Flow execution ownership is important because understanding in whose name a Power Automate flow runs is crucial for both functionality and security. In this post, we will dive into the concept of “Run-only users” for instant flows and explore the “Run as” options available in automated flows, as well as related subjects such as connection references.
Sharing Instant Flows with Run-only Users
Instant flows often have multiple users triggering them, for instance, where a flow is associated with a Power App available to multiple users. For this reason, instant flows are shared with users as Run-only.
To share an instant flow with a user or security group, select ‘Edit’.
You then specify in whose name the data will be updated. There are two options:
- Provided by Run-only users: The data is updated in the name of the user triggering the flow. In this case, each user will be asked to sign in and create their own connection reference when they first use the flow. If a flow is associated with a Power App, they will be asked to create a connection reference when they first use the app.
- Use this connection: Records can be created or updated in the name of the person who is the primary owner of the flow. This is useful if you want a record to be created in the name of a service account or service principal.
Run-as Automated Flows
By default, automated flows run in the name of the primary owner, and there isn’t an option to share these flows as Run-only.
However, for certain automated flow triggers, for example those triggered by a Dataverse event, Power Automate provides a “Run-as” option. This is available in the trigger action and allows you to specify under which identity the flow will trigger and run. This is a powerful feature that can provide additional flexibility and control over how the flow executes.
The “Run as” option is useful if the flow needs to interact with resources requiring specific access rights that the primary flow owner might not have.
The flow can be run as the Flow owner, the Modifying user, or the Row owner.
- Flow Owner: This is the default option. The flow runs under the credentials and permissions of the primary flow owner. This can be useful in providing consistency and control.
- Modifying User: The flow runs under the identity of the user who triggered the event, such as modifying a record in Dataverse. The actions performed in the flow reflect the user who initiated the change.
- Row Owner: The flow runs as the owner of the specific row that triggered the event. This means that any actions from the flow will be executed with the permissions of the row owner.
For triggers that don’t have a Run-as option, automated flows always run in the name of the primary flow owner.
Why There Are No Run-only or Run-as Options for Scheduled Flows
Scheduled flows in Power Automate, unlike automated flows, do not have a “Run as” option. These flows always run under the identity of the flow’s primary owner. Scheduled flows are system-triggered based on a predefined schedule, not by a specific user action. Since there is no user initiating the trigger, there is no triggering user's identity for the flow to run as.
Additionally, scheduled flows often perform routine tasks that need to run consistently, such as data backups or report generation. Running these flows under the flow owner’s identity ensures that they have the necessary permissions and maintain a reliable execution context. A flow owner can be a service account or service principal, as well as an individual.
Connection References
Connection references are a powerful additional tool that allows individual actions to execute against a different account to the one running the flow. By default, connection references are created in the name of the person creating the flow. However, they can be changed to other users, service accounts or service principals.
To add or change a connection reference, click on the ellipsis of an action, and select ‘Change connection’.
Irrespective of the connection references used for individual actions, for instant flows the user who triggers the flow will need to have access to, and be licensed for, any data sources, even though the records made in those data sources are made in the name of the connection reference.
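The rules above can be combined into a small review aid. The following is an added example, not Power Automate's own code or export format: the `Flow` fields, account names and events are constructed for illustration. It resolves the identity a flow runs as and lists the actions that act as an account other than the person who caused the run.

```python
# Added illustration of the identity rules in this post. Field names and the
# sample values are constructed; this is not a Power Platform export format.
from dataclasses import dataclass, field

@dataclass
class Flow:
    kind: str                                # "instant", "automated", "scheduled"
    owner: str                               # primary owner of the flow
    trigger_supports_run_as: bool = False    # e.g. a Dataverse event trigger
    run_as: str = "flow_owner"               # or "modifying_user", "row_owner"
    run_only_mode: str = "run_only_user"     # or "use_this_connection"
    action_connections: dict = field(default_factory=dict)  # action -> account

def flow_identity(flow, event):
    """Return the identity the flow runs as for one trigger event."""
    if flow.kind == "scheduled":
        return flow.owner                    # no triggering user exists
    if flow.kind == "instant":
        if flow.run_only_mode == "use_this_connection":
            return flow.owner
        return event["triggering_user"]
    if flow.kind != "automated":
        raise ValueError(f"unknown flow kind: {flow.kind}")
    if not flow.trigger_supports_run_as or flow.run_as == "flow_owner":
        return flow.owner                    # no Run-as option, or the default
    if flow.run_as in ("modifying_user", "row_owner"):
        return event[flow.run_as]            # event carries both identities
    raise ValueError(f"unknown run_as: {flow.run_as}")

def delegated_actions(flow, event, actions):
    """List (action, account) pairs that act as someone other than the initiator.

    A scheduled run has no initiator, so every action is reported.
    """
    initiator = event.get("triggering_user") or event.get("modifying_user")
    base = flow_identity(flow, event)
    findings = []
    for action in actions:
        # A connection reference on an action overrides the flow-level identity.
        account = flow.action_connections.get(action, base)
        if account != initiator:
            findings.append((action, account))
    return findings

if __name__ == "__main__":
    flow = Flow("automated", "svc-flows", True, "row_owner")
    event = {"modifying_user": "bob", "row_owner": "carol"}  # constructed event
    print(delegated_actions(flow, event, ["Update row", "Send email"]))
```

Each reported pair is a place where the initiating user's change is carried out with another account's permissions, which is where a least-privilege review of a flow should start.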
Summary
Power Automate provides many options so that a flow can execute exactly as required.
Instant flows always run in the name of the user who triggered them because the flow is shared with that user as a “Run-only” user.
Some automated flows, such as those with Dataverse triggers, can use the “Run-as” feature in the trigger to define in whose name the flow runs. Options are the flow owner, modifying user or row owner.
Scheduled flows always run in the name of the flow owner.
Connection references can be used to interact with data sources as specific users or service accounts.
I hope this summary has been useful. Feel free to add any thoughts or comments below.