Error when running a flow from a Power App


For a customer, I have developed a Power App solution. In the Power App, a Power Automate flow is called via MyFlow.Run(). The users in the customer tenant get the following message when the flow is triggered:

"Principal with id <principal-id> does not have ReadAccess right(s) for record with id <record-id> of entity workflow."

I am confused, because in my company tenant where I developed the app I don't get such an error, and when I try it with another user in the customer tenant where I have access there is no problem either. I give the user the same license and the same right to use the app and when I run the app with this user everything works fine. What could be the problem?

Furthermore, what does the principal id mean? I would have thought that would be the ID of the user of the app where it fails. But it is not the id.


There are 2 best solutions below

0
Jonathan On

This sounds like you need rights for Power Automate management, as you run a flow by code. Could the problem be that this right needs to be assigned? Power Automate management rights are situated under /connections on the Power Automate environment URL.

PrincipalID might refer to your user or Entra app source (always confused by the two) in your customer's tenant:

To access resources that are secured by a Microsoft Entra tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal).

The next action I advise is to look up the principalID in your error log in Entra, EnterpriseApp or AppReg.

0
Tobias On

Thanks for your replies. I had a discussion about the issue elsewhere as well: https://powerusers.microsoft.com/t5/Building-Power-Apps/Error-when-running-a-flow-from-a-Power-App/td-p/2676866

Eventually I had to share the flow with the user who is using the app. That was very confusing for me as a newbie in the Power Platform, because I thought I would run the flow in the context of a preset user (e.g. the owner of the flow) by setting the "Connections used" in the "Manage run-only permissions" dialog to an explicit connection instead of "Provided by run-only user". For me that would be okay, because for this flow it is not important to run it in the context of the app user. But that did not work as expected (by me).

But I didn't want to have to share the flow with every single user that uses the app, either. So I shared it with the group of the SharePoint website under which the lists that I access are stored. All users of the app have to be in this group anyway so that they can access the data in the lists via the app.

If anyone has a better solution, now knowing the context, then I would welcome it.