Power Automate Security
When users create a flow in Power Automate (or an app in Power Apps), they must supply authentication credentials for any connector providing access to a third-party application or service. For example, when creating a flow that is triggered by the addition of an event to a Google calendar, the designer must provide the credentials needed to log on to the Google account containing the calendar to be monitored.
This fact raises a security concern that the designer must consider. Does the designer want users with whom the flow or app is shared to have access to those credentials? The answer depends on the circumstances, and designers sometimes have multiple options.
When creating and sharing canvas apps in Power Apps, designers will find that the credentials specified for some connectors are shared with the users receiving the app, whereas other connectors require the app users to specify their own credentials to gain access to a third-party application or service.
In the case of flows created with Power Automate, designers can share flows with other users in the following two ways:
■ Co-owners—Receive full access to all the connections configured in the flow. Running the flow as is uses the existing connection credentials. Co-owners can also modify the flow using the existing credentials or reconfigure connections to use different credentials. However, co-owners cannot use the shared credentials to create their own new flows. Adding a co-owner to a flow causes Power Automate to display a Connections Used warning like the one shown in Figure 1-44.
FIGURE 1-44 Connections Used window in Power Automate
■ Run-only users—An option available only in manually triggered flows. When flow creators add run-only users, they must specify whether the connections in the flow will use the credentials provided by the creator or whether the run-only users must specify their own credentials, as shown in Figure 1-45.
FIGURE 1-45 Run-only user permissions