Forum Discussion

cprothero's avatar
cprothero
Iron Contributor
Mar 29, 2017

Flow Credentials: Best Practices?

I am just getting started with Flow and I want to try to do things with best practices in mind from the beginning. I would like to create a flow on a Sharepoint list which of course requires credentials. I don't really want to use my own credentials since I can't guarantee that I'll always be the one at this desk. Do others use service/dummy accounts created for this purpose?

 

Also what happens to a flow when a password changes? Does the person with that password have to go in and reauthenticate the flow?

 

TIA

    • cprothero's avatar
      cprothero
      Iron Contributor

      I didn't get an answer but we discussed it internally and decided the best option for us was to make a service account with a non-expiring password. I haven't had a chance to test this extensively yet but I'm also going to check out the team flows mentioned in this thread.

      • Clint Lechner's avatar
        Clint Lechner
        Steel Contributor

        I think that's the best bet, just to be on the safe side...... for now.  In a production environment, you don't want to be messing with accounts, etc.  That said, I'm very impressed with Flow and how it's worked so far.  With a little elbow grease and some time to figure it out, it's really useful and works well (and it's fast).  There's a lot of flexibility built in that's not obvious right away.  

         

        That said, I'd love to see more documentation and examples.  I know I can do quite a lot but I don't know HOW without extensive searching around sometimes.  That's life with new services though, especially something as robust as Flow.

    • Clint Lechner's avatar
      Clint Lechner
      Steel Contributor

      I'd love to know this too.  I have a couple flows setup where previously we would have used a sharepoint designer workflow or even a service account.  So far....................... they haven't choked because they've needed reathentication, but I've been waiting for that to possibly pop up.

  • Hi Courtney!

    Its totally ok to use your own credentials, as you can then share your Flow out with teammates so its not only owned by you, in case something were to happen or you were to leave.

     

    Also, when a password chages, Microsoft Flow is able to still persist. The only way that Flow connections will expire is if your environment admin were to kill your tokens. Not refresh them.. Kill them.

    If you want to get quick help on Flow related items, i would reccommend you join the official community at: https://powerusers.microsoft.com/t5/Microsoft-Flow-Community/ct-p/FlowCommunity

     

    Let me know if i can be of any more help! 

     

    - Jon

    • Joseph Boland's avatar
      Joseph Boland
      Brass Contributor

      I don't understand how it can be okay to use individual user accounts for production flows.  Flows typically require connectors.  For example, a flow may send an email via Outlook.  If the Outlook connector is defined using a personal account, when the person leaves and their account is disabled or deleted, the connector will no longer function, breaking the flow.  Right?  It wouldn't matter that the flow was a team (shared) one; the connector would still have to be rebuilt using a different (active) account.

       

      If, in contrast, a managed service account is used, the flow will continue to work as long as the account remains active.

    • Deleted's avatar
      Deleted
      I know this is an old post, but looking to finally create some production flows, and my test flows I've had have actually had "You need to fix your connections" pop up consistently on my account even thou I've never reset tokens. Unless resetting my password manually in AD causes that to happen :P.

      Anyway, seems service account is the safe bet just for future proofing if someone leaves the org.
      • Dean_Gross's avatar
        Dean_Gross
        Silver Contributor

        How Flow uses accounts is way more confusing than it should be. There is a lot of room for improvement and clarification in the documentation about exactly what account is going to be used, what perms are needed and how it going to show up. Sending emails is one area that needs a lot of attention.

    • anka's avatar
      anka
      Copper Contributor

      Jon Levesque 

      Question- We have a Flow that sends outbound emails using the account of the user who created the flow. What would happen if the person leaves the organization, how will the outbound emails o when the mailbox is no longer active? I know that in the 'Send Email' action a "From" account can be specified for sending an email, but is it a good practice to do so or should we have a dedicated account(with an attached mailbox) for flows?

       

      The information I am seeking- 

       

      1. In terms of best practice, should we be creating a dedicated service account for flows? If yes, should the flows created by users be shared with this service account so they can be managed using one account?

      2. What license should be assigned to the service account, E3 or E5?

      3.  Should this account be assigned the global admin privileges?

       

      Thank you.

      • Clint Lechner's avatar
        Clint Lechner
        Steel Contributor

        We use several flow accounts for everything. It's somewhat easier to manage but also takes the guess work out of who an email is going to come from or who has access to what.  It's also handy for troubleshooting because we know if those accounts pop up, it's specifically flow.

        Your flow account doesn't need to be global admin - it just needs access to whatever you are using it for. So if it is updating a list item, it needs that permission to the list/site. That said, often the flow account ends up with fairly beefed up perms. That's also another reason to think about centralizing the accounts you're using. I realize the context of the flow will run as whoever you add the connector as, but again, there's something to be said about knowing exactly which account to look for. I realize people will argue that a service account flow isn't as good for security but that really depends on how you implement it. I'd argue the other way, you know exactly which account does what and you be as granular as you need, knowing that account should always have access to specific areas and anything else is an anomaly to look at.

        Don't worry specifically about E3 vs. E5. In fact, go cheap there and out the extra money into Flow plan 1 or 2 (premium plans). You will find that the premium plans give you not only more flows but a few additional kinds of flows.