Best practices for Power Automate with service account


We had a colleague leave who had their work email address and account connected to MANY Power Automate flows, SharePoint, OneDrive, Forms, Excel, etc.


We are looking to create a recommendation / best practices for a single account that will be used by the I.T. department for use in Power Automate, etc.


We will have colleagues in the I.T. department have access to SharePoint sites (maybe a security issue? do we EACH get our OWN accounts then?) and Power Automate


We'd have to have it set up as an email-enabled account, so we'd have to pay instead of using a service account.

Other thoughts?

36 Replies

Hi @LimeLeaf 


MS is not very clear on the licensing and it's obvious from all the comments on the web. 

I understand the reasoning for using a Per Flow license for business-critical Flows that use Premium connectors and are triggered by many users and frequently per day. Flows that have a Per Flow license have an API limit of 250k per day. But if a Flow with Premium connectors is only triggered a few times in a day, then it's not cost effective to use a Per Flow license.

Regardless of whether one uses a Per User license connected to a real user or a service account, that account can only do 40k API calls per day. Any automated or scheduled Flows always run in the context of the Flow owner/creator. So if we are using a Per User license connected to a real user or service account, what is the difference? We are paying for the license and using it within the API limits of the day.

If you have a Flow that is exceeding 40k API calls, then it's time to look at getting a Per Flow license in my opinion.

Yep, I have the same understanding here. As long as the flows are triggered in a moderate way and in sum they don't exceed a limit of 40k API calls per day and user, there shouldn't be a licensing issue.

So a per flow license should only be used for API-intensive flows.

To be honest it would be great to have a recommendation in the Microsoft documentation that points in this direction.

@Steve Knutson In our security training we are instructed to never log in using a service account. Is it my understanding that when you set up a Power Automate workflow you should use a service account and sign in using the service account? Sorry, I am new to all of this and trying to understand. We had a training yesterday with Microsoft and one of our people came unhinged when they suggested using a Service Account to set up our workflows. Can you explain to me how this would NOT be a security risk?

@Sharon_Sproul It is important to restrict who has access to the 'Service Account'. If you create a Flow, it can be exported and then imported into the 'Service Account' (someone has to log in as the account to do this; it can have MFA). Once imported, you can share the Flow with the author, who can make updates. It isn't perfect. See the reply from @LimeLeaf above.

@Matthew Carter 


We used one generic account called email address removed for privacy reasons for all "Power" related stuff, which initially only included PowerApps and PowerAutomate.


We later discovered that some flows with a conditional trigger do not run IF said item was updated using a PowerApp. The problem was that the owner (email address removed for privacy reasons) of the PowerApp was also the owner of the flow, and so when a staff member updated an item using the PowerApp, the flow would cease to run based on this conditional trigger, which is required (unlike how it worked in the past with SharePoint Designer, where a flow can update fields and not trigger the flow again) to prevent all kinds of chaos and infinite loops.


I'm sure there is a better way to scratch this cat, but for the time being, we've created another generic account called email address removed for privacy reasons, and have transferred ownership of all PowerApps to this account in order to avoid the scenario above.


@The365Guy If I have a Service account with a M365 user account licence, as the owner of all the flows created in the environment, why can I not use the per user licence? Why does it become an issue?

@Matthew Carter 


Hi Matthew Carter. You can try this one strategy:

1) Set up a Service Account and assign it an O365 license
2) Create new Flows or import existing Flows into the Service Account
3) Share the Flows with the Authors (so they can update the Flows from their own account but it continues to run as the Service Account)
4) Email will come from the Service Account's email address


More Ways:


https://docs.microsoft.com/en-us/power-automate/change-cloud-flow-owner?WT.mc_id=M365-MVP-9698

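One way to carry out steps 1 to 3 of that strategy for the flows a departing colleague created (the situation in the original question), as an added example that is not from this thread or from Microsoft's docs. It assumes the Microsoft.PowerApps.Administration.PowerShell module and a Power Platform admin sign-in; the environment name, UPN and object ID are placeholders.

```powershell
# Added example (not from the thread): find every cloud flow a departing user
# created in one environment and add the IT service account as a co-owner,
# so the flows keep running after the leaver's account is disabled.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in as a Power Platform administrator

# Placeholder values; replace with your own tenant's identifiers.
$EnvironmentName  = 'Default-00000000-0000-0000-0000-000000000000'
$LeavingUserUpn   = 'leaver@contoso.example'
$ServiceAccountId = '11111111-1111-1111-1111-111111111111'   # Entra object ID of the SA

# 1) Inventory: flows in the environment whose creator is the leaving user.
$flowsToRescue = Get-AdminFlow -EnvironmentName $EnvironmentName |
    Where-Object { $_.CreatedBy.userPrincipalName -eq $LeavingUserUpn }

$flowsToRescue |
    Select-Object DisplayName, FlowName, Enabled, CreatedTime |
    Format-Table -AutoSize

# 2) Grant the service account the CanEdit role (co-owner) on each flow.
#    The leaver's role can be removed later with Remove-AdminFlowOwnerRole
#    once the service account has taken over the connections.
foreach ($flow in $flowsToRescue) {
    Set-AdminFlowOwnerRole -EnvironmentName $EnvironmentName `
        -FlowName $flow.FlowName `
        -PrincipalType User `
        -PrincipalObjectId $ServiceAccountId `
        -RoleName CanEdit
}

# 3) Verify and record the resulting owner list for the change ticket.
foreach ($flow in $flowsToRescue) {
    Write-Output "Owners of '$($flow.DisplayName)':"
    Get-AdminFlowOwnerRole -EnvironmentName $EnvironmentName -FlowName $flow.FlowName |
        Format-List
}

# Note: the connections (SharePoint, Outlook, ...) used inside each flow still
# belong to the person who created them. Open each flow as the service account
# and re-select its connections before the leaver's account is disabled,
# otherwise the runs will start failing on authentication.
```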


Hi Steve - Does this make it so you can provide the SA limited access, but the account of the user the flow is shared with is what is used to connect the tools?

@goslotoo I totally agree with you

Seems risky allowing users to create arbitrary flows that will run under an account with likely a lot of access/privileges, no?
This is what I have done. The only issue is frequent re-authentication.

@Matthew Carter Hi, we have bought it for our website and we are facing some problems. Can you please help us.



Yes, that is correct. Each flow license costs $100 with a minimum of 5 licenses required to purchase.

Holy Crap! I just googled [Binged] how to go about setting up a service account for my flow (that is used department wide) and was led to this page...but my understanding now is that not only do I need a separate license (which is understandable for the service account), but I need one for EACH TIME my flow runs?!

In my mind the flow is the Power Automate I created, but it sounds like here that the flow is whenever it runs. So if one flow I create runs 5 times in a day that's FIVE LICENSES?! That's insane! Am I understanding this correctly, someone tell me I'm wrong and haven't lost my mind.

@CSRPhoto you misunderstood it. Each flow needs a license: either the flow owner has to be licensed (per user license), or the flow itself (per flow license). Then your flow can run many times within the limits detailed at https://learn.microsoft.com/en-us/power-automate/limits-and-config.

The 5 licenses mentioned in this discussion are about the minimum quantity of "Power Automate per flow" licenses that you can order at a time. You cannot order just one license; 5 is the minimum. So even if you have only one flow to license, you still need to buy 5 licenses. You will use 1 license on your flow and the 4 left will be unused until you need them.

Great, that makes much more sense. TY

@LAA-IT Re-authentication is proving troublesome for us too. Does anyone have a solution for this other than disabling MFA and/or password changing policies?