Home / News / Using Service Principals to Avoid Permissions Issues in Power Automate Cloud Flows
16 February 2023
By: Marwin Hogeterp

Using Service Principals to Avoid Permissions Issues in Power Automate Cloud Flows

A cloudflow without problems

If you are ever to work on Power Automate Cloud flows, you probably are aware of having connections and ownerships automatically set on these cloud flows. This will not immediately be an issue when you are working with an admin account or if your user has full admin rights on an environment. But what will happen when you or someone else who has created cloud flows in the past is leaving the company you are working for? Probably after a while your user account will lose the licenses and will be deactivated. This will result in errors on the cloud flow, since the connection and owner of the cloud flow no longer have the correct permissions.

In order to use cloud flows without running into these issues in the future, the cloud flows should make use of Service Principals. These are Azure Apps, which can (should) be used as the connection reference of your cloud flow.

In this blog I am not going to explain how to set this up. I am going to explain how you use service principal connection references in your flow and how you can set this same service principal as the owner of the flow.

 

Create your flow and add a service principal

The first step you should do, once your cloud flow is build is to add a Service Principal connection reference to one of the Dataverse actions in your cloud flow.

In order to do this, click on the ‘Connect with Service Principal’ link, which will result in a new page where the Azure App data should be filled in:

Create general Connection Reference

Once all fields are filled out correctly the connection reference is created as a Service Principal. The next step is to create a more generic connection reference which is the placeholder for all service principal accounts across the DTAP environment. This generic connection reference shell should be created from within in a solution.

This is necessary in order to be able to use the connection reference over different environments (DTAP) within the release process.

From make.powerautomate.com you should open the solution in the development environment and press ‘New’ > ‘More’ > ‘Connection Reference’.

Within the quick create form you can set a clear display name (I always use ‘D365-SA-PA’ stands for Dynamics 365, Service Account, Power Automate). For the connector I want to make a connection towards Dataverse, so I select ‘Microsoft Dataverse’ and select the earlier created Service Principal Account:

Set the generic Connection Reference as connection reference on the cloud flow

Now I can go back to my Power Automate and change all connection references on all Dataverse actions and select the newly created ‘D365-SA-PA’ connection reference on the Dataverse step.

Once the connection references for all Dataverse steps have been changed, the Power Automate flow should be saved again.

When checking the Cloud flow we can see that the connection reference is set to the correct one, but the owner is still not changed:

Change owner of a cloud flow to a service principal

A lot of people are still asking me why I like to do most customizations via the old Dynamics 365 interface. That is because still some functionalities can only be done via the old views. This also include changing the owner of a cloud flow.

In order to change the owner of a cloud flow to a service principal, we have to use the old Advanced search and look for the cloud flow in the ‘Processes’ entity.

In the search we need to remove all default criteria and set a custom criteria to ‘Category’ is equal to ‘Modern Flow’.

After pressing the ‘Results’ button, the results are given and the cloud flow can be selected. Now press the ‘Assign Processes’ button and select the service principal and press ‘Assign’

The cloud flow will now have the Service principal set as owner and as connection reference:

Update DTAP environments

The last step in the process is to update the other environments.

When importing the cloud flow solution for the first time to a different environment you will need to update the ‘D365-PA-SA’ connection reference once to the correct Service Principal of that environment, enable the cloud flow and change ownership of the cloud flow one more time. After you have done this on all environments, the cloud flows are ready to be used and will continue to work next times you are doing releases.

The biggest advantage is that it now doesn’t matter who is leaving your company, the cloud flows will remain working!