Power Platform Community Forum Thread Details

Hi Community,

We are implementing Power Platform (Power Apps + Power Automate) with SharePoint Server Subscription Edition (On-Premises).

Current Architecture

Data Source: SharePoint Server Subscription Edition (On-Prem)

Connectivity: On-Premises Data Gateway (Standard mode)

Authentication:
- Gateway configured using a dedicated AD service account
- SharePoint data connections use Windows Authentication
- Power Apps and Power Automate use the logged-in user’s credentials for identity-based record operations

Security Constraint

Our organization enforces an Active Directory 45-day password expiry policy for all accounts, including service accounts.

Issue

After password expiry and reset (service account or user account):

SharePoint connections in Power Apps and Power Automate break
Flows fail with authentication errors
Manual re-authentication / credential re-entry is required
This causes operational disruption

Questions

What is the recommended authentication pattern for SharePoint Server SE + Power Platform in environments with strict AD password rotation?
Is using a non-expiring managed service account (gMSA) supported for the On-Premises Data Gateway?
Should we:
- Use a single dedicated non-expiring service account for all SharePoint connections?
- Switch to Kerberos delegation?
- Use EffectiveUserName configuration?

What is the recommended enterprise-grade architecture to prevent connection failures after password changes?

We are looking for a secure and compliant design that avoids recurring manual intervention every 45 days.

Any guidance, architecture references, or field experience would be highly appreciated.

Thanks!

Categories:

Power Apps Pro Dev & ISV

Hi @shushantvikram,

Use a Non‑Expiring gMSA (Group Managed Service Account) for the Gateway
A gMSA password rotates automatically by AD and never requires you to update credentials, perfect for the On‑Prem Data Gateway.

Benefits:

No password expiry impact.
Fully supported for on‑prem Windows authentication scenarios (SharePoint SE supports modern auth + Kerberos improvements).
Reduces operational maintenance.

Note: Gateway documentation historically supports gMSA for gateway Windows services, and enterprises commonly use this model for on‑prem identity workloads.

High Level Steps to follow:

Create a gMSA in Active Directory
Assign SPN for SharePoint WebApp if Kerberos is used
Run the On‑Premiss Data Gateway service using the gMSA
Configure all SharePoint SE connections in Power Apps / Power Autmate using the Gateway + Windows Auth (gMSA)
Keep user identity for record‑level logic inside apps, but gate all SharePoint data access through the gateway’s gMSA

This aligns with SE’s modern authentication improvements and enterprise SharePoint service account best practices (SharePoint SE supports multiple specialized service accounts).

References:

https://learn.microsoft.com/en-us/sharepoint/what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition

https://andreasglaser.com/blog/sharepoint-server-subscription-edition-requirements

✅ If this answer helped resolve your issue, please mark it as Accepted so it can help others with the same problem.
👍 Feel free to Like the post if you found it useful.