The Power Automate Approvals feature is configured on-demand the first time any approval flow runs in an environment and executes the "Create an Approval" or "Start and wait for an approval" steps. The following actions take place to provision Power Automate Approvals:
1. A CDS Database is provisioned and linked to the Power Platform environment if one does not already exist.
2. The latest versions of the msdyn_FlowApprovals and msdyn_FlowApprovalsCore solutions are imported.
3. The Application User that the Power Automate service uses to read and write approval data is created in the CDS database SystemUsers table. It is assigned the "Approvals Administrator" CDS role group to give it permission over the various Approval entities used to track state.
Note: For Default environments, any user in the tenant may be able to trigger the provisioning of the database and installation of the solution. For non-default environments, only an environment admin may initiate provisioning.
On-Demand Solution Upgrade
Users of Power Automate Approvals cannot currently install the Approvals solutions out-of-band outside of the On-Demand Provisioning steps listed above, nor can they upgrade the solution to newer versions.
Solutions are upgraded at the time that features provided by the newer versions are used by a flow. For example, an environment may have an early version of Approvals (188.8.131.52) installed. At the time that a flow in that environment uses a newer feature such as Approval Attachments, the solution will be upgraded to the latest version.
Permissions and Roles
As part of provisioning, the Power Automate application user (UPN: firstname.lastname@example.org) is bootstrapped into the SystemUsers table and assigned the Approvals Administrator role.
When users create or are assigned approvals, they are internally assigned the "Approvals User" role. This grants them permissions on records assigned to them in the CDS database approvals entities.
These roles may need to be customized for your environment depending on the use of other Microsoft or 3rd party Dynamics/CDS plugins that demand additional user privileges to audit data, trigger workflows, etc. Use the Power Platform Admin center and/or Dynamics portal experiences to assign additional permissions to these roles.
1. A CDS database has been created or linked to the Power Platform environment.
Database information can be checked on https://admin.powerplatform.microsoft.com.
2. The CDS database linked to the environment is available in Ready state.
Database state can be checked on https://admin.powerplatform.microsoft.com.
Note: Some lifecycle options like backup and restore can leave the database in disabled or Admin-only states. This prevents usage of Power Automate Approvals and other CDS functionality.
3. The Approvals solutions are installed.
This can be viewed in:
- https://admin.powerplatform.microsoft.com > Click "Dynamics 365 apps".
- The Power Automate portal: https://flow.microsoft.com > Click "Solutions" from the left nav.
- Power Apps: https://make.powerapps.com > Click "Solutions" from the left nav.
4. The email@example.com System user is configured correctly.
From https://admin.powerplatform.microsoft.com, select the environment in question, select "Users", click "Manage Users in Dynamics 365", and search for firstname.lastname@example.org. A properly configured application user will:
- Exist. If it does not exist but the solution is installed, follow these steps or delete the approvals solution to force a reinstall. (Note: Deleting the solution will delete all approval data!)
- Browse to https://<your CDS org domain name>/main.aspx?etn=systemuser&extraqs=etc%3D8&pagetype=entitylist&forceclassic=1#614445440
- Select "Application Users".
- Click "+ New".
- Select "Application User" from the dropdown near the profile icon.
- For user name and primary email, enter "email@example.com".
- For full name, enter "Microsoft Flow" or "Microsoft Power Automate".
- For application id, enter the appropriate application id from the list and click Save.
- Have the "Approvals Administrator" role assigned. Assign this role if it is not assigned to the user.
- Have a business unit that matches the "Approvals Administrator" role group's business unit. Modify the business unit to match that of the role.
- Have a client access mode of "Non-interactive". Change it to this value if it is not set.