Is there any security holes if we create an action inside a cloud flow using the Office 365 service account, which have full permsion on the sharepoint site

john john 926 Reputation points
2022-06-03T01:28:17.083+00:00

We have created a new power automate cloud flow using a service account which have full permission on the SharePoint site (the service account is defines as the site collection admin). the flow do the following:-

1) the user enters a new item inside a custom list >> define the manager inside a field>>save the form

2) the flow will run automatically upon creating the item >> and the flow will break the item permissions grant the creator read-only and the manager contribute.

so my question, can the user, login to Power automate >> create a new flow >> reuse the connection created using the service account and modify the item , even if the user only have read-only permission on it ? is this scenario possible? if the answer is yes, then how we can secure it? am asking this as when i connected to the SharePoint list inside the cloud flow, the connection get added under the connection tab, which means it can be re-used by any user (in other words any user can connect to SharePoint using the service account and do whatever they want using a new cloud flow),, am i correct and is my concern valid?

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,594 questions
SharePoint Server Development
SharePoint Server Development
SharePoint Server: A family of Microsoft on-premises document management and storage systems.Development: The process of researching, productizing, and refining new or existing technologies.
1,571 questions
SharePoint Server Management
SharePoint Server Management
SharePoint Server: A family of Microsoft on-premises document management and storage systems.Management: The act or process of organizing, handling, directing or controlling something.
2,796 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andrew Geddes 651 Reputation points
    2022-06-03T15:07:45.09+00:00

    No the worklow will take their user account (the account they're logged in with) by default. If they have another account they can change connections to that, assuming they have the credentials. But, there is no way for them to reuse a connection like you're asking. You have to have the creds to the account you're trying to authorize with.

    2 people found this answer helpful.
  2. Andrew Geddes 651 Reputation points
    2022-06-03T04:17:57.147+00:00

    John, I may be misunderstanding here but I don't believe you have any security issues. Connectors will be invoked when running flows, we use service accounts to run most of our flows as an example without issue. However, when creating flows - users can only leverage accounts they have credentials/authorization for. You're clear to proceed with how you've set it up.

    We've got similar permission change actions where we've Power Apped the front end of the list. Then we enact security through obscurity, either permissioning via Teams Channel or embedding somewhere. Users have no idea about the data storage on the back end. food for thought