Beware When Sharing Power Automate Flows: User Access to Connections
Introduction
When you share a Power Automate flow with other users, especially one that includes actions like “Send an email”, you unintentionally grant them access to your personal connection.
If you share a flow that uses your Outlook connection, the other user can leverage your connection in their own flows. This means they could:
- Read your user profile
- Read, update, and delete your emails
- Send mail as you (the signed-in user)
- Create, read, update, and delete calendar events
- Create, read, update, and delete contacts
Security Risk
Sharing flows without considering connection permissions can expose your account to unintended actions or even compromise your data.
Recommended Solution
Always use a service account for actions like sending emails in shared flows. This approach ensures that no individual user’s account is exposed or at risk when flows are shared or co-owned.
Be mindful of connection sharing in Power Automate to protect your data and maintain security best practices.
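To check existing flows against this recommendation, the following added example (not part of the original article, and not Microsoft tooling) scans a flow inventory for personal connections that other owners can reuse. The inventory field names, the accounts, and the service-account allow-list are assumptions made for illustration; `shared_office365` is the Office 365 Outlook connector.

```python
# Added example: audit an inventory of flows for connections a co-owner can reuse.
# Field names and accounts below are constructed for illustration.

# What a borrowed Office 365 Outlook connection allows, as listed in this article.
OUTLOOK_GRANTS = [
    "read user profile",
    "read/update/delete emails",
    "send mail as the connection owner",
    "manage calendar events",
    "manage contacts",
]
# Assumption: service accounts are tracked in an allow-list of sign-in names.
SERVICE_ACCOUNTS = {"svc-flow-mail@contoso.example"}

FLOWS = [  # constructed sample inventory
    {"name": "Invoice reminder", "owners": ["alice@contoso.example", "bob@contoso.example"],
     "connections": [{"connector": "shared_office365", "created_by": "Alice@contoso.example"}]},
    {"name": "Ticket digest", "owners": ["alice@contoso.example", "carol@contoso.example"],
     "connections": [{"connector": "shared_office365", "created_by": "svc-flow-mail@contoso.example"}]},
    {"name": "Personal notes", "owners": ["dave@contoso.example"],
     "connections": [{"connector": "shared_office365", "created_by": "dave@contoso.example"}]},
]

def exposed_connections(flows, service_accounts=SERVICE_ACCOUNTS):
    """Return one finding per personal connection that other owners of a flow can reuse."""
    allowed = {a.lower() for a in service_accounts}
    findings = []
    for flow in flows:
        for conn in flow["connections"]:
            creator = conn["created_by"].lower()
            if creator in allowed:
                continue  # service-account connection: no individual is exposed
            # Every other owner of the flow gains use of this connection.
            exposed_to = sorted(o.lower() for o in flow["owners"] if o.lower() != creator)
            if not exposed_to:
                continue  # flow is not shared with anyone else
            grants = OUTLOOK_GRANTS if conn["connector"] == "shared_office365" else ["connector-specific"]
            findings.append({"flow": flow["name"], "connection_owner": creator,
                             "connector": conn["connector"], "exposed_to": exposed_to,
                             "grants": grants})
    return findings

if __name__ == "__main__":
    for f in exposed_connections(FLOWS):
        print(f"{f['flow']}: {f['connection_owner']}'s {f['connector']} connection "
              f"is usable by {', '.join(f['exposed_to'])} ({'; '.join(f['grants'])})")
```

Each finding is a flow whose connection should be recreated under a service account before the flow stays shared.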