Blog

Power Automate: Risks and governance best practices

3 min read
Header_blogpost_Power Automate_Risks and governance best practices-1
3 min read

The cloud allures us with the potential to achieve more and keep pace in the modern world. Cloud collaboration platforms are here to stay, and while many are jockeying for position, Microsoft has done well to establish Microsoft 365 in the hearts of many organizations.


Charged with the capabilities to digitally transform organizations through the end-user, Microsoft 365 user adoption has skyrocketed as employees yearn for the flexibility and convenience that the modern workplace provides. It comes equipped with popular services such as SharePoint, Teams, PowerApps, and Power Automate to allow all users to optimize their daily work lives. Today, we focus on Power Automate and look at the possible compliance and security risks ungoverned adoption could pose. 

Automation for the masses 

Power Automate (Flow) is a powerful productivity tool available as a part of Microsoft 365. In the hands of a skilled person, Power Automate is an invaluable asset that helps you to automate time-consuming and routine tasks, saving you precious time and allowing you to focus on your job. Those who experience using Power Automate say it helps them optimize everyday communication and organization for them to work better within the modern workplace. Setting up a personal workflow that automates a simple process can help the delivery of automated emails, point individuals to the correct content, funnel notifications into one single place making organization easier.  
If you want to know more about what Power Automate is and what its many use cases are, we recommend that you read our blog ‘What is Power Automate: Go with the Flow!’. 
Many organizations want to enable Power Automate for their users. But before they do, they need an answer to one question: how do we ensure that Power Automate won’t expose our organization and its data to risks? 
Using Power Automate connectors, you can stitch multiple services together to build powerful automation workflows. Some connectors are tied to specific services like Outlook, Planner or Trello, and some are more generic, allowing you to call an API or connect to a database of your choosing. 
What’s truly empowering about Power Automate is that every person with access to Power Automate can start automating their work right away, without setting up projects, getting budgets or approvals. But it’s exactly because users can do anything they want, that it makes organizations hesitant to give them access to Power Automate. They’re afraid that the organization and its data might get exposed to risks they can’t control. Are they right? 

What does it mean to govern Power Automate?  

Power Automate governance becomes paramount given the ease of usage of this no-code, low-code solution. Through effective governance, organizations can address critical aspects such as compliance, security, and efficient usage. 
 From the need for establishing policies and monitoring mechanisms to safeguard against unauthorized access, data breaches, and other non-compliance issues, there are a myriad of challenges involved with Power Automate adoption. Once again, a proper governance framework holds the key for the adoption and usage of any cloud collaboration solution, to ensure that the collaboration remains secure.  
With Power Automate, product misgovernance creates other issues.  

Efficiency of flows 

Slow-running flows are a common challenge for organizations with automated processes. Possible causes might be that a flow is in excess of daily action limits for a company’s plan (and an upgrade is required), a flow is exceeding data consumption allowance, or the connector a company is using has protective mechanisms to slow a flow down. In any case, a slow-running flow undermines the advantages of process automation which, in theory, ought to fast-track manual processes, improve productivity, and reduce the risk of error. A governance policy is required for monitoring and catching slow-running flows early, ensuring that processes remain streamlined and operational. 

Errors 

Flows with errors will also compromise the efficiency of automated processes. Users, while executing flows, may encounter run time errors, which cause a flow to stop running unless error handling has been configured. For organizations that run processes via flows, a failed flow can negatively impact operations, causing a decline in productivity. Advances in computing power and process automation generate higher levels of performance for a business, but if the technology does not work, the higher productivity and cost benefits deteriorate quickly. A governance strategy will mitigate the risk of automated flows containing execution errors that might not function as intended. 

Workforce training 

A key component of proper governance of flows is training the workforce regularly. Training not just for end-users, but also for administrators is paramount to increase the efficiency of Power Automate.  

How admins can control Power Automate  

There is no doubt that Power Automate (Flow) is a tool for business users – non-developers who have the know-how to simplify their daily work. But Power Automate also has great potential in organizations, where IT has limited budgets, resources, and many processes in place. Power Automate administrators have a number of tools at their disposal to manage Flows in their organization. While administrators could manage flows via the Power Automate admin center in the past, it was retired over the years, giving way to Power Platform admin center.

View all Flows 

First of all, Power Automate (Flow) administrators can see all environments in their organization. For each environment, they can see all flows. For each flow, they can see who created it, when it was last modified and when and what connectors the flow uses. Administrators can also create new flows, edit existing ones and delete flows that are no longer needed.  

Manage permissions 

Administrators can add users as owners and assign them permissions to edit and control specific flows. They can also share flows with other users.  

Configure data loss prevention policies 

Another security capability that admins have at their disposal is data loss prevention (DLP) policies. Using DLP, admins can divide connectors into two groups: those that have access to business data and those that don’t. When the DLP policy is applied, users won’t be able to build flows with connectors from two different groups. 

What admins can’t do 

Security-aware organizations want to be able to understand how their users work with Power Automate and where the organization’s data is going to. Unfortunately, there are some limitations that prevent them from managing Power Automate effectively.

While admins can get some information about every flow in their organization, they can’t see the flow itself. They can see that a flow is making an HTTP call but they can’t see to what. They can see that a flow connects to a database, but they can’t see to which database. They also can’t see if there are any credentials stored in plain-text that could be exposed to others when sharing or exporting the flow.

The risks of using Power Automate


Like with every custom solution, there are certain risks involved when using it. This isn’t necessarily bad as long as you understand the risk and its impact so you can make an educated choice if you want to accept or mitigate it. 

Power Automate makes it extremely easy to connect multiple different services together and exchange data between them. In fact, it’s so simple, that users don’t need to worry about complexities such as authentication and with just a couple of clicks, they can access data inside and outside their organization.

But this makes it all too easy for users to store an email attachment in a Trello board or a Dropbox account for convenient access. They don’t mean harm and just want to get their job done as quickly as possible. However, they’re not always keeping in mind the consequences for them and their organization. 

More tech-savvy users can use Power Automate to securely connect to enterprise applications protected with Azure Active Directory. To authenticate, they will implement OAuth storing credentials in plain-text in a variable inside the flow. But if they share the flow with others, export it or submit it as a template, these credentials will become visible to others. 

Power Automate governance best practices 

There is a huge opportunity for organizations to automate some of their mundane work with Power Automate. With careful planning and right consideration, Power Automate will deliver on its promise without exposing the organization to any unnecessary risks.

In the end, users will find a different way of doing what they want, perhaps even one outside of your control which in the end is even worse. 

Discover and resolve redundant flows  

As applications grow in complexity, ensuring that every workflow, automation, and process functions optimally is of utmost importance. Discovering and resolving non-functioning and redundant flows is similar to maintaining an engine for peak performance, ensuring your solutions run smoothly and efficiently. 

Resolve accountability issues 

Ambiguity in responsibility makes it difficult to resolve business-critical issues quickly. By identifying and highlighting newly created Flows, those without owners, and ones not shared with service accounts, you can ensure that responsibilities are assigned and issues are promptly addressed.

Flows-without-Owners-tile-Declutter-Dashboard-resizable-3x3-Copy

To ensure continuous access to a flow, it's best to add a service account as a co-owner, even if the flow already exists in an individual's account. Service accounts retain access even when other co-owners depart from the organization. The key principle is to avoid having only one person with access to the flow. This way, if an individual leaves the organization, others can still manage and utilize the flow. 
Consider discovering Flows that use risky activities and start a conversation with their owners about the possible risks. Together, you could decide to assess the contents of the flow and verify that it doesn’t pose any risks to your organization or its data. It sounds more tedious, but it’s an acceptable middle ground between allowing users to do anything and disabling everything. 

Conclusion

One day, Power Automate will get very popular in your organization, so whatever process you choose to assess flows, keep in mind that it should scale to stay seamless and timely with the latest developments in your organization. 
Our Microsoft governance tool Rencore Governance has the capabilities to detect flows. Rencore Governance allows you to choose what you want to track, build relevant reports, and automate with your business processes in mind. If you would like to learn more about Rencore Governance and see it in action, please head to the Rencore Governance product page by clicking the button below. 

*With contributions from Waldek Mastykarz 

Subscribe to our newsletter