What are run-only users in Power Automate?
Run-only users in Microsoft Power Automate are people who have permission to run a specific flow, but they can’t view, change, or manage the flow’s design or setup. In other words, this permission lets certain individuals or groups trigger automations as needed, while keeping the flow’s business logic and sensitive data out of reach. That way, organizations can share automation tools more widely, so more users can benefit from process automation without putting security or compliance at risk.
Especially in sectors like healthcare, finance, or government—where strict data controls are required by standards such as HIPAA, SOX, or GDPR—run-only permissions are incredibly valuable. When you assign run-only permissions, you’re making sure that only the right people can run a flow, whether it’s from Power Automate, Microsoft Teams, SharePoint, PowerApps, or even a mobile device. This is especially helpful in situations where lots of users need to perform a standard task, like submitting a request or kicking off an approval, but only a select few should be able to change how the process works behind the scenes.
Let’s say you work for a large retail company. You might set up a flow so store managers can submit inventory requests with a button in SharePoint. By giving them run-only permissions, the IT team allows managers at hundreds of locations to trigger the process, but only the core operations team can update the logic or data sources. This kind of separation keeps the process running smoothly and reduces accidental or unauthorized changes.
You’ll often see run-only users in flows that are triggered manually or from places like SharePoint lists, PowerApps, or the Power Automate mobile app. This setup is different from making someone a co-owner, and it’s a secure way to let more people use automation while still keeping administrative and design control. If your organization has a Power Platform Center of Excellence (CoE), run-only permissions are a smart way to support citizen development and still let IT keep an eye on things.
Run-only users vs co-owners: key differences
| Feature/Permission | Co-Owners | Run-Only Users |
|---|---|---|
| Edit flow logic | Yes | No |
| Change connections | Yes | No |
| Update triggers and actions | Yes | No |
| Manage sharing and permissions | Yes | No |
| View run history and errors | Yes | No |
| Trigger or run the flow | Yes | Yes |
This difference is important if your organization wants to let people use automation tools, but you still need to keep tight control over how those tools are built and maintained. By sticking to run-only permissions, you can lower risk and make compliance with company or legal rules much easier.
For example, imagine HR has automated onboarding approvals. HR managers might be co-owners, able to update and maintain the flow, while department leads have run-only access to kick off onboarding requests. This keeps the process consistent and ensures only authorized people can make changes to sensitive workflows.
Setting up run-only user permissions
If you want to assign run-only permissions in Power Automate, there are a few steps to follow—and it’s important to know not every type of flow supports this function. Planning ahead as you design your flows really pays off here.
Compatible trigger types for run-only access
Run-only permissions are mainly available for flows with manual triggers. The most common triggers that let you assign run-only users are:
- “Manually trigger a flow” actions, which are popular for button flows in the Power Automate portal or mobile app.
- SharePoint triggers like “For a selected item” and “For a selected file.”
- PowerApps triggers, but specifically with the PowerApps V2 trigger.
Flows that run automatically on a schedule or in response to system events usually don’t support run-only users. So, if you want certain people to run a flow on demand, make sure you pick a compatible trigger from the start.
Keep in mind, Microsoft is always updating what’s possible. For instance, the PowerApps V2 trigger came out to fix security and user context issues with the older V1 version. If you’re planning to scale, it’s smart to check Microsoft’s Power Automate documentation or release notes so your flows stay compatible with run-only scenarios.
SharePoint integration with run-only users
SharePoint is a classic place to use run-only user permissions. When a flow is tied to a SharePoint list or document library and uses “For a selected item” or “For a selected file” as the trigger, you can give run-only permissions to people or groups who have edit rights in SharePoint.
In this setup, users with the right SharePoint permissions can run the flow directly from the list or library. The flow designer can also fine-tune which people or groups are run-only users, making sure access lines up with business rules and data governance needs.
This is great for things like document approvals, updating metadata, or kicking off business processes that end users need to start—without opening up the full automation logic to everyone.
For example, a legal department might use a SharePoint-based flow so contract reviewers can request document signatures. By making those reviewers run-only users, the legal operations team ensures only trusted staff can start the signature process, while the flow’s logic and sensitive integrations stay protected.
PowerApps and run-only user configuration
When you embed flows in PowerApps, the run-only permission model lets app users trigger flows as part of their app experience. To make this work, the flow should use the PowerApps V2 trigger, which offers better security and user context handling than the old V1 trigger.
Giving app users run-only permissions means only people using the app can run the flow, and they can’t see or change the design. This is common in apps that automate approvals, send notifications, or process data, where the app itself controls who can start these actions.
Getting the settings right in both PowerApps and Power Automate is key. You want to make sure run-only permissions are enforced and users have the right access to any data sources or services the flow touches.
For instance, suppose your company has a field service app where technicians log completed work orders. The app triggers a flow to update records in Dynamics 365 or send notifications to supervisors. By giving technicians run-only permissions, IT makes sure the workflow logic stays safe, but technicians can still keep things moving smoothly from the app.
Connection management for run-only users
Using embedded connections
Flows in Power Automate need connections to access services like email, SharePoint, or Dynamics 365. When setting up run-only permissions, the flow owner can decide to use embedded connections—basically, the credentials of whoever owns or created the flow.
When run-only users run the flow, it uses the owner’s permissions and access rights. This is convenient, since run-only users don’t have to set up their own connections, but it also means any action the flow takes is done as the owner, not the person running it.
- This might give run-only users more access than they’d have with their own accounts.
- It’s important to double-check what the embedded connection can do, so you stay in line with your company’s security policies.
- If your organization is subject to audits, document which flows use embedded connections and review them regularly.
For example, if a flow with an embedded connection sends out payroll data, only trusted people should be run-only users—and ideally, the flow’s owner should be a service account with tightly controlled permissions.
User-provided connections
You can also set up flows so run-only users must use their own credentials. In this model, when a run-only user triggers the flow, they’re asked to authenticate, and the flow runs under their permissions.
- Every action is tied to the individual user, which is great for security and tracking.
- This is especially useful in organizations with strict data rules or where regulations require detailed activity logs.
- Make sure all run-only users have the right permissions and licenses to access the services or data sources the flow needs.
- Flow designers should give clear instructions so users know how to set up and approve their connections.
For example, a sales team using a flow to update customer records in Dynamics 365 will have every change logged with the sales rep’s account—a plus for meeting internal audit requirements or regulations like the Sarbanes-Oxley Act.
Best practices for run-only user implementation
- Plan flows carefully for run-only access, focusing on security and simplicity.
- Use only supported triggers and make input requirements clear.
- Provide easy-to-follow guides for run-only users, explaining how to trigger flows, what info they’ll need, and how to interpret feedback or error messages.
- Review run-only user lists regularly to ensure only the right people keep access.
- Use security groups instead of individual users to manage permissions when possible.
- Periodically check both your list of run-only users and your flow’s connections to remove outdated or unnecessary access.
- Make sure run-only permissions in Power Automate align with permissions in integrated platforms like SharePoint or PowerApps.
- For critical business processes, consider using service principals or dedicated service accounts as flow owners.
- Establish a change management plan for flows involving run-only users. For example, restrict access to co-owners while the flow is being updated, test the change, and then reinstate run-only permissions.
Troubleshooting common run-only user issues
- If you don’t see the option to assign run-only users, check that your flow uses a supported trigger and isn’t set to run on a schedule or system event.
- If run-only users can’t execute a flow, verify they have the right permissions in the connected system (e.g., edit rights in SharePoint or app access in PowerApps).
- For user-provided connections, ensure users have completed authentication and have the proper licenses.
- Connection errors may occur if the flow owner’s credentials have expired or if the embedded connection doesn’t have enough privileges. Update the connection or change ownership as needed.
- For flows in PowerApps, confirm you’re using the V2 trigger and that permissions are synced between the app and the flow.
- Update run-only user assignments if SharePoint groups or app user roles change. Regularly syncing permissions helps avoid execution failures or access issues.
Security and governance considerations
- Review who has run-only access regularly to ensure only approved users can run sensitive flows.
- Remove access immediately if someone’s role changes or they leave the company.
- Monitor flows using embedded connections for compliance, since all actions are carried out under the owner’s credentials.
- For highly sensitive or regulated processes, use user-provided connections and maintain detailed logs.
- Include regular audits of flows, permissions, and connection setups in your governance policies.
- Use service principals as flow owners for critical or widely shared automations to lower the risk of disruptions if staff changes.
- Set up clear guidelines for documentation, training, and support so both flow owners and run-only users understand their responsibilities.
- For large organizations, align Power Automate governance with broader IT security frameworks like ISO 27001 or NIST SP 800-53.
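The review points above and in the connection management section (embedded connections that run as the owner, groups instead of individual users, removing people who have left, supported triggers) can be checked mechanically. The following is an added example, not code from this article or from Microsoft: it audits a flow inventory in an assumed schema, and the field names, severity ratings, and sample records are all constructed for illustration rather than taken from a real Power Automate export.

```python
from collections import namedtuple

# Triggers the article lists as supporting run-only users.
RUN_ONLY_TRIGGERS = {"Manually trigger a flow", "For a selected item",
                     "For a selected file", "PowerApps V2"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}  # assumed rating scale
Finding = namedtuple("Finding", "flow severity issue")

def audit_flow(flow, active_principals):
    """Check one record of the assumed inventory schema; return a list of Findings."""
    name, run_only = flow["name"], flow.get("run_only", [])
    if not run_only:
        return []
    out = []
    if flow["trigger"] not in RUN_ONLY_TRIGGERS:
        out.append(Finding(name, "low", "run-only users recorded on an unsupported trigger"))
    embedded = sorted(c["connector"] for c in flow["connections"] if c["mode"] == "embedded")
    if embedded:
        # Embedded connections act as the owner, so each run-only user borrows the
        # owner's reach; a personal owner account is rated worse than a service principal.
        sev = "medium" if flow["owner_type"] == "service_principal" else "high"
        out.append(Finding(name, sev, "embedded connections run as owner: " + ", ".join(embedded)))
    for p in run_only:
        if p["id"] not in active_principals:
            out.append(Finding(name, "high", "stale run-only principal: " + p["id"]))
        elif p["type"] == "user":
            out.append(Finding(name, "low", "individual user instead of group: " + p["id"]))
    return out

def audit(inventory, active_principals):
    """Audit every flow and return findings sorted most severe first."""
    findings = [f for flow in inventory for f in audit_flow(flow, active_principals)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.flow, f.issue))

# Constructed sample data (not a real export).
SAMPLE_ACTIVE = {"alice@example.com", "grp-payroll", "grp-store-managers"}
SAMPLE_INVENTORY = [
    {"name": "Payroll export", "trigger": "Manually trigger a flow", "owner_type": "user",
     "connections": [{"connector": "Office 365 Outlook", "mode": "embedded"}],
     "run_only": [{"id": "alice@example.com", "type": "user"}, {"id": "grp-payroll", "type": "group"}]},
    {"name": "Inventory request", "trigger": "For a selected item", "owner_type": "service_principal",
     "connections": [{"connector": "SharePoint", "mode": "embedded"}],
     "run_only": [{"id": "grp-store-managers", "type": "group"}]},
    {"name": "Work order update", "trigger": "PowerApps V2", "owner_type": "service_principal",
     "connections": [{"connector": "Dynamics 365", "mode": "user_provided"}],
     "run_only": [{"id": "bob@example.com", "type": "user"}]},
]
```

Calling `audit(SAMPLE_INVENTORY, SAMPLE_ACTIVE)` returns the findings ordered for review; feed it your own inventory and directory listing once they are mapped to the assumed fields.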
Advanced scenarios and use cases
Run-only user functionality can be a game-changer in several advanced scenarios across the Microsoft ecosystem:
- In SharePoint, run-only users can kick off flows for document approvals, updating metadata, or launching custom integrations with other business systems.
- Inside PowerApps, run-only users can start complex workflows from custom apps, enabling business processes like leave requests, expense approvals, or provisioning access.
- Power Automate’s flexibility allows for integration with Microsoft Teams, Dynamics 365, and even third-party services—all while keeping automation accessible but controlled with run-only permissions.
- Some organizations use run-only permissions to make mobile-driven workflows possible, letting field staff use the Power Automate app to update statuses, report incidents, or collect data—without ever seeing or changing the underlying logic or sensitive connections.
- For organizations rolling out automation at scale, combining run-only permissions with service principal ownership and strong governance practices helps support automation across the business, while keeping security, compliance, and operational resilience front and center.
As Microsoft keeps expanding the Power Platform ecosystem, new integration options keep emerging. For example, run-only permissions can be used in Microsoft Teams so team members can trigger flows from chatbots or adaptive cards. This approach helps democratize automation even more, making it easy for everyone to participate—while still ensuring only authorized actions are allowed. It’s a smart way to support digital transformation and scale automation, all without sacrificing control or transparency.
Frequently Asked Questions
What is the main difference between run-only users and co-owners in Power Automate?
Run-only users can only execute flows, while co-owners have full control to edit, manage, and troubleshoot flows, including access to run history and error details.
Which triggers support run-only user permissions?
Run-only permissions are mainly supported by manual triggers, such as “Manually trigger a flow,” SharePoint’s “For a selected item/file,” and PowerApps V2 triggers.
Can run-only users see or edit the flow’s logic?
No, run-only users cannot view or change the flow’s design, logic, or connections. Their access is strictly limited to executing the flow.
What should I do if run-only users can’t run a flow?
Check that the flow uses a supported trigger, that users have the necessary permissions in connected systems, and that any required authentication or licensing is complete.
How can run-only permissions help with compliance?
By restricting flow execution to designated users and separating execution from design access, organizations can better comply with data protection standards like HIPAA, SOX, or GDPR.