web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Agent Academy Hackathon is happening now!
Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Can users modify the p...
Power Apps
Suggested Answer

Can users modify the parameters been passed from Power Apps to Power Automate?

(0) ShareShare
ReportReport
Posted on by johnjohnPter 1,946 Season of Giving Solutions 2025
We have the following scenario: -
 
1) We have a SharePoint list named WorkOrders (WO), where all users have read-only permission on it, while only operation managers can edit/create items inside it
 
2) But we want the technician user to be able to close his own work order/s when they complete them. but if they directly update the WO status to "Closed" using their username from the Power Apps, they will get a permission error.
 
3) So, we implemented this scenario to have an elevated permission settings to be able to update the WO status by the technician, as follow: -
 
3.1) We created a power automate flow, that get called from Power Apps using the (Power Apps V2), where the flow gets the WorkOrderID as a parameter, then inside the flow we get the WO, check if the WorkOrderStatus = Assigned, then check if the user who called the flow (triggerOutputs()['headers']['x-ms-user-email']) = the work order technician
 
3.2) If so then we are fine to have the technician closing the work order
 
3.3) Here is the formula inside Power Apps that calls the flow:-
 
UpdateContext({Status: 'CloseWorkOrder(Elevated)'.Run(varWorkOrder.ID).status});
 
 
3.4) and we define the power automate flow to run as elevated privileges, by defining the service account inside the Run-Only user permission for the SharePoint connection, instead of the Run-only user option as follow: -
 
 
 
Here is the power automate flow related steps, where we are getting the WO, check if the WO technician is the same as the user who called the flow using the (triggerOutputs()['headers']['x-ms-user-email']) property, if so to update the WO status to "Closed":-
 
 
 
so based on the above i have those questions:-
 
1) From a security perspective, can a user who use the Power Apps modify the parameters passed from Power Apps to Power Automate? either the explicit parameter which is the WorkOrderID (WOID), or the implicit parameters such as the "triggerOutputs()['headers']['x-ms-user-email']"?? using browser developer tools for example?
 
2) Is my approach of doing the check inside the workflow, to check if the WorkOrderStatus = Assigned and the WorkOrder technician = the user who called the flow, before closing it ,, a robust approach? and does it mimic doing server-side validation?
 
Thanks 
Categories:
Building Power Apps
I have the same question (0)
  • Suggested answer
    FatihDagdelen Profile Picture
    FatihDagdelen 55 on at
    Hello! :)

    I couldn't resist because they are great questions and as I said, these are just my knowledge, I hope it helps :)
     

    1) Can a user modify the parameters passed from Power Apps to Power Automate using browser developer tools?

    Yes, a user with sufficient knowledge of browser developer tools and network inspection techniques (such as using Chrome DevTools or Fiddler) can potentially modify the parameters being passed from Power Apps to Power Automate. Here’s how:

    • Explicit Parameter Manipulation (WorkOrderID - WOID):

      • Since Power Apps calls Power Automate using HTTP requests, a user can intercept and modify the WorkOrderID parameter before it reaches Power Automate.
      • If no validation is done inside Power Automate, a technician could attempt to close someone else’s work order by modifying the ID.

    • Implicit Parameter Manipulation (triggerOutputs()['headers']['x-ms-user-email']):

      • This is more difficult to manipulate, as the header containing the user's email is automatically passed by Microsoft authentication services.
      • However, an attacker could use another authenticated session or attempt to spoof headers if they have advanced knowledge.
      • If the Power Automate flow is not checking the user identity strictly, there could be a risk.

    How to Mitigate This Risk?

    • In Power Automate, verify both:
      1. The WorkOrderID received from Power Apps is associated with the requesting user (i.e., does this technician own this work order?).
      2. The email from triggerOutputs()['headers']['x-ms-user-email'] matches the assigned technician for that WorkOrder.
    • Consider adding logging to detect suspicious changes.
    • Use Dataverse Security Roles instead of SharePoint lists for better control.

    2) Is my approach of doing the check inside Power Automate a robust security approach?

    Your current approach does provide a level of security by checking:

    • If the Work Order Status = "Assigned" before allowing closure.
    • If the technician calling the flow matches the Work Order's assigned technician.

    However, a few improvements are needed to make it fully robust:

    Strengthening the Security:

    1. Prevent WorkOrderID Tampering

      • Instead of passing WorkOrderID directly from Power Apps, retrieve the user's work orders from SharePoint inside the flow itself.
      • This way, a user cannot inject another WorkOrderID they don’t own.

    2. Use Role-Based Access Control (RBAC)

      • Instead of relying on SharePoint list permissions, use Dataverse Security Roles or Azure AD-based authentication to enforce user-level access.

    3. Log and Monitor Activity

      • Implement logging in Power Automate to track when and by whom a Work Order is closed.
      • Send alerts if multiple work orders are closed in a short period.

    4. Consider Using Service Account for API Calls

      • Your Run-Only User configuration using an elevated service account is good.
      • However, ensure that this service account is only executing validated requests.
  • johnjohnPter Profile Picture
    johnjohnPter 1,946 Season of Giving Solutions 2025 on at
    ok thanks for the reply,,, but are we sure that a user can modify the triggerOutputs()['headers']['x-ms-user-email']  ?? i am not talking about stealing/hacking another session,, i am talking about doing this using his credentials by using browser develop tool for example??

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Agent Academy Hackathon is happening now!
Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the April Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
Vish WR Profile Picture

Vish WR 834

#2
Valantis Profile Picture

Valantis 533

#3
Haque Profile Picture

Haque 410

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans