Power Automate
Run a flow that get called from Power App using elevated-like permission

Posted by johnjohnPter (1,950, Season of Giving Solutions 2025)
We have 3 SharePoint lists to manage work orders, as follows:
 
1) WorkOrder list, with ID, Status & Technician
2) WorkOrderDetails list, with ID, Description
3) WOWOD list, which manages the relationship between the 2 lists
 
Now, from a permissions perspective, we want technicians to only manage the work orders assigned to them. For this we did the following:
 
1) When creating work orders using a flow, we define that only admins can edit the WorkOrder list, as we do not want technicians to manage the Status or change the technician.
2) Also, for the WorkOrderDetails list, we manage the item-level permission so that the item is only editable by the admin and the Assigned-To technician.
3) Everything works well so far, but the problem comes when the user finishes his/her work and wants to close the work order: technicians do not have permission to do so, as they can only view the WorkOrder items without being able to modify the status to Closed.
 
To fix this, I created a flow that gets called from Power Apps using a "Close" button and does the following (where I pass the work order ID):
 
 
1) Check if the user who calls the flow is the assigned technician (by comparing x-ms-user-email = the work order technician email) and the work order status = Assigned; if so, close the work order.
2) I defined the Run Only user to be a service account:
 
So I have these questions:
 
1) Is my above approach secure, or can the technician misuse the flow to do things other than modifying the status from Assigned to Closed, like changing the technician field?
 
2) Can the technician benefit from the service account connection outside the flow?
 
3) Any comment on my above approach will be highly appreciated.
 
Regards
 
 
  • Suggested answer
    Vish WR (3,290)
     

    Your approach is correct and this is the recommended pattern for elevated permissions in Power Apps.

    On your questions:

    1. Is it secure? Yes. The flow only ever updates Status to Done — nothing else is exposed. The condition checking both the assigned technician email and the Assigned status means no one can abuse it to change other fields or close someone else's work order. One thing worth knowing — the x-ms-user-email check is safe within the Power Apps context, but the flow endpoint is technically accessible via URL directly. Your toLower() email comparison is a good defensive layer. To close this gap further, restrict the Run Only permission to a specific security group rather than leaving it open.

    2. Can the technician use the service account connection outside the flow? No. As shown in your screenshot, the connection is scoped to this flow only. Run-only users cannot extract or reuse it anywhere else.

    3. Any comments? The design is clean and well thought out. The only improvement worth making is restricting Run Only access to a defined security group instead of open access — that tightens the attack surface and is considered best practice for elevated permission flows.

    Vishnu WR
     
  • Suggested answer
    Kalathiya (2,163, Super User 2026 Season 1)
    Hello @johnjohnPter
     
    One suggestion though:
     
    When a flow is triggered directly from Power Apps, it still runs in the context of the current user for some connectors/actions. To make the design cleaner and avoid future permission-related issues, you can use a Parent/Child flow pattern.
     
    Parent Automate - Trigger from PowerApps
    Child Automate - Trigger from Parent Automate (Trigger Manually) - Move all the logic to this automate
     
    The child flow should use the "Manually trigger a flow" trigger and run using the flow creator's account. This way, all SharePoint updates always run under the flow owner/service account context instead of the technician context, so you will not face any issues related to permissions.
     
    Reference Link:
     
     
     
     
  • johnjohnPter (1,950, Season of Giving Solutions 2025)
    @Vish WR thanks for the detailed and helpful reply. But for point one, currently I am not sharing the flow with any user, so it is even more secure compared to sharing it with a security group, am I correct? I mean the flow is not shared with any user currently.
     
  • Vish WR (3,290)
    Thanks for the clarification.
