Overview
Managing permissions in Power Automate is essential for controlling who can create, edit, share, or run workflows while ensuring data security and compliance. Permissions in Power Automate are controlled through:
Flow ownership and sharing settings
Role-based access control (RBAC) using Microsoft Entra ID (Azure AD)
Power Platform Environment security settings
Data Loss Prevention (DLP) policies
Properly configuring permissions helps organizations prevent unauthorized access, protect sensitive data, and enforce governance policies.
1️⃣ Types of Permissions in Power Automate
🔹 Owner – Full control over the flow (can edit, delete, and share).
🔹 Co-owner – Can edit and share the flow but cannot remove the original owner.
🔹 Run-only User – Can trigger or run the flow but cannot edit or share it.
🔹 Environment Admin – Manages permissions at the environment level.
🔹 DLP Administrator – Controls data usage and security policies.
Example: A finance department flow can be shared with an accountant as a run-only user, while an IT admin remains the owner for maintenance.
2️⃣ Managing Flow Permissions in Power Automate
1. Assigning Flow Ownership and Co-Owners
Steps to add an owner or co-owner:
1️⃣ Open Power Automate > Go to My Flows.
2️⃣ Select the flow > Click on Share.
3️⃣ Enter the user’s email address.
4️⃣ Choose Co-owner or Run-only User.
5️⃣ Click Share to grant permissions.
Co-owners can:
✔️ Modify and update the flow.
✔️ View connections but not edit them.
✔️ Share the flow with others.
Example: An HR automation flow is managed by an HR manager (owner) and HR assistants (co-owners).
2. Managing Run-Only Users (Trigger-Based Permissions)
Steps to assign run-only permissions:
1️⃣ Open Power Automate > My Flows > Select a flow.
2️⃣ Click on Run-Only Users.
3️⃣ Choose users/groups who can run the flow.
4️⃣ Select authentication settings (e.g., use their own credentials or predefined connections).
5️⃣ Click Save to apply permissions.
Example: A sales report automation flow is shared with sales team members as run-only users, so they can trigger reports but not edit the workflow.
3️⃣ Managing Permissions at the Environment Level
🔹 Environment-level security determines who can create, manage, and access flows within an environment.
🔹 Managed via Power Platform Admin Center.
3.1 Assigning Security Roles in an Environment
Steps to assign environment roles:
1️⃣ Go to Power Platform Admin Center (admin.powerplatform.microsoft.com).
2️⃣ Select Environments > Choose the environment.
3️⃣ Click on Settings > Expand Users + permissions.
4️⃣ Select Environment roles and add users/groups.
5️⃣ Assign one of the following roles:
- Environment Admin – Full control over flows, apps, and settings.
- Environment Maker – Can create flows but cannot manage permissions.
Example: An IT admin is assigned as an Environment Admin to manage Power Automate flows, while business users are assigned Environment Maker roles.
4️⃣ Using Microsoft Entra ID (Azure AD) for Advanced Role Management
🔹 Microsoft Entra ID (Azure AD) enables group-based access control to Power Automate flows.
🔹 Permissions can be assigned to security groups instead of individual users.
4.1 Assigning Flow Access via Security Groups
Steps:
1️⃣ Open Microsoft Entra ID (Azure AD) > Groups.
2️⃣ Create a security group for Power Automate users.
3️⃣ Add members (e.g., HR team, finance team).
4️⃣ Assign the group to flows in Power Automate.
Example: A “Finance Automation” security group is created in Azure AD, and all members gain access to financial workflows.
5️⃣ Restricting Data Access with Data Loss Prevention (DLP) Policies
🔹 DLP policies prevent sensitive data from being exposed through unauthorized connectors (e.g., blocking data from SharePoint from being sent to Twitter).
5.1 Setting Up a DLP Policy
1️⃣ Open Power Platform Admin Center.
2️⃣ Navigate to Data Policies > Create a policy.
3️⃣ Define business connectors (approved apps) and non-business connectors (restricted apps).
4️⃣ Apply the policy to selected environments.
5️⃣ Click Save & Publish.
Example: A DLP policy prevents flows from sending customer data from Dynamics 365 to external email services like Gmail.
6️⃣ Managing Permissions for Power Automate Desktop (RPA Flows)
🔹 Power Automate Desktop (RPA) requires additional security due to screen recording, UI automation, and credential handling.
🔹 Secure robotic process automation (RPA) flows by:
✅ Restricting access to RPA bots via Azure AD security groups.
✅ Using Windows Credential Manager for storing bot login details securely.
✅ Enabling session-based permissions to limit RPA execution.
Example: An RPA bot is restricted to IT admins, preventing unauthorized users from executing sensitive automation tasks.
7️⃣ Monitoring and Auditing Flow Permissions
7.1 Reviewing Permissions & Activity Logs
🔹 Regularly review flow permissions in Power Automate Admin Center.
🔹 Enable audit logs in Microsoft Purview Compliance Center to track:
- Who created/modified a flow
- When flows were executed
- Any unauthorized access attempts
Example: An admin notices that an unauthorized user modified a finance approval workflow, triggering an investigation.