Hello everybody,
I'm writing this topic to better understand the use of Connection References in terms of security/licensing (the concept of the feature itself, I get).
I'm currently working with a customer that works exclusively in a "low code" approach, and there are a lot of small apps (model-driven or canvas apps) to build. In other words, we have a lot of different solutions which contain a lot of Power Automate flows....
At the beginning, the connection references were set up with the personal account of someone on the team. Of course, we quickly understood the maintainability and security problems with a configuration like that. So now we are trying to put in place a more secure and out-of-the-box approach for these connection references.
- For the "Dataverse steps" (inside the Power Automate flow), it's "easy" because we created application users in Azure/Dataverse (one for each app and for each environment, with a dedicated security role, to avoid working with an application user that is an "Admin"), so it seems OK (from our point of view).
- For the "SharePoint steps", if I follow the logic of the "Dataverse steps", I should create one technical user for each of my apps (per environment) to make sure I don't create a single technical user that is the owner of all of my SharePoint sites. That way, I have segregation of the data stored in the SharePoint sites (so it's more secure...).
Any advice/remark is more than welcome here 🙂
- And I did this for each type of step inside my Power Automate flow (when it's justified, of course).
For example, the steps linked to a shared mailbox will be linked to the technical user of the shared mailbox, etc.
Another reflection (directly linked to the previous one) is about the licensing to use when we use different technical users (behind the connection references) within the Power Automate flow.
For example, I have an app called "Lunch order". And for this app, I have a Power Automate flow which:
- Creates a record in a table in Dataverse
- Populates a Microsoft Word template (from a template present on the SharePoint site)
- Stores the Microsoft Word document (which has been generated from the template) in a folder on the SharePoint site
So, I have 2 application/technical users dedicated to 2 connection references for this Power Automate flow:
1) "TechUser_Sharepoint_PRD", which has the adequate privileges on the target SharePoint site
2) "AppUser_Dataverse_PRD", which has the adequate security role in the right Dataverse environment (and where no licence is required...)
Questions:
- Does "TechUser_Sharepoint_PRD" need an Office (E1, E3 or E5) licence because it is linked to a SharePoint step?
- Does "TechUser_Sharepoint_PRD" need a Dynamics licence because it is linked to a Word step (which is a premium connector)?
Sorry if this has already been asked and answered (but I couldn't find anything about this topic), and it's very unclear to me 😕
I also wish that Microsoft would allow you to rename all your connections for every type of connector they support, so you can identify which account you're using and make cleanup easier. For example, you can rename a FileSystem connection, but not the Office 365 connection. This is really annoying!!!!
I want to piggy-back on this topic raised by @R4isin. I feel like this topic needs to be expanded, and I really wish I had known some best practices for using connection references and types of accounts early on in my Power Automate journey. I've run into a similar situation, and over time I have multiple environments, way too many solutions, and I didn't segregate the connection references between solutions. I made the mistake of reusing connection references between solutions. I realize now that it's not ideal. But I'd like everyone's opinion about this.
It took me a while to figure out how to properly use connection references. But now I have some cleanup to do because I started putting connection reference standards in place a little after the fact.
Here's my architecture: I have three PA environments (DEV, QA, PROD) and a half dozen solutions that keep growing fast (Solution 1, n). Some solutions are purely cloud-based and only use Power Automate cloud flows, but some do call Desktop Flows running on on-prem VMs (internal network). Usually, the flows connect to Office 365 shared inboxes, DataVerse, SharePoint and the internal filesystem.
Initially I didn't even know about connection references, because as soon as you use a connector/add an action that requires a connection, Power Automate will take your credentials and automatically wrap them in a connection reference with a cryptic description. But once I learned about them, I started creating my own and called them something like 'DataVerse Connection Reference - ENVNAME', and that seemed to be more meaningful. I then used that connection reference across multiple solutions, which Power Automate lets you do. It didn't take me too long to realize that it becomes confusing because now I have a web of dependencies amongst all my solutions. To make things worse, I had used my personal work email to make the connections early on. So when you open the connection reference property window and click the connections dropdown, you'd see 3, 4, 5 or more connections that are all named the same (especially for Outlook 365), and the names appear as 'NETWORKID@MYCOMPANY.COM'. I'm sure some of you already see where this is going. Yes. When your password changes, you have to make sure you've updated all 3 or 5 connections.
So here's what I've decided to do and have been implementing in my new solutions, and slowly cleaning up the old solutions:
1- Create a service account that has access to SharePoint, O365 shared inboxes, DataVerse, and the FileSystem.
2- Create a connection reference for each type of connector that is only used in one solution (with a naming convention of 'SOLUTIONPREFIX CONNECTORTYPE CONN REFERENCE'. Ex: "ABCSOL DataVerse Connection Ref").
3- Create a connection using the service account for each type of connector.
4- Select the connection in (3) as the connection for the connection reference in (2).
Using this approach, I only have one connection for each type of connector. Whenever the service account's password changes, I only need to change it once for each type of connection in the "Connections" tab.
I hope this is helpful to some. I'm interested in hearing your opinions and if you have better suggestions/tips.
Thanks!
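As an added example (not code from either poster), the following Python script checks an exported inventory of connection references against the standards the post above lays out: one connection per connector type bound to a service account, connection references not reused across solutions, and a 'SOLUTIONPREFIX CONNECTORTYPE Connection Ref' naming convention. The record shape (`solution`, `displayName`, `connector`, `connectionId`, `connectionOwner`), the sample rows and the service-account address are all constructed assumptions for illustration; a real run would feed it rows pulled from the environment's connection reference table and connection list, and would need the field names mapped accordingly.

```python
"""Audit Power Platform connection references for the anti-patterns described in the post.

Added example, not from the thread. The record fields and all sample data below are
assumptions made for illustration, not the Dataverse/Web API schema.
"""
import json
import re
from collections import defaultdict

# Constructed sample export (not real data). One row per connection reference, with the
# solution it belongs to, the connector it targets, the connection it is bound to and the
# account that owns that connection.
SAMPLE_EXPORT = [
    {"solution": "ABCSOL", "displayName": "ABCSOL DataVerse Connection Ref",
     "connector": "shared_commondataserviceforapps", "connectionId": "c1",
     "connectionOwner": "svc-flows@contoso.com"},
    {"solution": "ABCSOL", "displayName": "ABCSOL SharePoint Connection Ref",
     "connector": "shared_sharepointonline", "connectionId": "c2",
     "connectionOwner": "svc-flows@contoso.com"},
    # Same connection reused from a second solution: the cross-solution dependency web.
    {"solution": "XYZSOL", "displayName": "DataVerse Connection Reference - PROD",
     "connector": "shared_commondataserviceforapps", "connectionId": "c1",
     "connectionOwner": "svc-flows@contoso.com"},
    # Personal work account with several Outlook connections, all shown under the same name.
    {"solution": "XYZSOL", "displayName": "Office 365 Outlook",
     "connector": "shared_office365", "connectionId": "c7",
     "connectionOwner": "networkid@mycompany.com"},
    {"solution": "XYZSOL", "displayName": "XYZSOL Outlook Connection Ref",
     "connector": "shared_office365", "connectionId": "c8",
     "connectionOwner": "networkid@mycompany.com"},
    {"solution": "DEFSOL", "displayName": "DEFSOL Outlook Connection Ref",
     "connector": "shared_office365", "connectionId": "c9",
     "connectionOwner": "networkid@mycompany.com"},
]

# Assumed list of approved service accounts (hypothetical address).
SERVICE_ACCOUNTS = {"svc-flows@contoso.com"}


def shared_connections(records):
    """Connections bound to connection references in more than one solution."""
    by_conn = defaultdict(set)
    for r in records:
        by_conn[r["connectionId"]].add(r["solution"])
    return {cid: sols for cid, sols in by_conn.items() if len(sols) > 1}


def naming_violations(records):
    """Display names that do not follow 'SOLUTIONPREFIX <connector type> Connection Ref'."""
    bad = []
    for r in records:
        pattern = rf"^{re.escape(r['solution'])} \S.* Connection Ref$"
        if not re.match(pattern, r["displayName"]):
            bad.append(r["displayName"])
    return bad


def personal_account_connections(records, service_accounts):
    """Connections owned by anything other than an approved service account."""
    by_owner = defaultdict(set)
    for r in records:
        if r["connectionOwner"] not in service_accounts:
            by_owner[r["connectionOwner"]].add(r["connectionId"])
    return dict(by_owner)


def duplicate_connections(records):
    """Several distinct connections for one account and connector type: every one of
    them has to be updated when that account's password rotates."""
    by_key = defaultdict(set)
    for r in records:
        by_key[f"{r['connectionOwner']} / {r['connector']}"].add(r["connectionId"])
    return {k: v for k, v in by_key.items() if len(v) > 1}


def audit(records, service_accounts=SERVICE_ACCOUNTS):
    """Run all checks; an export that follows the post's standard yields empty results."""
    return {
        "shared_connections": shared_connections(records),
        "naming_violations": naming_violations(records),
        "personal_accounts": personal_account_connections(records, service_accounts),
        "duplicate_connections": duplicate_connections(records),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EXPORT), indent=2, default=sorted))
```

On the sample rows the audit flags connection `c1` as shared by two solutions, two display names outside the convention, and three Outlook connections belonging to the personal account; the two ABCSOL rows alone pass every check, which is the state the cleanup described above is aiming for.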
Hi @R4isin ,
If you use a premium connector, the Office licence may not meet your needs.
Per-app licences, per-user licences and Dynamics licences can use premium connectors.
Best Regards,
Wearsky