Move a Flow Connection to a Service Account: Governance Checklist

When a Microsoft Power Automate flow uses a user account as its connection, that flow breaks if the user leaves the organization or changes their password. You need to move the flow connection to a service account to keep the flow running without interruptions. This article explains the governance checklist for moving a flow connection to a service account. It covers the reasons for the move, the step-by-step process, and common pitfalls to avoid.

Why Move a Flow Connection to a Service Account

A service account is a non-human identity used to run automated processes. In Power Automate, a flow connection defines the credentials that the flow uses to access data sources such as SharePoint, Outlook, or SQL Server. When a flow uses a regular user account, the connection relies on that user’s identity and password. If the user’s account is disabled, password expires, or the user leaves the company, the flow stops working. Moving the connection to a service account decouples the flow from any single person. This ensures the flow continues to run even when personnel changes occur. Service accounts also simplify auditing because all flow activity is attributed to a single controlled identity.

Before moving a connection, you must create a service account in Microsoft Entra ID (formerly Azure Active Directory). The service account needs a Microsoft 365 license that includes Power Automate. For flows that access SharePoint, the service account must have at least read access to the relevant site. For flows that send email, the service account must have a mailbox or be granted Send As permissions. You also need Power Automate license assignments — either per-flow or per-user — depending on your organization’s licensing model. Plan to document the service account credentials securely, such as in a password manager or Azure Key Vault.

Steps to Move a Flow Connection to a Service Account

Follow this checklist to move a flow connection from a user account to a service account. Perform each step in the order shown.

1. Identify the flow and its current owner
   Go to Power Automate at make.powerautomate.com. In the left navigation, select My flows. Locate the flow that uses the user account connection. Open the flow details page and note the Owner field. This shows who currently owns the flow. If the owner is leaving, you must transfer ownership to the service account or another admin first.
2. Create the service account in Microsoft Entra ID
   Open the Microsoft Entra admin center at entra.microsoft.com. Select Users and then New user. Fill in the user name (for example, svc-flowname@yourcompany.com) and assign a strong password. Under Assignments, add the necessary licenses: a Microsoft 365 license and a Power Automate license. Click Create. Record the credentials in your secure password store.
3. Grant the service account access to data sources
   For each data source the flow uses, grant the service account the minimum required permissions. For SharePoint: add the service account to the site with Read or Contribute access. For Outlook: the service account must have a licensed mailbox. For SQL Server: grant the service account db_datareader or db_datawriter as needed. Test the account by signing in and accessing the data source manually.
4. Create a new connection in Power Automate
   In Power Automate, select Data > Connections. Click New connection. Choose the connector that the flow uses (for example, SharePoint). When prompted, sign in with the service account credentials. The new connection appears in your connection list. Name it clearly, such as “Service Account – SharePoint Connection”.
5. Edit the flow to use the new connection
   Open the flow in the designer. Select each action or trigger that uses the old connection. Click the ellipsis (…) on the action and choose Change connection. Select the new service account connection from the list. Repeat for every action in the flow. Save the flow.
6. Test the flow with the service account
   Run the flow manually by selecting Test in the top menu. Choose Manually and then Test. Verify that all actions succeed. Check the run history for any errors. If the flow uses triggers like “When an item is created”, create a test item and confirm the flow triggers.
7. Update the flow owner (if applicable)
   If the original owner is leaving, transfer ownership to the service account or another admin. Go to the flow details page. Select Manage sharing. Add the service account or another user as a co-owner. Remove the original owner only after confirming the flow works. Note: service accounts cannot own flows in all scenarios — check your tenant policy.

Common Mistakes and Limitations When Moving a Flow Connection

Service account does not have a Power Automate license

Without a license, the service account cannot use Power Automate connections. Assign a Power Automate per-user plan or a per-flow plan. If your organization uses per-flow plans, assign the plan to the flow itself rather than the account. Check the licensing section in the Power Automate admin center.

Flow uses a premium connector that requires a different license

Some connectors, such as SQL Server or HTTP with Azure AD, require a Power Automate per-user plan with attended RPA or a per-flow plan. If the flow uses such connectors, ensure the service account or flow has the appropriate license. Standard connectors (SharePoint, Outlook, Teams) work with a Microsoft 365 license alone.

Service account cannot sign in to create a connection due to MFA

If your tenant requires multi-factor authentication for all users, the service account will be blocked. Exclude the service account from Conditional Access policies that enforce MFA. In the Entra admin center, go to Protection > Conditional Access. Locate the policy that applies to all users and add the service account as an exclusion. Alternatively, create a separate Conditional Access policy that blocks the service account from interactive sign-in but allows modern authentication.

Flow breaks after the original user’s password changes

If you do not move the connection before the user’s password changes, the flow will fail with a connection error. To recover, sign in to Power Automate as an admin, open the flow, and edit each action to use a new connection created with the service account. If the original user is already disabled, you cannot create a new connection with that identity — you must use the service account from the start.

Service account mailbox is not provisioned

For flows that send email, the service account must have a licensed Exchange Online mailbox. When you assign a Microsoft 365 E3 or E5 license, the mailbox is provisioned automatically. If you assign a lower license, verify the mailbox exists in the Exchange admin center. If the account is cloud-only, the mailbox may take up to 24 hours to appear.

User Account vs Service Account for Power Automate Flows

Item	User Account	Service Account
Dependency on a person	Breaks when user leaves or password changes	No dependency on a single person
License required	User’s Microsoft 365 license	Microsoft 365 license plus Power Automate license
Audit trail	Actions attributed to the specific user	Actions attributed to the controlled identity
Setup complexity	Low – use existing user	Medium – create account, grant permissions, create connection
Best for	Personal flows or short-term projects	Business-critical or long-running flows

After moving the flow connection to a service account, the flow will run independently of any individual user. The key benefit is reliability: the flow continues working even when the original creator leaves or changes their password. Next, consider setting up a monitoring alert for the flow using the Power Automate admin center. Create a rule that notifies your team if the flow fails to run. As an advanced tip, store the service account password in Azure Key Vault and use the Key Vault connector in your flow to retrieve it dynamically. This avoids hard-coding credentials and improves security compliance.