Microsoft Flow – Elevating Privileges


A flow with a background trigger, such as “when an item is created or modified”, can run in the context of the flow’s author. Sometimes it is desirable for manually started flows to behave the same way.

For users to see this flow, you first need to add users or groups as “run-only users”, so that they can call the flow from the item context menu. If you don’t add them as run-only users or owners, they can’t see the flow, because the flow is created in the context of its creator.

For instance, suppose you build a document approval workflow that is started by a user without content approval permissions, and after the approver completes the approval step, the flow changes the approval status of the document.

If you don’t have the proper configuration, you get a bad gateway error after the approver completes the approval step.

To overcome this limitation, there is a specific setting that appears when you add “run-only users”, and it is easy to miss if you leave the default values selected.

When you add any users or groups to the run-only section, the option “Provided by run-only user” is selected by default under “Connections used”. For the SharePoint connection that is related to the document approval, change this option to a user that has the proper permissions, and you are good to go.

Save it. Now, if users start the flow with an account that has no approval permissions on the library or list, the document will be properly approved or rejected using the “impersonated” account when the approver takes action.
