Power Automate - What are the Azure VM prerequisites (firewall, service accounts, access) for running Unattended RPA?

Suki Azure 111 Reputation points
2025-06-23T16:26:20.2233333+00:00

Hi Team,

We are planning to implement Unattended Robotic Process Automation (RPA) using Microsoft Hello All, We are planning to deploy the Power Automate Desktop hosted on an Azure VM. The VM will act as an RPA agent and run under a service/system account to automate user access activities in SAP Ariba (Not using Any API/Webservice here).

We plan to perform the following activities:

  1. Register Azure VMs as Machines or Machine Groups in Power Automate.
  2. Create Desktop Flows using Power Automate Desktop.
  3. Create Cloud Flows in Power Automate Portal that are triggered by incoming Outlook emails.
  4. Configure the Cloud Flows to run the Desktop Flows in unattended mode on the Azure VM.

We are seeking clarification on the following prerequisites and configuration needs:

  1. Firewall & Network
  • What outbound/inbound ports and endpoints need to be open from the Azure VM to:
    • Power Automate / Power Platform services
    • M365 services (Outlook, SharePoint)
    • SAP Ariba (cloud-based)
    • Certificate revocation list and authentication endpoints
  2. Service Account
  • Can we use a domain-joined or local service account for unattended RPA?
  • What are the required permissions for this account (e.g., login, browser access)?
  3. Connectivity
  • Any specific configurations or network rules to ensure:
    • Secure access from Azure VM to SAP Ariba
    • Access to Microsoft Graph / Exchange Online APIs via Cloud Flows
  4. Platform Setup
  • Any best practices or scripts for registering machines to Power Platform using Machine Groups?
  • Is there any way to validate the connectivity between Desktop Flow agent and Power Automate services from the VM?

Appreciate any detailed guidance or links to Microsoft documentation covering this use case.

Thank you!

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.

1 answer

  1. Mounika Reddy Anumandla 6,935 Reputation points Microsoft External Staff Moderator
    2025-06-24T06:05:50.2266667+00:00

    Hi Suki Azure,
    To ensure seamless connectivity between the Azure VM, Power Automate/Power Platform services, Microsoft 365 services, SAP Ariba, and certificate revocation list (CRL) endpoints, specific inbound and outbound ports and endpoints must be configured in the Azure VM's network security group (NSG) and any corporate firewalls.

    Ensure that you have added the required URLs to the allow list to ensure communication through firewalls and other security mechanisms. If you can't access a service or specific URLs fail to load, a proxy or firewall might be configured to prevent you from accessing server resources. Review your proxy settings and ensure that you add all the relevant URLs to the allowed list as per your service.

    Endpoints:

    • *.api.powerplatform.com (Power Platform APIs)
    • *.flow.microsoft.com (Power Automate services)
    • config.edge.skype.com (Microsoft 365 Enhanced Configuration Service, required for authentication)
    • *.microsoftonline.com (Microsoft Entra ID authentication)
    • *.azure-automation.net (if using Azure Automation for additional management)

    Please refer to this document for additional information: https://learn.microsoft.com/en-us/power-automate/ip-address-configuration#required-services

    Outbound: TCP 443 (HTTPS) for secure communication with Power Platform services.

    The following table in the document lists the services to which Power Automate connects. Ensure none of these services is blocked on your network. https://learn.microsoft.com/en-us/power-automate/ip-address-configuration#use-the-power-automate-web-portal

    SAP Ariba is a cloud-based service, and specific endpoints depend on your Ariba realm. Common domains include:

    • *.ariba.com
    • *.s1.ariba.com (or region-specific domains like *.eu.ariba.com for Europe)
    • Contact your SAP Ariba administrator or refer to SAP Ariba's documentation for your specific realm's endpoints (e.g., via SAP Ariba Connect or support). https://support.ariba.com/item/view/KB0550099
    • Since you're not using APIs, Power Automate Desktop will interact with SAP Ariba's web interface via browser automation (e.g., Edge or Chrome). Ensure the browser on the VM can access Ariba without network restrictions.

    Note: If you use an Azure virtual machine (VM) to run Power Automate for desktop, make sure the Microsoft.ServiceBus endpoint is turned off at the subnet level where the Azure VM is located. This is a known limitation. For more information, see Azure Relay doesn't support network service endpoints.

    Certificate Revocation List (CRL) and Authentication Endpoints.

    Domain vs. Local Account

    This article presents all the prerequisites and limitations you should consider before installing and using Power Automate on your desktop.

    https://learn.microsoft.com/en-us/power-automate/desktop-flows/requirements
    https://learn.microsoft.com/en-us/power-automate/desktop-flows/manage-machine-groups

    Validate Desktop Flow Agent Connectivity: On the Azure VM (logged in as service account):

    1. Open Power Automate Desktop
    2. Check Machine Status (should show “Connected”)
    3. Use Test Connection from the Power Automate Portal > Machines

    Log location (on VM): C:\ProgramData\Microsoft\Power Automate Desktop\Logs\

    Hope it helps!

    Let me know if you have any further queries!

    If the information is helpful, please click "upvote" to let us know!

    1 person found this answer helpful.
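
An added example, not part of the original answer or of Microsoft's tooling: a PowerShell check to run on the VM as the service account. It tests each endpoint family listed in the answer in three stages (DNS, TCP 443, TLS handshake), so a failure can be attributed to name resolution, the NSG/firewall, or a TLS-inspecting proxy. The `TestHost` values paired with the wildcard rules are assumed stand-ins, not values from the answer.

```powershell
# Added example. TestHost values for wildcard rules are ASSUMED stand-ins;
# replace them with the hosts your tenant, region and Ariba realm actually use.
$Endpoints = @(
    @{ Rule = '*.api.powerplatform.com'; TestHost = 'api.powerplatform.com' }
    @{ Rule = '*.flow.microsoft.com';    TestHost = 'api.flow.microsoft.com' }
    @{ Rule = 'config.edge.skype.com';   TestHost = 'config.edge.skype.com' }
    @{ Rule = '*.microsoftonline.com';   TestHost = 'login.microsoftonline.com' }
    @{ Rule = '*.ariba.com';             TestHost = 'service.ariba.com' }
)

function Test-OutboundHttps {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $HostName; Dns = $false; Tcp = $false; Tls = $false; Issuer = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Stage 1: DNS. A failure here points at name resolution, not the NSG or firewall.
        [void][System.Net.Dns]::GetHostAddresses($HostName)
        $result.Dns = $true

        # Stage 2: TCP connect with a timeout, so silently dropped packets do not hang the run.
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) { throw 'TCP connect timed out' }
        $result.Tcp = $true

        # Stage 3: TLS handshake using the default certificate validation.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.Tls = $true
        # An issuer naming your own proxy CA means TLS inspection sits in the path.
        $result.Issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    }
    catch { $result.Error = $_.Exception.GetBaseException().Message }
    finally { $client.Close() }
    [pscustomobject]$result
}

$report = foreach ($ep in $Endpoints) {
    $rule = $ep.Rule
    Test-OutboundHttps -HostName $ep.TestHost |
        Select-Object @{ Name = 'Rule'; Expression = { $rule } }, *
}
$report | Format-Table -AutoSize
```

These are direct socket tests: on a VM that reaches the internet only through an explicit proxy, they fail even when proxy-aware clients can connect.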
