Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
Highlighted
Level 3 Contributor

Effect of MFA on Service Accounts in Logic Apps/Flows etc

Hi all

 

We have had MFA enabled on admin accounts and end user accounts for some time. One thing we didnt do however was enable it on all service accounts. Specifically we have a small number of service accounts that are used by logic apps in azure.

 

When we enable MFA for these accounts, what is the correct means by which to allow these accounts to still connect to things like SharePoint lists and D365? We have actually had problems with these connectors even without the use of MFA which is why we were in no rush to make it more complicated than it needed to be.

 

Thanks in advance

 

Simon

7 REPLIES 7
Highlighted
Level 5 Contributor

Re: Effect of MFA on Service Accounts in Logic Apps/Flows etc

We have a similar question about Microsoft Flow.  We added IP address exclusions for the servers that host flow Flow to keep it working.  What is the solution for this?  We didn't like excluding the IP addresses in the first place, and now that won't comply wiht the new requirements.  Microsoft, how do we keep Flow and PowerApps working with these new requirements?

Highlighted
Level 5 Contributor

Re: Effect of MFA on Service Accounts in Logic Apps/Flows etc

@JanoschUlmer I'd like to bump this question before tomorrow's office hours.  How do we keep using Flow and PowerApps with MFA enabled on all accounts and no IP based exclusions?  We're using these for business processes and can't just stop.  Thank you.

Highlighted
Level 5 Contributor

Re: Effect of MFA on Service Accounts in Logic Apps/Flows etc

I just heard during the office hours that Microsoft is still working on this but that a solution will not be in place before August 1.  Hopefully they have a solution soon after.

Highlighted
Level 3 Contributor

Re: Effect of MFA on Service Accounts in Logic Apps/Flows etc

Hi, we have the same problem. Whole our CRM in Dynamics and SharePoint automatization running on service accounts with Flow and Logic Apps with service accounts allowed to sign only from Azure IP spaces and users done with recommendations like https://support.microsoft.com/en-us/help/4467879/conditional-access-and-multi-factor-authentication-in-flow. How to solve this?

Highlighted
Level 1 Contributor

Re: Effect of MFA on Service Accounts in Logic Apps/Flows etc

 


@simonharvey wrote:

Hi all

 

We have had MFA enabled on admin accounts and end user accounts for some time. One thing we didnt do however was enable it on all service accounts. Specifically we have a small number of service accounts that are used by logic apps in azure.

 

When we enable MFA for these accounts, what is the correct means by which to allow these accounts to still connect to things like SharePoint lists and D365? We have actually had problems with these connectors even without the use of MFA which is why we were in no rush to make it more complicated than it needed to be.

 

Thanks in advance

 

Simon


Any update on this?  

Highlighted
Level 5 Contributor

Re: Effect of MFA on Service Accounts in Logic Apps/Flows etc

I'm wondering if there's any official update about Microsoft Flow and the accounts used to create flows and connecting to services having MFA enabled.  Can we safely remove our IP address exclusions and have our flows still work?  Will everyone ahve to log in again and somehow re-authorize their flows and connections after the IP exclusions are removed?

Highlighted
Microsoft

Re: Effect of MFA on Service Accounts in Logic Apps/Flows etc

Flow would need to be re-authorized as per https://support.microsoft.com/en-us/help/4467879/conditional-access-and-multi-factor-authentication-in-flow(see effect 1 under "more Information")  after you enable MFA on the account which set up a flow before.