Ownership of Resources in the M365 Power Platform
Today we’re going to be digging into the Power Platform in Microsoft 365 a little bit, specifically creating resources in Power Automate and Power Apps. Who should be the owner of these things? Should we be using a service account? What happens if the owner of these resources leaves the company? If you are the Power Platform Admin at your organization, this one is for you.
We’re going to be answering all these questions, and give you a few recommendations for how to best manage resources in the Power Platform. Please enjoy the conversation with Matt Dressel, Ashley Jolman, and myself.
Transcript
Matt – “So this is a huge problem, so I'm going to create a brand-new business process that's mission critical and I'm going to use Office 365 and I'll use my personal account to do it, right? 'Cause it's easy to do, it's free I can make it happen. That shouldn't happen like that is not something that people should be doing.”
*Intro starts*
Mitch – “Welcome back to Make Others Successful, a podcast about modernizing your workplace and improving your organization's communication, collaboration, and business process automation. Today we're going to be digging into the Power Platform in Microsoft 365 a little bit. Specifically, creating resources in power automate and power apps. Who should be the owner of these things? Should we be using a service account? What happens if the owner of these resources leaves the company? We're going to be answering all these questions and give you a few recommendations for how to best manage resources in the power platform. Please enjoy the conversation with Matt Dressel, Ashley Jolman, and myself.”
*Intro ends*
Ashley – “So we just got back from our first in person client meeting in over a year, a year and a half probably.”
Mitch – “It was refreshing. It was like life bringing.”
Ashley – “Very refreshing I think we were all so happy to be there like this is so nice.”
Matt – “It was also a little bit weird because it's the first time that we've been all in the office trying to figure out like, do we all ride in the car to the client’s location? Like they’re in town and-”
Mitch – “The logistics.”
Matt – “Yeah how do we do that and, and we all forgot it was partly over lunch. So-”
Ashley – “Yeah, we're not used to logistics.”
Matt – “Do we, do we get lunch like what are we doing for that, right? Like it's not as easy as getting, going up to your computer and just turning on the screen and-”
Ashley – “We had to warn them that our team is tall in person.”
Matt – “Yeah.”
Ashley – “that can be shocking for people that have been talking to us for a year through our computer.”
Matt – “We never asked them about that, but I like I guess we prepped them enough they didn't say anything usually somebody was like wow yeah.”
Mitch – “Yeah and we did like a card sorting exercise which is awful to do digitally.”
Matt – “Yeah.”
Ashley – “It is.”
Mitch – “It worked great in person, so we're happy that we got to do that yeah.”
Ashley – “Yeah I think we've learned a lot about what works well online and what really works better in person so.”
Matt – “And now we get to a podcast.”
Ashley – “Yeah now we're back to a podcast we've had some heated discussions at the office lately that we decided to resolve while we’re recording.”
Mitch – “So before we dig in too far, let’s do introductions quick and we'll get started. My name is Mitch Herrema I have a background in development and have been helping with some of our modern workplace offerings and kind of operations around here at Bulb and get to fill in with development stuff when I'm able.”
Ashley – “My name is Ashley Jolman I am delivery lead here at Bulb and my background is mostly in project management type work.”
Matt – “And now you're becoming expert in the Power Platform.”
Ashley – “Yes, now that I work here at Bulb, I am dabbling into Power Platform and development work.”
Matt – “Becoming an expert.”
Ashley – “Yes.”
Matt – “So this is Matt Dressel, I am one of the founders of Bulb Digital and I do lots of different things from development, architecture, Office 365, communication, collaboration. So, lots of different things.”
Mitch – “So today we're talking about ownership of resources in the power platform. So, Ashley do you kind of want to set the stage a little bit for us?”
Ashley – “Sure, so something that we encountered here, internally this week, was an individual that had built a flow in power automate that we use for one of our business processes and another user needed to edit that flow. So, the topic came up of how is it going to work with when somebody else owns it and I, for example, need to edit it? Then how do we deal with shared ownership? How do I build this in case that primary resource leaves, the person who built it originally? So, I went to Matt Dressel with this question, and he said it has come up a lot actually with our clients and figuring out ownership in power platform and what happens when people leave. So, we thought hey let's have a discussion about this on the podcast 'cause it is something that we have been encountering more frequently.”
Mitch – “Yeah, we tend to get deep into these conversations in person, and I'm like wait-pause. Let's set up some microphones this can help other people, so looking forward to the chat.”
Matt – “Yeah.”
Ashley – “So, let's start with the original question, which is if I'm working on a flow that is owned by one of my coworkers and they are leaving what happens to that flow? If that individual leaves.”
Matt – “Yeah so, that's a really good question a lot of people have this question. So, one of the biggest things people need to realize is that flow and Power Apps are platforms that are, if you're creating it in the default environment so a standard flow of standard power app that is related to me as a person. So, there can only be one true owner of those resources and that owner is the person that created it. Beyond that I can share ownership with other people, so I can give someone else access, but they are get what's called co-owner access which isn't the same as an owner access. So, owner access is only for one person. So, it's to my account if I leave, I'm no longer-. Note like, if no one else is a co-owner no one has access to it from the standard interface. At the same time, it's not the same as like what you might think of in OneDrive or a mailbox or something like that where, if I delete the account eventually, I'm going to delete it all the way and it's just going to disappear all of it's going to go away. All of those things in the Power Platform kind of linger on, they stay around they don't go away. But they're only accessible by someone who is a Power Platform administrator. So, this would be someone who is a tenant admin or a, a specific administration role called Power Platform administrator. In those cases, you can go in and find those things and you can actually reassign them. So, first thing that everybody needs to be aware of is that they don't go away. It’s not like they get-”
Ashley – “The flow?”
Matt – “Yeah. The flow in the, in the app and all that stuff it doesn't disappear.”
Mitch – “Does it keep running?”
Matt – “Yeah so, that's it gets even trickier so, it will potentially keep running depending on what the connections are. So, if your connection is for is to something or is using a personal account that still exists? So, if you created these things with the service account that connection with use it will use the service account and as long as the service account's available it will continue to operate and run. However, you won't be able to edit it if there's not a note co-owner you wouldn't be able to really do some of the things that only an owner can do with the flow, or the power app and those things are still related to the person who is no longer at the organization and their account is gone. So, you really want to clean those up so, especially if you're using those as a core business process. Again, you want to be looking to using like a service account for the connections, 'cause that will stay on afterwards. But then also you want to be thinking about maybe you shouldn't have the owner of that may not want, may not want that to be a person, you may also want that to be a service account.”
Ashley – “So it sounds like to avoid this issue not to have an individual who may leave or change positions as the owner.”
Matt – “Yeah so, for sure if you can create it as a service account and have the service account on it, which is obviously number one an extra step. So, you gotta remember to do that which is often these things start ad hoc and I'm an individual doing some work and I just created a flow and now it's part of my business process. But then in addition you have to remember to do that and then in addition you've got a challenge related to licensing because that service account needs Office 365 licenses, it may need flow licenses or Power Apps licenses. So, you may be buying that from multiple people because you want to be able to have this thing live out, live beyond the individual.”
Ashley – “So if I'm setting up a new flow and I want this to be timeless because it's going to automate a business process for Bulb on an ongoing basis, it's not just for me as an individual. How should I set that up so that it doesn't matter what happens to me personally?”
Matt – “That’s a great great question, so I'm going to step into a little bit different discussion for a second. So what we've been talking about to up till now is creating things in a very personal level in a particular environment what's known as the default environment. When you ask me what the ideal or best solution is, the best solution is not to create something that is as a business-critical process in the default environment. The default environment is really meant for my personal work that I'm doing right, and the reason I say that is because everybody kind of has the same rights across the entire organization everybody creates in this one space it's free it comes with your license automatically so that's what a lot of people use but if you really are looking to develop a solution within Office 365 for these business solutions. I would be looking to create a new environment and probably create what are called solutions so solutions is actually a little bit bigger wrapper around all of these resources, and the reason I say that is because when you create a flow it's like a one off thing so let's say I have a business process that goes through approvals and maybe there's five different stages of approvals and I have five different flows that do that there's nothing that ties those things together, right? I as the owner of them see them and that's it right there's nothing that says that this is part of this business process or this business unit. Instead to solve that problem, I would recommend creating a solution which a solution allows you to say I created a solution that is you know financial approval right and then within that solution I add power apps and flows and connections that are all packaged in that solution. 
In doing so you're now in a situation where you've got that single package and you can actually administer that and deploy that as one big component, we're at rather than what a lot of people do which is in the main default environment they just create personal flows randomly and then we have all of these problems. So, it's kind of a 2 so. I know that's a little bit bigger answer then probably a lot of people were looking for but that's the ideal that's where I would really go. The minimum which is I think where you were going at is definitely, I would create it is as using a service account and I would make sure the service account is using, you use the service accounts for all of your connections doing that will ensure that your whatever you’re doing is has a longevity that's beyond the, the user the person who would have created it.”
Ashley – “And then anyone who can access the service account can edit get in back later?”
Matt – “Correct anyone who has access to the service account can get in and get later. Another big, big thing about that to that a lot of people need to remember is that if I set up a connection in a flow or a power app and that connection is using my account, right and I give you access to it. You now have access to my connection to whatever that service is. So, what that means is you could potentially do something on my behalf and that's really not great. However, if that's the service account and you are authorized to see the service account anyways it's not as big of a deal right like if you do something that is using the service account you are authorized to use the service account. That's OK and we know that it was the service account.”
Mitch – “So question I had is it could this feel a little bit like black magic where you have a service account set up. You're years down the line you know this thing works because someone set it up at some point. You have no idea why it's still working but like how do you fight that, how do you get on top of that situation.”
Matt – “Yeah so a lot of that comes back to like again that solution and that environment so that's one piece of it. So, what the solution and the environment will do is it allows you to create relationships between all these things and package all of these connections and, and the way that everything works together in one location. It also allows you to separate it out into its own environment, like I was saying, right in an environment means that if I go if I switch to that environment and I go into flow I'm only going to see the flows related to that environment. I'm not going to see the flows that are related to the default environment or maybe another application within your organization is just the things that are self-contained for that solution. So, it's really easy to know what that is and I'm going to say up and to a point right where that falls down is I have a bunch of data that's in SharePoint, well that stuff that got created in SharePoint isn't managed in that solution, right? I have a bunch of stuff that's been created in maybe SQL let's say that you're doing something and there's data in SQL again the table management of that isn't contained in the solution. The solution to the, a solution to that problem would be to do everything within the CDS for the Dataverse, right? So if you do everything with the Dataverse your now everything is all within that one environment right and you have a really good packaged solution to have all of the components of your solution your application all in one spot, but of course that's licensing, right? To create an environment and have a separate environment you have to have some additional licensing but to actually use the environment you don't need additional licensing but the moment you want to connect to SQL or to CDS or some of these other things there's more licensing ramifications.”
Mitch – “So how can someone know where something lives they just, they just know it works and they don't know how set up.”
Ashley – “Yeah the flow.”
Mitch – “Yeah”
Matt – “So it's it's really up to the person who's the power apps admin. So, or a power platform admin so power platform admin is able to look at all of these things in a cohesive way they're going to be able to see all the environments. Each environment will have its own information that they can go look at and get ownership of. It's really up to that, that, that tenant level or power platform level administrator to access it.”
Ashley – “So, how should we handle when an employee is leaving, and we know that they have built flows that we use in their personal account.”
Matt – “Yeah so-”
Ashley – “You mentioned the co-owner thing before, but it sounded like they couldn't, you can make someone a co-owner but that's still different than being the original owner.”
Matt – “It is for sure different the two things that I would do is I would do an audit of what they have. So, you can either do that by going and sitting behind them and going hey let's go look through all your flows let's go look through all of your power apps you can also go into the tables behind CDS or into the administrator, administrator interface and look for things that they own to kind of identify things that you want to investigate. Anything that you want to keep long term you can definitely have them do co ownership that's definitely an OK first step. Long term there are PowerShell scripts that you can run that will actually transfer the ownership from the current owner to a brand-new owner. In addition, so that's PowerShell which may be more difficult for some, some people I will say that if you go into the admin center you can actually share it with someone else but when you do that sharing it's getting the co ownership it won't allow you to directly transfer ownership.”
Ashley – “And there's no way to do that?”
Matt – “Though note, transfer ownership the PowerShell script works so it's just not as convenient.”
Ashley – “So that’s the only way?”
Matt – “That's the only real way to transfer ownership.”
Ashley – “Otherwise that person lets say their account gets shut off. There's no owner if you have-”
Matt – “Yeah, basically there's no more there's pretty much no owner and you can still address it again you use that PowerShell script to transfer it to someone else. So, it's not like you're stuck with no resolution it's just a lot easier if you're proactive before the person leaves. Look through what they've got, identify anything that is is critical that you want to continue to keep owners above, and move it to the appropriate person.”
Ashley – “And to be really proactive would be to set up before-”
Matt – “Beforehand.”
Ashley – “You know procedures in place that people aren't building these in their personal anyways.”
Mitch – “On that note like anyone can go build whatever they want wherever for the most part.”
Matt – “Yep.”
Mitch – “By default, right? How do you wrangle that?”
Matt – “So, this is a huge problem. So, the idea of governance and shadow IT as people call it and the IT department. So, shadow IT if you're not familiar with the term, it's the concept of I'm, I'm going to you know in the old days it's going to put a server under my desk and that's going to be my web server to do so X Y and Z 'cause I don't want to go through the process, the formal IT process to go get this thing to work, right? That's kind of transformed in with Office 365 to I'm going to create a brand-new business process that's mission critical and I'm going to use Office 365 and I'll use my personal account to do it right 'cause it's easy to do it's free I can make it happen. That shouldn't happen like that is not something that people should be doing you can't, you can't or it's difficult I should say, to stop people from doing that. So, the only way to stop them from doing that is to shut it all down right you can just disable all power platform features, stop people from doing anything. The problem with that obviously is you lose all of the other things yeah, all the other things that you get benefits from. So, it's really about educating and partnering with your user base to better understand what it does what it is to take to do these things and empowering them to make that happen. So, if you really want if you really have a desire to get people to be able to do these things and take ownership of it. It requires training, documentation, and governance to say hey this is how you can do that this is the type of thing right and also it can also we found that it helps to clearly articulate the level of service you get if you're doing it in the default environment let's say, right? Like the default environment, so I'll step back to a couple of minutes so the environments also have what are called DLP which is data loss prevention which is the idea of will allow you to connect to certain things.
So, one strategy to try to encourage people to go to corporate IT or to someone and actually get authorization to manage these things is to say hey in our default environment we only allow you connect to Office 365 resources, that's it. That's all you can do, right? We won't let you connect to Salesforce we won't let you connect to any the other business tools that we might have, right? If you want to connect to those things you need to come talk to us and we'll get you an environment where there's another environment that you could get access to and that allows you to engage the customer or engage the client with ‘hey what is this for, what maintenance do you need?’”
Ashley – “Yeah what do you know?”
Matt – “Yeah let's get up for longterm plan, engage for this so that's one way you can encourage them but ultimately that's only one piece of the puzzle and again that can be restrictive if I want to do something for me personally to try to help my daily flow. Do you really want to restrict that? Probably not. What you really want to do is stop someone from building that enterprise level service on their you know related to them personally, right?”
Ashley – “Uh-huh.”
Mitch – “It sounds like it's a lot easier to just lock it down and do any of this stuff.”
Matt – “Uh so-”
Ashley – “We have seen that.”
Matt – “But for sure, from a, from a purely IT perspective there can be a tendency to say yeah let's just lock it all down we don't need any of this stuff, right? If you still believe that IT departments and their development staff are the only solution to solving your customers' problems, yeah. Locking it down is the best choice. If you subscribe to the idea that citizen developers and people who are closest to the work can have some valuable input to these things and provide value in either proof of concepting it or validating the need showing, proving out that it really has value locking it down is probably not the best choice, right. You need to simply figure out how to engage with them. Honestly, we talk about this a lot with our customers our, our philosophy our opinion is it is about the engagement with everyone, right. It's not an us versus them IT is not the bad guy IT is not the savior IT is just another partner in this whole, whole process. Especially when you get into enterprise level solutions enter or mission critical solutions, you're going to want to get someone involved from IT because there's a whole host of things that the regular developer, regular person doing things won't have any really a lot of experience with their understanding.”
Mitch – “Are there any resources that you could point people toward. Where did you learn all this, how do you know all this?”
Matt – “Uh well I've been doing it for very long time. From both angles, from both someone who's done stuff with IT. Managing proxy projects with IT and also developer, you know somebody who's trying to just get something done get it out the door, solve the problem. So, I've seen both sides number one. Number two, Microsoft provides a lot of documentation about environments and how they look at applications, what they call application lifecycle management ALM, for the power platform. All of those things when I look at that those are the things that I've learned, I've used to kind of come up with the strategy that we take when approaching these things. But honestly, it's up to the organization to decide what's best for them with these things and probably the biggest problem a lot of people have is they either a) turn it all on and don't have any documentation or guidance or anything any strategy around it and then all sorts of stuff happens-”
Mitch – “Then they recover later.”
Matt – “Right. Yeah well, they need to recover later and then they, they look like they're really bad when they're starting to take stuff away that people really want, right?”
Ashley – “Yeah, like ours is broken and then they have to figure out why and work backwards.”
Matt – “And then somebody's like well you should have never done that and then they start taking stuff away and people are upset because they were using that.”
Ashley – “Yeah or adding red tape that-”
Matt – “Yeah. Yep or the other end of it they lock it all down you know. We know customers who won't basically it's pointless for them to have a license to any of these things because they aren't letting their users do any of it, right?”
Ashley – “Just a specific department.”
Matt – “Yeah which again if you have a business case for that's what you need either from a legal or policy perspective. It is it is what it is right like that's that's OK, right. But you need to be thinking about it and really thinking about how this affects your culture of IT and approaching it that way, right? Does this add to the the your, your organization and how IT works with everyone or is it a hindrance and have a strategy.”
Mitch – “Also we’ll include some of those resources in the show notes for sure. Matt, do you want to close by just giving us a short summary of what we talked about here and how someone can step in the right direction on this stuff?”
Matt – “Yeah so I would summarize by when someone's creating a flow or a power app you need to think a little bit take, take 15-20 minutes and really think about what it is that you're trying to do. If it's a personal thing for you or a thing that is for your team, so something pretty small, something focused in a small group of people. Doing it were related to your account is probably not a big deal you can probably manage it when you when there's departures it's not going to have a huge impact on the business you would probably be alright. If you're talking about something that is mission critical something that is going to be broad reaching across your organization you really need to step back and engage with whoever it is that your organization that is knowledgeable about the way they implement IT projects and work with Office 365 and come up with a strategy that will be that will work long term. Now that could be as simple as making sure that you get a service account and that all the connections and all of the resources that you create are related to the to the service account. That's there's nothing wrong with that, that will work just fine. It may be that they say, ‘hey let's create an environment for you let's make you an owner of that environment so you can manage that thing or your team and owners of that environment, let's get some other IT resources to help you kind of get set up and ready to go for where you're going to be in some training’. And that's also a really great solution, right. There's no really right or wrong there in this regard it really depends on what you're trying to do and what you're what you're trying to do with what the business outcome is and, and what it means from a longevity perspective and what impact it has on your business and importance it has on your business.”
Ashley – “Alrighty.”
Mitch – “You're going to close us?”
Ashley – “Nope that was just that was also my summary, yeah.”
Matt – “So Ashley, you were the one that started the conversation we started does this does that help does it, I know that's a lot we went a lot of different ways.”
Ashley – “Yeah, yes.”
Matt – “And it winded around but do you know now what to do it once with the, with the flow that somebody left the organization then?”
Ashley – “Yeah I'm going to have you write a PowerShell script for me to transfer the ownership.”
Matt – “Transfer the ownership.”
Ashley – “To our service account.”
Matt – “Yeah there you go. So, problem solved.”
Ashley – “Yes.”
Mitch – “So the good news is we didn't lose our flow and now we know the perfect way to manage all this stuff.”
Ashley – “To get out of it next time.”
Mitch – “Yeah so it'll be better next time, right?”
Matt – “Yeah for sure. We're perfect after the, after we learn a lesson, we never make mistake again.”
Ashley – “No honestly it helps me a lot and knowing I mean how to you know see these problems coming and prevent it from breaking.”
Matt – “Yeah for sure. Our up-and-coming power platform superstar will know everything about it in the future.”
Ashley – “Yes, yeah. Working on it so.”
Mitch – “Cool so hopefully that helps everyone, and we'll see you again next time.”
Ashley – “Bye….bye see you later.”
Matt – “Adios!”
Mitch – “Thanks for joining us today! If you haven't already, subscribe to our show on your favorite podcasting app so you'll always be up to date on the most recent episodes. This podcast is hosted by the team members of Bulb Digital, special thanks to Eric Veeneman for our music tracks. If you have any questions for us head over to makeotherssuccessful.com and you can get in touch with us there. You'll also find a lot of insightful blogs and videos to help you modernize your workplace, thanks again for listening we’ll see you next time.”
*Outro music plays*