I'm hoping someone has encountered the situation I'm in and was able to come up with a successful solution.
I currently have a PowerApps application that uploads a file to a SharePoint document library using MS Flow. The Flow was also set up to use a service account when accessing SharePoint. However, whenever the Flow is triggered, the file is uploaded using the credential of the user that was logged into the PowerApps app. I need to lock down the SharePoint document library so the same user only has read-only access to it. The file needs to be uploaded by the Flow author (service account) instead of the user.
If anyone has any suggestions that I can try to get this to work, it'd be greatly appreciated.
You could look into using a Flow triggered via HTTP Request and configuring it to use the SharePoint app model for authentication.
The article linked below discusses setting permissions, but the key steps for you would be registering a SharePoint App, the Get Access Token piece and then using the bearer token in Flow to upload the document via a REST call.
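The two requests that reply describes (app-only token, then a bearer-token upload), as an added example that is not from the thread or the linked article. The tenant ID, client ID, secret, host and folder are placeholders, and the requests are only built, not sent. The file name comes from the app user, so it is quoted as an OData literal and rejected if it contains a path separator.

```python
import urllib.parse
import urllib.request

# Well-known resource principal id of SharePoint Online.
SP_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"


def token_request(tenant_id, client_id, client_secret, sp_host):
    """Build the client-credentials token request for a registered SharePoint app."""
    form = {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{tenant_id}",
        "client_secret": client_secret,  # keep in a secret store, never in the app
        "resource": f"{SP_PRINCIPAL}/{sp_host}@{tenant_id}",
    }
    url = f"https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2"
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(url, data=body, method="POST")


def odata_literal(value):
    """Quote a string for a REST URL: double single quotes, then percent-encode."""
    return "'" + urllib.parse.quote(value.replace("'", "''"), safe="/") + "'"


def upload_request(site_url, folder, file_name, content, access_token):
    """Build the upload call that runs as the app, not as the signed-in user."""
    # The name is user-controlled: do not let it select another folder.
    if "/" in file_name or "\\" in file_name:
        raise ValueError("file name must not contain path separators")
    url = (
        f"{site_url}/_api/web/GetFolderByServerRelativeUrl({odata_literal(folder)})"
        f"/Files/add(url={odata_literal(file_name)},overwrite=true)"
    )
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json;odata=verbose",
    }
    return urllib.request.Request(url, data=content, headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample values; the token would come from the "access_token"
    # field of the JSON returned by the first request.
    tok = token_request("TENANT-ID", "CLIENT-ID", "SECRET", "contoso.sharepoint.com")
    up = upload_request("https://contoso.sharepoint.com/sites/hr",
                        "/sites/hr/Uploads", "o'brien cv.pdf", b"%PDF-", "TOKEN")
    print(tok.full_url)
    print(up.full_url)
```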
The HTTP request was the first thing that came to my mind, but it’s a pita :). I guess the question is: do you make use of the files in the PowerApp, or is it just a submission form? If you aren’t getting return data immediately in the app, you could just rig it up where you dump the file to a temporary file location and just have another flow owned by the system account with a “new item” trigger move the files into the final destination library.
While that method still applies, the SharePoint HTTP action makes things considerably simpler. You still use the HTTP trigger as described, but the service account will use the SharePoint HTTP action, and no more app principal/secret/token config is needed.