How to manage orphan flows when the owner leaves the organization

This article describes how to manage orphan flows when the owner leaves the organization.

Applies to:   Power Automate
Original KB number:   4556130

What are orphaned flows?

A flow turns into an orphaned flow when it doesn't have a valid owner anymore. It often happens when the creator or owner of the flow has left the organization and there's no co-owner. If the flow uses connections that require authentication, then it might start failing because the user identity isn't valid anymore.

Admins can maintain continuity on the business process automated by the flow by adding one or more co-owners to it. Co-owners basically have full control over the flow just like the original owner, and can fix authentication for connections if any and enable the flow if it has been disabled.

How to check if there are orphaned flows

On the environment page from Power Platform Admin Center, go to Resources tab and then open the Flow list. Orphaned flows don't have an owner displayed in the Owners column.

Select Load more to load the next set of flows so as to ensure you've looked through all flows that might be orphaned.

Assign new co-owner(s) to an orphaned flow

1. From the flow list, select the orphaned flow to open the flow details page.
2. Select Manage sharing at the bottom of the Owners list.
3. Type in a new owner name and select the new owner account.
4. Select Save to save the changes.

Manage orphaned flows through Power Automate cmdlets for administrators

As an Admin, you can also manage flows by running Power Apps cmdlets for administrators. Make sure you've followed the instructions to complete the installation if you haven't done it before.

Fixing permissions for one flow

You'll need the environment name and flow name (a GUID). Run the Get-AdminFlowOwnerRole cmdlet with environment name and flow name to get the list of users and their roles. Which will enable you to verify the current permissions set for the flow.

To assign a co-owner to a flow, run the Set-AdminFlowOwnerRole cmdlet with the Microsoft Entra principal object ID of the new owner.

Set-AdminFlowOwnerRole -EnvironmentName <env name> -FlowName <flow name> -PrincipalType User -RoleName CanEdit -PrincipalObjectId <new owner object id>

Run the Get-AdminFlowOwnerRole cmdlet again to verify the new owner is in the list.

Fixing permissions for flows created by a particular user

Get a list of flows created by a given user by running the following cmdlet, and then apply the above section to fix every flow on the list.

Get-AdminFlow -EnvironmentName <env name> -CreatedBy <user-object-id>

Listing all orphaned flows in an environment

To get all flows that don't have valid users, loop through all flows in one environment, and verify there's at least one owner or co-owner that exists in Microsoft Entra ID. The following script provides an example:

Connect-AzureAD
$env = "<your environment name>"
$flows = Get-AdminFlow -EnvironmentName $env
foreach ($flow in $flows)
{
    $hasValidOwner = $false
    $permissions = Get-AdminFlowOwnerRole -EnvironmentName $env -FlowName $flow.FlowName
    foreach ($permission in $permissions) 
    {
        $roleType = $permission.RoleType
        
        if ($roleType.ToString() -eq "Owner" -or $roleType.ToString() -eq "CanEdit")
        {
            $userId = $permission.PrincipalObjectId
            $users = Get-AzureADUser -Filter "ObjectId eq '$userId'"

            if ($users.Length -gt 0)
            {
                $hasValidOwner = $true
                break
            }
        }
    }

    if ($hasValidOwner -eq $false)
    {
        $flow
    }
}

You can also inject the Set-AdminFlowOwnerRole cmdlet to assign a co-owner for each flow that doesn't have a valid owner.