Forum Discussion

Matthew Carter's avatar
Matthew Carter
Iron Contributor
Jan 04, 2022

Best practices for Power Automate with service account

We had a colleague leave who had their work email address and account connected to MANY Power Automate flows, SharePoint, OneDrive, Forms, Excel, etc.

 

We are looking to create a recommendation / best practices for a single account that will be used by the I.T. department for use in Power Automate, etc.

 

We will have colleagues in the I.T. department have access to SharePoint sites (maybe a security issue? do we EACH get our OWN accounts then?) and Power Automate

 

We'd have to have it setup as an email enabled account so we'd have to pay instead of a service account.  

Other thoughts?

  • jjdev-nz's avatar
    jjdev-nz
    Copper Contributor

    I can't see how MS can force us to use a the Per Flow licensing model instead of a Service account that has a Per User license assigned. In our scenario we create a few account with an E3/5 license and assigne them a Per User license. The accounts are then used by a select few to create any Automated or Scheduled Flows that have business impact. Flows that are for pure personal productivity, are created by the end users personal account. The hard part is keeping up with what flows have business impact vs personal flows.

  • Williammick's avatar
    Williammick
    Copper Contributor

    Matthew Carter 

     

    Hi Mathew Carter. You can try this one strategy:

    1) Setup a Service Account and assign it an O365 License
    2) Create new Flows or import existing Flows into the Service Account
    3) Share the Flows with the Authors (so they can update the Flows from their own account but it continues to run as the Service Account)
    4) email will come from the Service Accounts email address


    More Ways:


    https://docs.microsoft.com/en-us/power-automate/change-cloud-flow-owner?WT.mc_id=M365-MVP-9698

    Author: https://gosloto.co.za/

     

    • LAA-IT's avatar
      LAA-IT
      Copper Contributor
      This is what I have done. The only issue is frequent re-authentication.
      • Sam-H12's avatar
        Sam-H12
        Copper Contributor

        LAA-IT Re-authentication is proving troublesome for us too. Does anyone have a solution for this other than disabling MFA and/or password changing policies?

  • cunnij's avatar
    cunnij
    Copper Contributor
    same question - we are starting to create more flows and they are all coming from my account, even when we use the 'send as' option. The 'approval' is routed corrected, shows the correct 'from' email but in the Teams approval tab, it shows sent from my name...is a mail-enabled, licensed user the only option?
    • Try this : Setup a Service Account and assign it an O365 License
      - Create new Flows or import existing Flows into the Service Account
      - Share the Flows with the Authors (so they can update the Flows from their own account but it continues to run as the Service Account)
      - email will come from the Service Accounts email address
      • shocko's avatar
        shocko
        Steel Contributor
        Seems risky allowing users create arbitrary flows that will run under an account with likely a lot of access/privileges no?
    • Julien_Fremeau's avatar
      Julien_Fremeau
      Copper Contributor
      Thank you. do you confirm that it is 100$ each per flow license, with a minimum of 5 licenses to buy?
      • The365Guy's avatar
        The365Guy
        Brass Contributor
        Yes, correct.
        Technically speaking, it is also working with just a per user license, but this is from a licensing perspective not correct.
  • fnanfne's avatar
    fnanfne
    Copper Contributor

    Matthew Carter 

     

    We used one generic account called email address removed for privacy reasons for all "Power" related stuff, which initially only included PowerApps and PowerAutomate.

     

    We later discovered that some flows with a conditional trigger do not run IF said item was updated using a PowerApp. The problem was that the owner (email address removed for privacy reasons) of the PowerApp was also the owner of the flow, and so when a staff member updated an item using the PowerApp, the flow would cease to run based on this conditional trigger, which is required (unlike how it worked in the past with SharePoint designer, where a flow can update fields and not trigger the flow again) to prevent all kind of chaos and infinite loops.

     

    I'm sure there is a better way to scratch this cat, but for the time being, we've created another generic account called email address removed for privacy reasons. and have transferred ownership of all PowerApps to this account in order to avoid the scenario above. 

     

  • CSRPhoto's avatar
    CSRPhoto
    Copper Contributor

    Holy Crap! I just googled [Binged] how to go about setting up a service account for my flow (that is used department wide) and was lead to this page...but my understanding now is that not only do I need a separate license (which is understandable for the service account), but I need one for EACH TIME my flow runs?!

    In my mind the flow is the Power Automate I created, but it sounds like here that the flow is whenever it runs. So if one flow I create runs 5 times in a day that's FIVE LICENSES?! That's insane! Am I understanding this correctly, someone tell me I'm wrong and haven't lost my mind.

    • Julien_Fremeau's avatar
      Julien_Fremeau
      Copper Contributor

      CSRPhoto you misunderstood it. Each flow needs a license: either the flow owner has to be licensed (per user license), or the flow itself (per flow license). Then your flow can run many times within the limits detailed at https://learn.microsoft.com/en-us/power-automate/limits-and-config.

      The 5 licenses mentioned in this discussion is about the minimum quantity of "Power Automate per flow" license that you can order at a time. You can order just one license but 5 as a minimum. So even if you have only one flow to license, you still need to buy 5 licenses. 1 license you will use on your flow and the 4 left will be unused until you need them

      • CSRPhoto's avatar
        CSRPhoto
        Copper Contributor
        Great, that makes much more sense. TY

Resources