SOLVED

Security context for Flows

%3CLINGO-SUB%20id%3D%22lingo-sub-82309%22%20slang%3D%22en-US%22%3ESecurity%20context%20for%20Flows%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-82309%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20you%20create%20a%20new%20Flow%20and%20select%20the%20first%20action%20which%20connects%20to%20SharePoint%20it%20creates%20a%20connection%20before%20you%20can%20select%20lists%2C%20etc.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%2C%20under%20what%20security%20context%20will%20Flows%20execute%20when%20other%20users%20perform%20an%20action%20that%20triggers%20a%20Flow%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20concern%20is%20that%20if%20you%20have%20say%20Administrator1%20create%20all%20the%20original%20Flows%20and%20at%20some%20point%20leaves%20the%20organization%20and%20the%20account%20has%20to%20be%20disabled%2Fremoved.%20What%20happens%20to%20all%20the%20flows%20that%20were%20connected%20to%20that%20account%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-82309%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Flow%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-85001%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20context%20for%20Flows%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-85001%22%20slang%3D%22en-US%22%3EMakes%20a%20good%20case%20for%20creating%20a%20generic%20role-based%20user%20account%20and%20doing%20this%20kind%20of%20work%20while%20logged%20in%20as%20that%20user%20(e.g.%20AppsNFlow%40%3CTENANT%3E.onmicrosoft.com)%3C%2FTENANT%3E%3CLINGO-SUB%20id%3D%22lingo-sub-83483%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20context%20for%20Flows%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-83483%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20on%20all%20accounts%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-82322%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20context%20for%20Flows%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-82322%22%20slang%3D%22en-US%22%3E%3CP%3EYeah%20I%20read%20about%20Team%20Flows.%20Are%20you%20saying%20this%20is%20the%20suggested%20and%20best%20solution%3F%20Pehaps%20the%20only%20solution%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-82320%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20context%20for%20Flows%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-82320%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20got%20updated%20in%20approx%20April%20time%20so%20that%20you%20can%20assign%20multiple%20owners%20to%20a%20flow%20to%20avoid%20this%20issue.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fflow.microsoft.com%2Fen-us%2Fblog%2Fteam-flows%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fflow.microsoft.com%2Fen-us%2Fblog%2Fteam-flows%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FLINGO-BODY%3E
Contributor

When you create a new Flow and select the first action which connects to SharePoint it creates a connection before you can select lists, etc. 

 

My question is, under what security context will Flows execute when other users perform an action that triggers a Flow? 

 

My concern is that if you have say Administrator1 create all the original Flows and at some point leaves the organization and the account has to be disabled/removed. What happens to all the flows that were connected to that account? 

4 Replies
best response confirmed by Jacques van der Hoven (Contributor)
Solution

Hi

 

This got updated in approx April time so that you can assign multiple owners to a flow to avoid this issue.

 

https://flow.microsoft.com/en-us/blog/team-flows/

 

 

 

 

 

Yeah I read about Team Flows. Are you saying this is the suggested and best solution? Pehaps the only solution? 

Yes on all accounts

Makes a good case for creating a generic role-based user account and doing this kind of work while logged in as that user (e.g. AppsNFlow@<tenant>.onmicrosoft.com)