Best practices for Power Automate with service account
- Create new Flows or import existing Flows into the Service Account
- Share the Flows with the Authors (so they can update the Flows from their own account but it continues to run as the Service Account)
- Email will come from the Service Account's email address
- shocko, Oct 16, 2022, Iron Contributor: Seems risky allowing users to create arbitrary flows that will run under an account with likely a lot of access/privileges, no?
- ncotela2325, Oct 13, 2022, Copper Contributor: Hi Steve - Does this make it so you can provide the SA limited access, but the account of the users the flow is shared with is what is used to connect the tools?
- Sharon_Sproul, Apr 13, 2022, Copper Contributor
SteveKnutson In our security training we are instructed to never log in using a service account. Is it my understanding that when you set up a Power Automate workflow you should use a service account and sign in using the service account? Sorry, I am new to all of this and trying to understand. We had a training yesterday with Microsoft and one of our people came unhinged when they suggested using a Service Account to set up our workflows. Can you explain to me how this would NOT be a security risk?
- SteveKnutson, Apr 13, 2022, MVP
Sharon_Sproul It is important to restrict who has access to the 'Service Account'. If you create a Flow, it can be exported and then imported into the 'Service Account' (someone has to log in as the account to do this; it can have MFA). Once imported, you can Share the Flow with the author, who can make updates. It isn't perfect. See the reply from LimeLeaf above.
- Julien_Fremeau, Mar 23, 2022, Copper Contributor: I've read here https://docs.microsoft.com/en-us/power-automate/change-cloud-flow-owner?WT.mc_id=M365-MVP-9698 that going with a service account to run a flow requires us to acquire and assign a per flow license. Is it correct?
- SteveKnutson, Mar 23, 2022, MVP: As I understand it, yes, 1 per flow license is required for each flow running under a service account.
- RB_HL, Apr 04, 2022, Copper Contributor
SteveKnutson I disagree here, Steve.
The article states:
"The service account is used by many users. In this case, it is recommended to assign a per flow license to the flow to ensure any new users adding to the account are automatically compliant."
(Source: https://docs.microsoft.com/en-us/power-platform/admin/power-automate-licensing/faqs#i-have-multiple-flows-running-under-a-shared-service-account-what-licenses-do-i-need)
It looks like a recommendation to make Microsoft licence compliance easier, but it doesn't seem like a strict functional requirement that will block you.
Meaning that it shouldn't break your flows if you don't follow it; it seems to be worded as a recommendation, not a rule.
But I might be wrong, I haven't traversed this yet. Keen to hear from someone who actually went down this path and has a solution in production that goes through this scenario.