The Problem: Permissions in Canvas App-Initiated Flows

When working with the Microsoft Power Platform, one common challenge is managing user permissions, especially in scenarios where users need to interact with resources like Entra security groups but shouldn’t be given elevated privileges.

Power Automate provides a powerful solution to this via child flows.

Consider a Canvas App designed to manage Entra security group membership, such as adding or removing users based on inputs. Naturally, Power Automate is used to handle these backend operations.

When an instant cloud flow is triggered directly from the Canvas App, it executes under the context of the user who launched it. This becomes a problem if that user isn’t an owner of the target security group because they’ll be blocked from making changes. Even if a connector in the flow is set up with the connection reference of a service account, the user’s context overrides the connection reference.

 

The Solution: Delegating to a Child Flow

To bypass this limitation, the main flow triggered by the app can call a child flow. Child flows are also instant flows, but they are triggered by another flow. They are configured to run with their own connection references, and importantly, a child flow's connection references are not overridden by the user who triggered the parent flow.

In this setup:

  • The Canvas App triggers a parent instant flow.
  • The parent flow passes parameters (like the user to add/remove and group ID) to a child flow.
  • The child flow is configured to use a service account connection reference. The service account is an owner of the security group.
  • Actions like 'Add user to group' or 'Remove user from group' are now executed successfully, regardless of who triggered the Canvas App.
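
Because the child flow acts with the service account's rights no matter who started the parent, the parameters it receives are the only thing limiting what a caller can change. The following is an added example, not part of the original article and not Power Automate code: a Python model of the checks a child flow could apply before acting, with constructed group IDs, user names and function names.

```python
# Added example: a Python model of the parent -> child hand-off, not Power Automate code.
# Group IDs, UPNs and function names are constructed for illustration.
import re

# Groups this app is meant to manage through the service account (constructed GUIDs).
ALLOWED_GROUPS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}
ALLOWED_ACTIONS = {"add", "remove"}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
UPN_RE = re.compile(r"[A-Za-z0-9._'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_request(action, group_id, target_user):
    """Return a list of reasons to reject; an empty list means the request is in scope."""
    problems = []
    if action not in ALLOWED_ACTIONS:
        problems.append("unknown action")
    gid = str(group_id).strip().lower()
    if not GUID_RE.fullmatch(gid):
        problems.append("group id is not a GUID")
    elif gid not in ALLOWED_GROUPS:
        problems.append("group not managed by this app")
    if not UPN_RE.fullmatch(str(target_user).strip()):
        problems.append("target user is not a valid UPN")
    return problems


def child_flow(action, group_id, target_user, triggered_by, audit_log):
    """Model of the child flow: validate, record who asked, then act as the service account."""
    problems = validate_request(action, group_id, target_user)
    status = "rejected" if problems else "executed"
    # The change itself is made by the service account, so record the real caller here.
    audit_log.append({"by": triggered_by, "action": action, "group": group_id,
                      "user": target_user, "status": status, "problems": problems})
    return status


if __name__ == "__main__":
    log = []
    caller, target = "maker@contoso.example", "alex@contoso.example"
    print(child_flow("add", "11111111-1111-1111-1111-111111111111", target, caller, log))
    print(child_flow("add", "99999999-9999-9999-9999-999999999999", target, caller, log))
    print(log[-1]["problems"])
```

In a real flow the same checks would sit in the child flow ahead of the group action, with the caller's identity passed in by the parent as one of the parameters.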

Benefits

  • Security: End users don’t need direct privileges or group ownership.
  • Control: Admins retain control through the service account.
  • Scalability: The model supports broader delegation without expanding access rights.

Final Thoughts

Using child flows in Power Automate is a clean, secure way to delegate administrative actions without over-permissioning users. It’s a great example of how architecture choices in the Power Platform can balance usability and security.

Below are links to related articles on the sometimes complex subject of flow ownership
