Forum Discussion
Matthew Carter
Jan 04, 2022Iron Contributor
Best practices for Power Automate with service account
We had a colleague leave who had their work email address and account connected to MANY Power Automate flows, SharePoint, OneDrive, Forms, Excel, etc.
We are looking to create a recommendation / best practices for a single account that will be used by the I.T. department for use in Power Automate, etc.
We will have colleagues in the I.T. department have access to SharePoint sites (maybe a security issue? do we EACH get our OWN accounts then?) and Power Automate
We'd have to have it setup as an email enabled account so we'd have to pay instead of a service account.
Other thoughts?
- CSRPhotoCopper Contributor
Holy Crap! I just
googled[Binged] how to go about setting up a service account for my flow (that is used department wide) and was lead to this page...but my understanding now is that not only do I need a separate license (which is understandable for the service account), but I need one for EACH TIME my flow runs?!
In my mind the flow is the Power Automate I created, but it sounds like here that the flow is whenever it runs. So if one flow I create runs 5 times in a day that's FIVE LICENSES?! That's insane! Am I understanding this correctly, someone tell me I'm wrong and haven't lost my mind.- Julien_FremeauCopper Contributor
CSRPhoto you misunderstood it. Each flow needs a license: either the flow owner has to be licensed (per user license), or the flow itself (per flow license). Then your flow can run many times within the limits detailed at https://learn.microsoft.com/en-us/power-automate/limits-and-config.
The 5 licenses mentioned in this discussion is about the minimum quantity of "Power Automate per flow" license that you can order at a time. You can order just one license but 5 as a minimum. So even if you have only one flow to license, you still need to buy 5 licenses. 1 license you will use on your flow and the 4 left will be unused until you need them
- CSRPhotoCopper ContributorGreat, that makes much more sense. TY
- uk49spredictionsCopper Contributor
Matthew Carter Hi, we have bought it for our website and we are facing some problems. Can you please help us.
Following this topic:https://techcommunity.microsoft.com/t5/forums/https://uk49predictions.com/replypage/board-id/microsoft-365/message-id/44892
- WilliammickCopper Contributor
Hi Mathew Carter. You can try this one strategy:
1) Setup a Service Account and assign it an O365 License
2) Create new Flows or import existing Flows into the Service Account
3) Share the Flows with the Authors (so they can update the Flows from their own account but it continues to run as the Service Account)
4) email will come from the Service Accounts email address
More Ways:
https://docs.microsoft.com/en-us/power-automate/change-cloud-flow-owner?WT.mc_id=M365-MVP-9698
Author: https://gosloto.co.za/ - fnanfneCopper Contributor
We used one generic account called email address removed for privacy reasons for all "Power" related stuff, which initially only included PowerApps and PowerAutomate.
We later discovered that some flows with a conditional trigger do not run IF said item was updated using a PowerApp. The problem was that the owner (email address removed for privacy reasons) of the PowerApp was also the owner of the flow, and so when a staff member updated an item using the PowerApp, the flow would cease to run based on this conditional trigger, which is required (unlike how it worked in the past with SharePoint designer, where a flow can update fields and not trigger the flow again) to prevent all kind of chaos and infinite loops.
I'm sure there is a better way to scratch this cat, but for the time being, we've created another generic account called email address removed for privacy reasons. and have transferred ownership of all PowerApps to this account in order to avoid the scenario above.
- goslotoCopper Contributor
The Information you shared above is great. I have been reading all you shared here. In this you explained everything very well. If i want any further guideline we will contact you here https://techcommunity.microsoft.com/t5/office-365/best-practices-gosloto-for-power-automate-with-service-account/td-p/3052046
- markwoodland1585Copper Contributor
- jjdev-nzCopper Contributor
I can't see how MS can force us to use a the Per Flow licensing model instead of a Service account that has a Per User license assigned. In our scenario we create a few account with an E3/5 license and assigne them a Per User license. The accounts are then used by a select few to create any Automated or Scheduled Flows that have business impact. Flows that are for pure personal productivity, are created by the end users personal account. The hard part is keeping up with what flows have business impact vs personal flows.
- LimeLeafCopper Contributor
Hi jjdev-nz
We do exactly the same thing in our organisation. We created a normal user (not a service account in MS terms) equiped him with an E3, dynamics 365 license (for premium connectors) and a PA per user license. Then we migrated all business critical flows to this user and share the individual flow with the devs/owner of the flows for ajdustments. The user who owns the flows is managed centrally by a few users in the IT department.
This user only owns flows in a dedicated productiv environment where only he and the IT department is able to create any flows or apps.For power apps we use additonally power apps per app license.
We came up with this solution/idea after reading the following part of "Establish an environment strategy" documentation from microsoft: https://docs.microsoft.com/en-us/power-platform/guidance/adoption/environment-strategy
But I'm still confused if we are acting correlty in the boundarys of microsofts power automate licensing.
- jjdev-nzCopper Contributor
Hi LimeLeaf
MS is not very clear on the licensing and it's obvious from all the comments on the web.
I understand the reasoning for using a Per Flow license for business-critical Flows that uses Premium connectors that are triggered by many users and frequently per day. Flows that have a Per Flow license have an API limit of 250k per day. But if a Flow with Premium connectors is only triggered a few times in a day, then it's not cost effective to use a Per Flow license.
Regardless if one uses a Per User license connected to a real user or service account, that account can only do 40k API calls per day. Any automated or scheduled Flows always runs in the context of the Flow owner/creator. So if we are using an Per User license connected to a real user or service account, what is the difference, we are paying for the license and using it within the API limits of the day.
If you have a Flow that is exceeding 40k API calls, then its time to look at getting a Per Flow license in my opinion.
- RB_HLCopper ContributorI'm with you here. I don't think that Microsoft is forcing anybody.
The wording on their post is "[if] the service account is used by many users... it is recommended to assign a per flow license to the flow to ensure any new users adding to the account are automatically compliant."
"Recommended" and "required" have vastly different implications.- The licensing FAQ's have been updated in the last few days https://docs.microsoft.com/en-us/power-platform/admin/power-automate-licensing/faqs#i-have-multiple-flows-running-under-a-shared-service-account-what-licenses-do-i-need
- Just sharing this from LinkedIn - remember it is a draft document https://www.linkedin.com/posts/priyakodukula_licensing-flows-using-service-accounts-in-activity-6914470425523617792-41tC/
- The365GuyBrass ContributorWe had a long discussion with Microsoft on this topic. They are internally not clear what's the correct license - but after a lot of meetings - they are sure: You need a per flow license which is a minimum of 5 licenses รก 100$.
Please see the following documentation: https://docs.microsoft.com/en-us/power-automate/change-cloud-flow-owner- Julien_FremeauCopper ContributorThank you. do you confirm that it is 100$ each per flow license, with a minimum of 5 licenses to buy?
- uk49spredictionsCopper ContributorYes, that is correct. Each flow license costs $100 with a minimum of 5 licenses required to purchase.
- cunnijCopper Contributorsame question - we are starting to create more flows and they are all coming from my account, even when we use the 'send as' option. The 'approval' is routed corrected, shows the correct 'from' email but in the Teams approval tab, it shows sent from my name...is a mail-enabled, licensed user the only option?
- Try this : Setup a Service Account and assign it an O365 License
- Create new Flows or import existing Flows into the Service Account
- Share the Flows with the Authors (so they can update the Flows from their own account but it continues to run as the Service Account)
- email will come from the Service Accounts email address- shockoSteel ContributorSeems risky allowing users create arbitrary flows that will run under an account with likely a lot of access/privileges no?