Power Automate and the Power Apps trigger – part 3 – Impersonation

This blog series will cover the Power Apps trigger in Power Automate. I will describe how you can trigger a flow from your Power App, how you can provide parameters from your Power App to your flow and how to impersonate actions.

This is part 3 of this blog series, which will cover impersonation of your Power Apps triggered flow.
Part 1 will cover triggering a flow from your Power App.
Part 2 will cover passing parameters to and from your flow

Impersonating your Power Apps triggered flow run

By default, all flows that have been triggered from a Power App will be run under the credentials of the user who triggered the flow. This means these users should have access to the resources provided in the flow (e.g. SharePoint lists, shared mailboxes, etc.). Or don’t they?

Run only users

In order to make use of impersonation, you should configure the Run only users on the Details page of your flow. You may have seen this on the For a selected item or For a selected file SharePoint trigger trigger previously.

Wait, Run only users?!…

If you don’t see the Run only users section on your Details page of your flow, you are probably using the PowerApps trigger instead of the PowerApps (V2) trigger (see also part 1 of this blog series).

The ‘old’ PowerApps trigger didn’t allow you to use impersonation, but with the introduction of the PowerApps (V2) trigger, this has been made available.

So, if you want to use impersonation, you need to make sure to use the PowerApps (V2) trigger.

Configuration of the Run only users section

The configuration is pretty straight forward.

First, you need to click the Edit link within the Run only users section on the Details page.

A pop-out will appear in which you can configure a few things:

  • Invite users or groups; this allows you to determine who can actually run your flow
  • Connections used; this is where you can determine which connections to use

The configure impersonation, we need to configure the connections in the Connections used section.

Use this connection

By default, all connections will be set to Provided by run-only user. This means this connection will run under the credentials of the user who triggered the flow. If you don’t want to give those users access to a certain SharePoint list or if you want to use a shared mailbox for sending a confirmation email, you can change this setting to use a specific account (that already has access) instead.

You can do this by clicking the dropdown underneath the connection and selecting the account that should run the connection (with the Use this connection option):

Please note that you can select any connection that is connected to your account or a connection that has already been configurated within this flow. (e.g. when another owner has edited the flow with its own connections; these connections will also be available).

After selecting the Use this connection option, you will be prompted that users will not be able to use this connection outside of the flow and do not have edit rights to the flow.

That’s fine, so you can just click OK. After this, you may want to configure more Run only permissions. If you’re done, simply click Save and your flow will use these settings from now on.

Flow error

Sometimes, your flow will not run after configuring Run only permissions and will throw an error. This is mostly caused by the selected connections not yet being ‘connected’ to the flow. You can fix this by manually running the flow once from the Details page. It will prompt you for accepting these connections to be used with this flow. After accepting this, your flow will run successfully and can be triggered from your Power App also.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

This site uses Akismet to reduce spam. Learn how your comment data is processed.