they are not already able to do if they connect to the Azure AD portal.

Hope it helps and clarifies!
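The two points raised in this thread (restrict sign-in to the connector's enterprise application to assigned users or groups, and confirm that the application holds only delegated scopes, so each user is still bounded by their own directory rights) can be applied and verified from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the thread, from the connector or from Microsoft. The service principal display name is the one quoted in the thread; the group name "PA-AzureAD-Connector-Users" and the scopes requested at sign-in are assumptions for the example, so adjust them to your tenant.

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to manage enterprise applications
# (e.g. Application Administrator). Run in a test tenant first.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.Read.All"

$appName   = "MSFT Power Platform - Azure AD"   # display name quoted in the thread (assumed unchanged)
$groupName = "PA-AzureAD-Connector-Users"       # hypothetical group holding the allowed flow makers

# 1. Locate the enterprise application (service principal) behind the connector.
#    It only exists in the tenant once a Global admin has consented.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found; has a GA consented on behalf of the organisation yet?" }

# 2. Show the delegated consent. Tenant-wide admin consent shows up as an
#    oauth2PermissionGrant with ConsentType 'AllPrincipals'; Scope lists the
#    delegated scopes (Directory.ReadWrite.All etc.). These act on behalf of the
#    signed-in user and are bounded by that user's own directory rights.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Select-Object ConsentType, PrincipalId, Scope

# 3. Confirm no *application* (app-only) permissions were granted to this service
#    principal. Those would not be bounded by the user's rights, so any hit here
#    deserves investigation.
$appOnly = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
if ($appOnly) {
    Write-Warning "Application permissions found on '$appName':"
    $appOnly | Format-Table ResourceDisplayName, AppRoleId
} else {
    "No application (app-only) permissions granted to '$appName'."
}

# 4. 'User assignment required' = Yes: tokens are no longer issued to users who are
#    not assigned to the app, so unassigned users cannot create a connection.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 5. Assign the group (assigning a group is easier to audit than individual users).
#    Apps that define no app roles use the default role id of all zeros.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id `
    -AppRoleId "00000000-0000-0000-0000-000000000000"

# 6. Verify the end state: assignment is required and only the intended
#    principals are assigned.
(Get-MgServicePrincipal -ServicePrincipalId $sp.Id).AppRoleAssignmentRequired
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType
```

Step 3 is the check behind the last reply in this thread: if the grant list in step 2 shows delegated scopes and step 3 returns nothing, a user assigned in step 5 can still only do through the connector what their own Azure AD role already lets them do in the portal or via the REST API.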
