This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We have created a new power automate cloud flow using a service account which have full permission on the SharePoint site (the service account is defines as the site collection admin). the flow do the following:-
1) the user enters a new item inside a custom list >> define the manager inside a field>>save the form
2) the flow will run automatically upon creating the item >> and the flow will break the item permissions grant the creator read-only and the manager contribute.
so my question, can the user, login to Power automate >> create a new flow >> reuse the connection created using the service account and modify the item , even if the user only have read-only permission on it ? is this scenario possible? if the answer is yes, then how we can secure it? am asking this as when i connected to the SharePoint list inside the cloud flow, the connection get added under the connection tab, which means it can be re-used by any user (in other words any user can connect to SharePoint using the service account and do whatever they want using a new cloud flow),, am i correct and is my concern valid?
No the worklow will take their user account (the account they're logged in with) by default. If they have another account they can change connections to that, assuming they have the credentials. But, there is no way for them to reuse a connection like you're asking. You have to have the creds to the account you're trying to authorize with.
Hi @john john
Is Andrew's answer helpful for you? Please feel free to reply.
@Andrew Geddes thanks a lot for the valuable info.. so users can not reuse the service account connection to SharePoint to misuse it ? i am correct?
Second question, but if the user is defined as an owner to the flow after creating it, then for sure the user can connect to the SharePoint using the service account? as the power automate flow were created using the service account. am i correct??
Only users who have the credentials to the service account can use it. They can have access to a workflow with a service account being used as connection - but if they don't have access to that service account and go to change the connection, it will map to an account they have - typically their personal account.
Like, I can be an owner on a workflow where I don't have access to the connecting being used, but I can't use that connection because I don't have access to it. If I touch the flow's connections it won't let me do anything with the service account
Hi @john john
Would you please provide some update of this issue? Please feel free to reply.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
John, I may be misunderstanding here but I don't believe you have any security issues. Connectors will be invoked when running flows, we use service accounts to run most of our flows as an example without issue. However, when creating flows - users can only leverage accounts they have credentials/authorization for. You're clear to proceed with how you've set it up.
We've got similar permission change actions where we've Power Apped the front end of the list. Then we enact security through obscurity, either permissioning via Teams Channel or embedding somewhere. Users have no idea about the data storage on the back end. food for thought
@Andrew Geddes so can the user, login to Power automate >> create a new flow >> reuse the connection created using the service account ? even if the user does not have access to the service account?
Thanks