Tenant restrictions for Power Automate desktop machine registration
This article provides guidelines for resolving tenant restrictions when you register a machine to a tenant in Power Automate for desktop.
Applies to: Power Automate
Original KB number: 5017807
Symptoms
When you try to register a machine to a tenant, the registration might fail with one of the following errors:
- UnauthorizedTenantSwitching
- UnauthorizedRegistrationToUnjoinedTenant
- UnauthorizedRegistrationToNonAllowListedTenant
Cause
These registration errors occur when you try to register your machine to an unauthorized tenant or don't have the administrator privileges required to perform the action. Administrator privileges are required to:
- Change the tenant that a machine is registered to.
- Register a Microsoft Entra-joined machine to a tenant that's different from its Microsoft Entra ID tenant.
These tenant restrictions prevent malicious actors from using Power Automate for desktop to control a machine over the network. To allow non-administrators to perform these actions, you can configure Windows registry settings as described in the following section.
Resolution
An administrator can use Windows registry settings to control which tenants can run Power Automate desktop scripts on the machine. In addition, running the registration app as an administrator overrides the tenant restrictions.
Initial machine registration doesn't require administrator privileges, but changing the registration restrictions does.
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For protection, back up the registry before you modify it so that you can restore it if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
Allow machine registration to specific tenants
We recommend that you define a list of allowed tenants that your machines can register to and add them to the registration tenants allowlist. Your machine will then always allow registration to the tenants in the allowlist and deny registration to any other tenant.
If you use connect with sign-in to perform an attended run, and the target machine is Active Directory (AD) domain-joined but not Microsoft Entra-joined, you're required to add the tenant to the AllowedRegistrationTenants allowlist. For more information, see Connect with sign-in security update on AD domain-joined machines.
Important
You can use the following steps to add your tenant to the allowlist on a single machine. However, we recommend consulting with your domain administrators to create a Group Policy Object (GPO) that applies the appropriate allowlist across all your machines. Creating such a GPO can centrally specify which tenants are trusted to use Power Automate for desktop on the machines in your tenant.
To define the allowlist:
- Run the Registry Editor (regedit.exe).
- Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration
- Select Edit > New > String Value to create a new string value named AllowedRegistrationTenants.
- Double-click the value and set its data field to a comma-separated list of the tenant IDs to which the machine is allowed to register. For example: 3EF1d993-CBD4-4DEA-A50E-939AEDB23F21,5B19777D-814C-43F3-9317-CDBAD0846ED8
Note
- To find your tenant ID from the Power Automate portal, see Allowlist tenants for registration and connect with sign-in connections.
- To find your tenant ID from the Power Apps portal, go to Settings and select Session details.
If setting up the tenant allowlist isn't possible for some reason, see the following sections on how to allow registration to a tenant other than the machine's joined Microsoft Entra tenant, or how to allow switching to another tenant.
Validate machine registration when the service starts
The registration restrictions are only applied when you try to register the machine. Starting with version 2.31, you can configure Power Automate for desktop to check if the current machine registration is allowed when the Power Automate service (UIFlowService) starts. If the registration isn't allowed, the machine can't connect to Power Automate cloud services.
To enable continuous validation:
- Run the Registry Editor (regedit.exe).
- Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration
- Select Edit > New > DWORD (32-bit) Value to create a new DWORD value named EnforceRegistrationTenantRestrictionsOnServiceStart.
- Double-click the new value and set its data field to 1. Any value other than 1 disables this setting.
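The allowlist steps and the service-start validation steps above, as one added PowerShell example that is not part of the KB article. It assumes an elevated session and uses the two example tenant IDs from this article as placeholders; the variable names are my own.

```powershell
# Added example, not from the KB: set the registration allowlist and enable
# validation at service start. Run from an elevated PowerShell session.
# The two tenant IDs are the KB's example values; replace them with your own.
$tenants = @(
    '3EF1d993-CBD4-4DEA-A50E-939AEDB23F21',
    '5B19777D-814C-43F3-9317-CDBAD0846ED8'
)
$key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration'

# Reject anything that is not a GUID: a typo here would silently leave the
# allowlist pointing at a tenant that does not exist.
foreach ($t in $tenants) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($t, [ref]$parsed)) {
        throw "Not a valid tenant ID: '$t'"
    }
}

# The key may not exist on a fresh install; create it instead of failing.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# AllowedRegistrationTenants is a REG_SZ holding a comma-separated list with
# no spaces, the format the KB shows. -Force overwrites an existing value.
New-ItemProperty -Path $key -Name 'AllowedRegistrationTenants' `
    -PropertyType String -Value ($tenants -join ',') -Force | Out-Null

# Re-check the current registration whenever UIFlowService starts (2.31+).
# Only the DWORD value 1 enables this; anything else disables it.
New-ItemProperty -Path $key -Name 'EnforceRegistrationTenantRestrictionsOnServiceStart' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Read back what was written so the change can be verified.
Get-ItemProperty -Path $key |
    Select-Object AllowedRegistrationTenants,
                  EnforceRegistrationTenantRestrictionsOnServiceStart
```

For fleet-wide deployment, the KB's recommendation of a GPO still applies; this script is for a single machine or for testing the values before building that GPO.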
Disallow ability to override tenant restrictions
An administrator can override tenant restrictions and register machines regardless of the registry settings. To disable the ability for an administrator to override tenant restrictions:
- Run the Registry Editor (regedit.exe).
- Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration
- Select Edit > New > DWORD (32-bit) Value to create a new DWORD value named DisableTenantChangeRegistrationAdminOverride.
- Double-click the new value and set its data field to 1.
Allow machine registration to a tenant other than the machine's joined Microsoft Entra tenant
- Run the Registry Editor (regedit.exe).
- Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration
- Select Edit > New > DWORD (32-bit) Value to create a new DWORD value named AllowRegisteringOutsideOfAADJoinedTenant.
- Double-click the new value and set its data field to 1. Any value other than 1 disables this setting.
Important
If you define the allowlist using the AllowedRegistrationTenants registry setting (the recommended method), that setting overrides the AllowRegisteringOutsideOfAADJoinedTenant setting.
Allow switching machine registration to another tenant
- Run the Registry Editor (regedit.exe).
- Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration
- Select Edit > New > DWORD (32-bit) Value to create a new DWORD value named AllowTenantSwitching.
- Double-click the new value and set its data field to 1. Any value other than 1 disables this setting.
Important
If you define the allowlist using the AllowedRegistrationTenants registry setting (the recommended method), that setting overrides the AllowTenantSwitching setting.
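An added read-only audit script, not from the KB, that reads the five registration values this article describes and reports the effective policy on a machine, applying the precedence rules stated above (the allowlist takes priority over the two Allow* settings; only the value 1 enables a DWORD setting). The function and variable names are my own.

```powershell
# Added example, not from the KB: read-only audit of the tenant-restriction
# values this article describes, reporting the effective policy on the machine.
# No elevation needed; wrap it in Invoke-Command to run against several machines.
$key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration'
$props = if (Test-Path -Path $key) { Get-ItemProperty -Path $key } else { $null }

function Get-RegistrationSetting([string]$Name) {
    # Returns $null when the key or the value is missing.
    if ($null -eq $props) { return $null }
    return $props.PSObject.Properties[$Name].Value
}

$allowlist  = Get-RegistrationSetting 'AllowedRegistrationTenants'
# The KB states that only the value 1 enables each DWORD setting.
$enforce    = (Get-RegistrationSetting 'EnforceRegistrationTenantRestrictionsOnServiceStart') -eq 1
$noOverride = (Get-RegistrationSetting 'DisableTenantChangeRegistrationAdminOverride') -eq 1
$outside    = (Get-RegistrationSetting 'AllowRegisteringOutsideOfAADJoinedTenant') -eq 1
$switching  = (Get-RegistrationSetting 'AllowTenantSwitching') -eq 1

$findings = [System.Collections.Generic.List[string]]::new()
if ([string]::IsNullOrWhiteSpace($allowlist)) {
    $findings.Add('No AllowedRegistrationTenants allowlist; the default restrictions apply.')
    if ($outside)   { $findings.Add('AllowRegisteringOutsideOfAADJoinedTenant=1: non-admins can register to a tenant other than the Entra-joined one.') }
    if ($switching) { $findings.Add('AllowTenantSwitching=1: non-admins can move the registration to another tenant.') }
} else {
    $ids = @(($allowlist -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $findings.Add("Allowlist restricts registration to $($ids.Count) tenant(s): $($ids -join ', ')")
    if ($outside -or $switching) {
        $findings.Add('AllowRegisteringOutsideOfAADJoinedTenant / AllowTenantSwitching are ignored because the allowlist takes precedence.')
    }
}
if (-not $enforce) {
    $findings.Add('EnforceRegistrationTenantRestrictionsOnServiceStart is not 1: restrictions are checked only at registration time.')
}
if (-not $noOverride) {
    $findings.Add('DisableTenantChangeRegistrationAdminOverride is not 1: a local administrator can still override the restrictions.')
}
$findings
```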