How to manage orphan flows when the owner leaves the organization
This article describes how to manage orphan flows when the owner leaves the organization.
Applies to: Power Automate
Original KB number: 4556130
A flow turns into an orphaned flow when it doesn't have a valid owner anymore. It often happens when the creator or owner of the flow has left the organization and there's no co-owner. If the flow uses connections that require authentication, then it might start failing because the user identity isn't valid anymore.
Admins can maintain continuity of the business process automated by the flow by adding one or more co-owners to it. Co-owners have full control over the flow, just like the original owner: they can fix authentication for any connections the flow uses and enable the flow if it has been disabled.
Note
Only privileged users can view flows that don't have any valid owners.
On the environment page in the Power Platform Admin Center, go to the Resources tab and then open the Flow list. Orphaned flows don't have an owner displayed in the Owners column.
Select Load more to load the next set of flows so as to ensure you've looked through all flows that might be orphaned.
- From the flow list, select the orphaned flow to open the flow details page.
- Select Manage sharing at the bottom of the Owners list.
- Type in a new owner name and select the new owner account.
- Select Save to save the changes.
Note
It may be hard to find the orphaned flows if there are a large number of flows in your organization. In that case, you can also manage orphaned flows through PowerShell cmdlets.
As an Admin, you can also manage flows by running Power Apps cmdlets for administrators. Make sure you've followed the instructions to complete the installation if you haven't done it before.
You'll need the environment name and flow name (a GUID).
Run the Get-AdminFlowOwnerRole cmdlet with the environment name and flow name to get the list of users and their roles. This lets you verify the current permissions set for the flow.
To assign a co-owner to a flow, run the Set-AdminFlowOwnerRole cmdlet with the Microsoft Entra principal object ID of the new owner.
Set-AdminFlowOwnerRole -EnvironmentName <env name> -FlowName <flow name> -PrincipalType User -RoleName CanEdit -PrincipalObjectId <new owner object id>
Note
You can get the Microsoft Entra principal object ID of a user by running the Get-AzureADUser cmdlet (which is from the AzureAD module). You need to call the Connect-AzureAD cmdlet before running the Get-AzureADUser cmdlet.
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
Run the Get-AdminFlowOwnerRole cmdlet again to verify the new owner is in the list.
Get a list of flows created by a given user by running the following cmdlet, and then apply the steps above to fix every flow on the list.
Get-AdminFlow -EnvironmentName <env name> -CreatedBy <user-object-id>
To get all flows that don't have valid users, loop through all flows in one environment, and verify there's at least one owner or co-owner that exists in Microsoft Entra ID. The following script provides an example:
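# Sign in to Microsoft Entra ID (AzureAD module) before looking up users.
Connect-AzureAD
$env = "<your environment name>"
$flows = Get-AdminFlow -EnvironmentName $env
foreach ($flow in $flows)
{
    $hasValidOwner = $false
    # List every principal that has a role on this flow.
    $permissions = Get-AdminFlowOwnerRole -EnvironmentName $env -FlowName $flow.FlowName
    foreach ($permission in $permissions)
    {
        $roleType = $permission.RoleType
        # Only owners and co-owners (CanEdit) count as valid owners.
        if ($roleType.ToString() -eq "Owner" -or $roleType.ToString() -eq "CanEdit")
        {
            $userId = $permission.PrincipalObjectId
            # An empty result means the user no longer exists in Microsoft Entra ID.
            $users = Get-AzureADUser -Filter "ObjectId eq '$userId'"
            if ($users.Length -gt 0)
            {
                $hasValidOwner = $true
                break
            }
        }
    }
    # Output the flow if no owner or co-owner could be resolved.
    if ($hasValidOwner -eq $false)
    {
        $flow
    }
}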
You can also inject the Set-AdminFlowOwnerRole cmdlet to assign a co-owner for each flow that doesn't have a valid owner.
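The same orphan check written against Microsoft Graph PowerShell, which the deprecation note above recommends, is shown here as an added example; it is not Microsoft's script. It goes one step beyond the script above by also treating a disabled account as not a valid owner, and it reports by default. The `$NewOwnerObjectId` parameter and `$Apply` switch are hypothetical names chosen for this example, and it assumes the Microsoft.Graph.Users and Power Apps administration modules are installed.

```powershell
# Added example, not Microsoft's script. Assumes you can sign in as an admin to
# both Microsoft Graph and the Power Apps administration cmdlets.
param(
    [Parameter(Mandatory)] [string] $EnvironmentName,
    [string] $NewOwnerObjectId,  # hypothetical: Entra object ID of the co-owner to add
    [switch] $Apply              # hypothetical: report only unless this is set
)

Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

$activeUser = @{}   # cache: principal object ID -> $true if an enabled user exists

function Test-ActiveUser {
    param([string] $ObjectId)
    if (-not $activeUser.ContainsKey($ObjectId)) {
        # -Filter returns nothing (no error) for a deleted user. -ErrorAction Stop makes
        # throttling or permission errors abort instead of looking like a missing user.
        $user = Get-MgUser -Filter "id eq '$ObjectId'" -Property Id, AccountEnabled -ErrorAction Stop
        $activeUser[$ObjectId] = [bool]($user -and $user.AccountEnabled)
    }
    $activeUser[$ObjectId]
}

$orphans = foreach ($flow in Get-AdminFlow -EnvironmentName $EnvironmentName) {
    $roles = Get-AdminFlowOwnerRole -EnvironmentName $EnvironmentName -FlowName $flow.FlowName
    # Only user principals are resolved here, as in the script above.
    $ownerIds = @($roles |
        Where-Object { "$($_.RoleType)" -in 'Owner', 'CanEdit' } |
        ForEach-Object PrincipalObjectId |
        Where-Object { $_ })
    if (-not ($ownerIds | Where-Object { Test-ActiveUser $_ })) {
        [pscustomobject]@{ FlowName = $flow.FlowName; OwnerIds = $ownerIds -join ';' }
    }
}

$orphans   # review this list before re-running with -Apply

if ($Apply -and $NewOwnerObjectId) {
    # Refuse to hand full control of the flows to a missing or disabled account.
    if (-not (Test-ActiveUser $NewOwnerObjectId)) {
        throw "New owner $NewOwnerObjectId is not an enabled user."
    }
    foreach ($orphan in $orphans) {
        Set-AdminFlowOwnerRole -EnvironmentName $EnvironmentName -FlowName $orphan.FlowName `
            -PrincipalType User -RoleName CanEdit -PrincipalObjectId $NewOwnerObjectId
    }
}
```

Because a co-owner gets full control of the flow and its connections, run the report first and pass `-Apply` only after the list has been reviewed.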