Power Automate - General Discussion
Microsoft's Plans to Enforce 2FA (MFA) for Service Accounts

Microsoft plans to enforce MFA for Azure Admin Portal access for Service Accounts where audit logs have observed logins to the Azure Portal, starting 1 Sep 2025.
This is a significant issue. Our organisation's security token timeout is set to 90 days, affecting thousands of flows with service accounts flagged for MFA enforcement due to indirect log-ins to the Azure Portal. These log-ins are caused by various connections in Power Automate flows, such as those from Entra, Azure Key Vault, and Graph actions. Every 90 days, the person whose mobile phone is associated with a service account must refresh the connections, posing a substantial risk to operations if not done on time. While Microsoft recommends using Service Principals, not all connectors support it, including SharePoint, Outlook, MS Teams, and SQL. We are considering extending security token lifetimes to reduce the impact and are testing with a service account with MFA applied and a 48-hour token timeout. Any ideas on how to deal with this would be appreciated.
 
Reply from MarkRahn (Super User 2025 Season 1):

    I don't have an answer for you from my experience, but this issue is going to be a massive problem for everyone.
     
    The information I do have is pulled directly from ChatGPT which has some good information in there. I took your request and dropped it into a ChatGPT prompt that I have for the Power Platform.
     
    This is the prompt I used:
    "You are an On-Demand Power Platform Expert with deep, up-to-date knowledge of Power Apps, Power Automate, Power BI, Copilot Studio, Dataverse, and the full Microsoft Power Platform ecosystem. Your role is to provide clear, actionable, and expert-level guidance tailored to real-world use cases, troubleshooting, architecture decisions, best practices, and optimization strategies. Always explain your reasoning and suggest alternatives when relevant."
     
    This prompt was taken directly from a LinkedIn post by Howdang Rashid who is an excellent resource BTW:
     
    As a suggestion of a possible avenue to explore, take your simplest flow and see if you can switch it to a Logic App. The Connections in a Logic App are handled in a very different manner than Power Automate.
     
    At the bottom of this reply is a PowerShell script generated by ChatGPT (which I have not tested) which claims to pull Flow Connection details.
     
    This problem is not an issue that can be solved with a Forum Post unfortunately.
     
    Hopefully I have given you some information you can use.
     
    This community is supported by individuals freely devoting their time to answer questions and provide support. They do it to let you know you are not alone. This is a community.

    If someone has been able to answer your questions or solve your problem, please click Does this answer your question. This will help others who have the same question find a solution quickly via the forum search.

    If someone was able to provide you with more information that moved you closer to a solution, throw them a Like. It might make their day. 😊

    Thanks
    -Mark
     
    -------Everything below this line is copied directly from ChatGPT (sorry for the weird formatting)--------------------------------------------------------

    Many enterprises are facing this collision between security posture (MFA on all privileged identities) and Power Platform's limited support for non-interactive auth like Service Principals. Let's break it down strategically:

    ⚠️ Core Risk Areas

    Area: MFA enforcement for service accounts
      Risk: Service account logins to Azure Portal (even indirect) will trigger enforcement post-Sep 1, 2025
      Notes: Microsoft announcement
    Area: Token lifetime (90 days)
      Risk: Requires manual renewal for each Flow connection
      Notes: A mobile phone dependency on service accounts is fragile and not compliant
    Area: Unsupported connectors for SPN
      Risk: SharePoint, Outlook, Teams, SQL still rely on delegated auth (i.e., user context)
      Notes: MS Graph supports SPN, but not all actions in Power Automate use it under the hood

    ✅ Strategic Mitigation Options

    1. Segment Automation Accounts by Connector Type

    • Use SPN + client secret where possible (Graph, Azure AD, Key Vault)
    • Use dedicated managed identity (where supported — e.g., Azure Functions, Logic Apps, or Power Automate Hosted RPA bots)
    • For unsupported connectors, maintain least-privileged service accounts with hardened policies and automatic monitoring
     

    2. Automated Credential Rotation and Connection Rebinding

    • Use Power Platform API (or Admin Connectors) to:
      • Detect expired connections (GET /connections)
      • Rebind new credentials where possible
    • This is partial — works best in environments with environment variables and ALM

    3. Break Dependency on Mobile-Phone MFA for Service Accounts

    • Use hardware tokens (FIDO2, YubiKey) or Authenticator app with shared device policy for group MFA management
    • Consider Conditional Access policies that exempt specific low-privilege service accounts from MFA only for Flow execution, not Azure Portal logins (carefully scoped and monitored)

    4. Token Lifetime Reduction Test

    • A 48-hour timeout for a service account with MFA will accelerate learning but also surface connector-specific timeout behaviors
    • Use this to identify which connectors or Flows require re-architecture or connector swap-outs (e.g., Graph instead of Outlook)

    🧩 Gaps and Microsoft Roadmap Watchlist

    Area: SPN support for Outlook/Teams
      Current Gap: Not supported
      What's Coming? No ETA — track on Microsoft Ideas
    Area: Managed Identity for Cloud Flows
      Current Gap: Not supported
      What's Coming? Under review by Microsoft source
    Area: MFA for SPNs
      Current Gap: Not required
      What's Coming? Good: SPNs will not be impacted by Sept 1 enforcement

    📌 Recommended Next Best Action

    1. Build inventory of all service account–based Flows by connector and token expiry
    2. Classify:
      • Can migrate to SPN or managed identity? ✅
      • Requires human MFA re-auth every 90 days? ⚠️
    3. For ⚠️, plan redesign, or build automated connection alerting & renewal process.


    If you'd like, I can help generate a PowerShell or Power Automate script to extract all Flows with flagged service accounts and connection expiry timestamps.

    # Connect to Power Platform admin (both modules are installed from the PowerShell Gallery)
    Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force -Scope CurrentUser
    Install-Module -Name Microsoft.PowerApps.PowerShell -Force -Scope CurrentUser
    # Login (use global admin or Power Platform admin role)
    Add-PowerAppsAccount
    # Get all environments
    $environments = Get-AdminPowerAppEnvironment
    # Initialize result list (cheaper than repeated array concatenation across thousands of flows)
    $flowAudit = [System.Collections.Generic.List[object]]::new()
    foreach ($env in $environments) {
        Write-Host "Scanning Environment: $($env.DisplayName)"
        # Get all flows in environment
        $flows = Get-AdminFlow -EnvironmentName $env.EnvironmentName
        foreach ($flow in $flows) {
            try {
                # Connection references are part of the flow definition returned by Get-AdminFlow;
                # they are read from there instead of through a separate cmdlet
                $refs = $flow.Internal.properties.connectionReferences
                if (-not $refs) { continue }
                foreach ($prop in $refs.PSObject.Properties) {
                    $ref = $prop.Value
                    # $ref.id looks like /providers/Microsoft.PowerApps/apis/shared_sharepointonline
                    $connectorName  = $ref.id.Split('/')[-1]
                    $connectionName = $ref.connectionName
                    # Resolve the connection itself; this object carries the creating user and the status
                    $connectionDetails = Get-AdminPowerAppConnection -EnvironmentName $env.EnvironmentName `
                        -ConnectorName $connectorName -ConnectionName $connectionName
                    $flowAudit.Add([PSCustomObject]@{
                        EnvironmentName   = $env.DisplayName
                        FlowName          = $flow.DisplayName
                        FlowCreatorId     = $flow.CreatedBy.objectId           # Entra object id of the flow creator
                        ConnectionName    = $connectorName
                        ConnectionSource  = $ref.source                        # Embedded (maker's connection) or Invoker (run-only user)
                        ConnectionUser    = $connectionDetails.CreatedBy.displayName
                        ConnectionUserUPN = $connectionDetails.CreatedBy.email
                        ConnectionStatus  = ($connectionDetails.Statuses.status -join ', ')  # e.g. Connected or Error
                        CreatedTime       = $connectionDetails.CreatedTime
                        LastModifiedTime  = $connectionDetails.LastModifiedTime
                        ExpiryTime        = $connectionDetails.ExpirationTime  # May be null for some types
                    })
                }
            } catch {
                Write-Warning "Failed to retrieve connection info for flow: $($flow.DisplayName) ($($_.Exception.Message))"
            }
        }
    }
    # Export to CSV
    $flowAudit | Export-Csv -Path ".\PowerAutomate_ConnectionAudit.csv" -NoTypeInformation
    Write-Host "Audit complete. Output saved to PowerAutomate_ConnectionAudit.csv"
     
     

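As an added example (not from the thread, from Microsoft, or from the ChatGPT output above), this script carries out the "Classify" and "alerting" steps of the recommended next action against the CSV the inventory script writes: it splits each connection into SPN-capable versus user-token-bound, and for the latter computes when the next forced re-authentication falls. The connector-id table, the `svc-*` naming convention, the 90-day lifetime from the original post and the use of LastModifiedTime as the last interactive sign-in are all assumptions to adjust for your tenant.

```powershell
# Added example: classify audited connections for the MFA/token-lifetime problem above.
# Assumptions (not from the thread): connector ids of the form shared_<name>, a 90-day
# token lifetime, service accounts named svc-*, and LastModifiedTime as the last re-auth.
$TokenLifetimeDays = 90   # security token timeout from the original post
$WarnWithinDays    = 14   # alert window before the next forced re-authentication

# Connector classification; an assumption based on the connectors the thread names. Extend as needed.
$SpnCapable    = @('shared_azuread', 'shared_keyvault')
$DelegatedOnly = @('shared_sharepointonline', 'shared_office365', 'shared_teams', 'shared_sql')

# Constructed sample rows in the column layout of PowerAutomate_ConnectionAudit.csv.
# For real data use: $rows = Import-Csv .\PowerAutomate_ConnectionAudit.csv
$rows = @'
EnvironmentName,FlowName,ConnectionName,ConnectionUserUPN,ConnectionStatus,LastModifiedTime
Prod,Invoice Sync,shared_sharepointonline,svc-automation@contoso.example,Connected,2025-06-01T08:00:00Z
Prod,Invoice Sync,shared_keyvault,svc-automation@contoso.example,Connected,2025-06-01T08:00:00Z
Prod,HR Onboarding,shared_office365,svc-hr@contoso.example,Error,2025-03-15T12:00:00Z
Prod,Teams Alerts,shared_teams,jane.doe@contoso.example,Connected,2025-07-20T09:30:00Z
'@ | ConvertFrom-Csv

$nowUtc = (Get-Date).ToUniversalTime()
$report = foreach ($r in $rows) {
    $class = if     ($SpnCapable    -contains $r.ConnectionName) { 'MigrateToSPN' }
             elseif ($DelegatedOnly -contains $r.ConnectionName) { 'UserTokenRequired' }
             else                                                { 'Review' }

    $isServiceAccount = $r.ConnectionUserUPN -like 'svc-*'
    $dueUtc   = ([datetime]$r.LastModifiedTime).ToUniversalTime().AddDays($TokenLifetimeDays)
    $daysLeft = [math]::Floor(($dueUtc - $nowUtc).TotalDays)

    # Order matters: a broken connection needs action regardless of class or expiry.
    $action = if     ($r.ConnectionStatus -ne 'Connected') { 'Broken: re-authenticate now' }
              elseif ($class -eq 'MigrateToSPN' -and $isServiceAccount) { 'Plan SPN migration' }
              elseif ($class -eq 'UserTokenRequired' -and $daysLeft -lt 0) { 'Re-auth overdue' }
              elseif ($class -eq 'UserTokenRequired' -and $daysLeft -le $WarnWithinDays) { "Re-auth due in $daysLeft day(s)" }
              else { 'OK' }

    [PSCustomObject]@{
        Flow           = "$($r.EnvironmentName)/$($r.FlowName)"
        Connector      = $r.ConnectionName
        Classification = $class
        ServiceAccount = $isServiceAccount
        ReauthDueUtc   = $dueUtc.ToString('yyyy-MM-dd')
        Action         = $action
    }
}

# Anything not 'OK' is the work queue for step 3 (redesign, or alert and renew).
$report | Sort-Object ReauthDueUtc | Format-Table -AutoSize
```

Scheduling this as a daily job and routing rows whose Action is not 'OK' to a ticket or Teams channel gives the automated alerting the reply recommends, without waiting for a flow to fail first.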