Enhancing Power Platform Security with MFA for Service Accounts and Exception Rules

In the Power Platform world, service accounts play a critical role in keeping app and flow executions continuous and stable. Managing their security posture, however, and in particular Multi-Factor Authentication (MFA), can be tricky.

While it’s generally recommended not to enforce MFA for service accounts used in Power Apps or Power Automate (an MFA prompt during reauthentication breaks the connection), completely disabling MFA leaves the account vulnerable.

The good news? You can have the best of both worlds by enforcing MFA with exception rules. This article explains how to do that using Microsoft Entra (formerly Azure AD).



🧑‍💼 Why Service Accounts Should Avoid Standard MFA

Service accounts in Power Platform are often used to:

  • Own apps and flows to avoid dependency on individual users

  • Perform actions with elevated privileges (e.g., sending emails, updating records)

  • Maintain stable connections across environments

However, if standard MFA is enabled, connections may fail when a token expires and the service account is prompted to re-authenticate, a prompt that no human is present to answer.



🔒 The Security Risk of Disabling MFA

Disabling MFA completely means the service account is exposed if its credentials are ever leaked or brute-forced. Given the elevated access service accounts often have, this is a significant risk to your data and systems.



✅ Solution: Enforce MFA with Exceptions for Specific Apps

With Microsoft Entra Conditional Access policies, you can enforce MFA globally but exclude the specific cloud apps the service account needs for its background connections. This way, the account:

  • Still requires MFA for every other sign-in, such as an interactive browser sign-in

  • Does not break connections for trusted apps like Power Apps or Power Automate



📌 Example: Cloud Apps to Exclude

You can create exception rules to skip MFA when accessing the following apps:

  • PowerApps and Flow

  • PowerApps Service

  • Office 365

  • Microsoft Graph API

  • Microsoft Entra ID

  • Microsoft Teams

  • Dataverse

  • SharePoint

These exclusions ensure that existing connections in flows or apps continue to work without interruption while other access attempts (e.g., from a browser or new sign-in) still require MFA.



🛠️ How to Set It Up in Microsoft Entra

  1. Go to Microsoft Entra admin center → Security → Conditional Access

  2. Create a new policy and, under Users, include your service account

  3. Under Cloud apps or actions, include All cloud apps

  4. Under Exclude, add the apps the service account connects to (PowerApps, SharePoint, Teams, etc.)

  5. Under Grant, select Require MFA

  6. Save and enable the policy

This configuration requires MFA whenever the service account signs in, except for the excluded apps, where persistent background connections are essential.
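The same policy built through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed, that the service account UPN is a placeholder you replace, and that the service principal display names match the ones shown under Enterprise applications in your tenant; the policy is created in report-only mode so you can check the sign-in logs before enforcing it.

```powershell
# Added example (not from the original article): create the Conditional Access
# policy described above with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "User.Read.All"

# Placeholder UPN: the service account the policy targets.
$serviceAccount = Get-MgUser -UserId "svc-powerplatform@contoso.example"

# Resolve the excluded apps by display name instead of hard-coding app IDs.
# Assumed names: verify each against Enterprise applications in your tenant.
$excludedAppNames = @(
    "Microsoft Flow Service",        # Power Automate ("PowerApps and Flow")
    "PowerApps Service",
    "Office 365 SharePoint Online",
    "Microsoft Teams",
    "Microsoft Graph",
    "Common Data Service"            # Dataverse
)
$excludedAppIds = foreach ($name in $excludedAppNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Top 1
    if (-not $sp) { throw "Service principal '$name' not found; check the display name." }
    $sp.AppId
}

$policy = @{
    displayName   = "Require MFA for Power Platform service account (app exceptions)"
    # Report-only first: review the sign-in logs, then change the state to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @($serviceAccount.Id) }
        applications   = @{
            includeApplications = @("All")      # step 3: All cloud apps
            excludeApplications = $excludedAppIds   # step 4: the exceptions
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")              # step 5: Require MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Once the report-only sign-in log shows the flow connections would have been excluded and interactive sign-ins would have required MFA, update the policy state to "enabled".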



🧠 Final Thoughts

Service accounts are essential for reliability in Power Platform, but they shouldn’t be a security loophole. By using Conditional Access with app-based exceptions, you can strike a sound balance between security and functionality.

This setup allows your flows and apps to run smoothly and securely, without risking disruptions or introducing unnecessary vulnerability.

© 2025 ProgeSwiss. All rights reserved.