
Starting with Power Automate for desktop version 2.24, the following requires administrative privileges:

  • Changing the tenant that a machine is registered to.

  • Registering an AAD-joined machine to a tenant different from its AAD-joined tenant.

Machines can also be configured to allow non-admins to perform these operations, as explained below.

What are the goals of these restrictions?

These restrictions make it harder for a malicious actor who has already compromised a machine to use Power Automate for desktop to amplify the compromise by commanding and controlling that machine over the network.

You can use the new tenant restriction settings to control which tenants are allowed to run Power Automate desktop scripts on your machines.

Initial machine registration does not require admin privileges but changing the registration restrictions does.

How to register your machine to a different tenant?

We recommend that you define a list of allowed tenants and add them to the registry as described in the Allowing specific tenants section.

Important:

  • Running the Power Automate machine runtime app or the silent registration app as an administrator allows registering machines regardless of the registry configurations below by default.

  • The ability to override the tenant change restrictions by running as admin can be disabled from the registry:

      • Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration

      • Create a new DWORD value (Edit > New > DWORD (32-bit) Value) named DisableTenantChangeRegistrationAdminOverride

      • Set the value to 1

Allowing specific tenants

The safest and recommended way to control which tenants your machines are allowed to register to is the registration tenant allow-list. Your machine will always allow registration to the tenants in the allow-list and deny registration to any other tenant.

Important: When the allow-list is set, the AllowTenantSwitching and AllowRegisteringOutsideOfAADJoinedTenant settings described below are ignored.

To define this list:

  • Run the registry editor (regedit.exe)

  • Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration

  • Create a new string value (Edit > New > String Value) named AllowedRegistrationTenants

  • Double-click the new value and set its data field to a comma-separated list of the tenant IDs that the machine should allow registration to, such as: 3EF1d993-CBD4-4DEA-A50E-939AEDB23F21,5B19777D-814C-43F3-9317-CDBAD0846ED8
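The allow-list and the admin-override lock above can be applied together from an elevated PowerShell session. This is an added example, not a script from the article or from Microsoft; it validates each tenant ID as a GUID before writing, since a mistyped ID silently denies registration to the tenant you meant to allow. The two tenant IDs are the sample values from the article; the function name is a hypothetical one chosen here.

```powershell
# Added example (not from the Microsoft article). Run from an elevated prompt:
# writes AllowedRegistrationTenants (REG_SZ) and, optionally, locks the admin override.
$RegPath = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration'

# Sample tenant IDs taken from the article; replace with your own tenants.
$AllowedTenants = @(
    '3EF1d993-CBD4-4DEA-A50E-939AEDB23F21',
    '5B19777D-814C-43F3-9317-CDBAD0846ED8'
)

function Set-PadRegistrationAllowList {
    param(
        [Parameter(Mandatory)] [string[]] $TenantIds,
        [switch] $LockAdminOverride
    )
    # Refuse anything that is not a well-formed GUID before touching the registry.
    $parsed = [guid]::Empty
    foreach ($id in $TenantIds) {
        if (-not [guid]::TryParse($id, [ref]$parsed)) {
            throw "Not a valid tenant ID: '$id'"
        }
    }
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # REG_SZ holding a comma-separated list, as the article specifies.
    New-ItemProperty -Path $RegPath -Name 'AllowedRegistrationTenants' `
        -PropertyType String -Value ($TenantIds -join ',') -Force | Out-Null
    if ($LockAdminOverride) {
        # REG_DWORD = 1: an elevated runtime or silent registration app can no
        # longer register the machine to a tenant outside the list.
        New-ItemProperty -Path $RegPath -Name 'DisableTenantChangeRegistrationAdminOverride' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Set-PadRegistrationAllowList -TenantIds $AllowedTenants -LockAdminOverride
# Read the values back to confirm what was written.
Get-ItemProperty -Path $RegPath |
    Select-Object AllowedRegistrationTenants, DisableTenantChangeRegistrationAdminOverride
```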

Alternatively, if setting up the tenant allow-list isn't possible, you can use one of the options below to enable cross-tenant registration.

Allowing machine registration to a tenant other than the AAD tenant of the machine

  • Run the registry editor (regedit.exe)

  • Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration

  • Create a new DWORD value (Edit > New > DWORD (32-bit) Value) named AllowRegisteringOutsideOfAADJoinedTenant

  • Double-click the new value and set its data field to 1. Any value other than 1 disables this setting.

Switching machine registration to another tenant

  • Run the registry editor (regedit.exe)

  • Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration

  • Create a new DWORD value (Edit > New > DWORD (32-bit) Value) named AllowTenantSwitching

  • Double-click the new value and set its data field to 1. Any value other than 1 disables this setting.

Validating machine registration when the service starts

The registration restrictions described above are only applied when trying to register the machine. Starting with version 2.31, you can configure Power Automate for desktop to check if the current machine registration is allowed when the Power Automate service (UIFlowService) starts. If the registration is not allowed, the machine will not be able to connect to Power Automate cloud services.

To enable continuous validation:

  • Run the registry editor (regedit.exe)

  • Navigate to this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration

  • Create a new DWORD value (Edit > New > DWORD (32-bit) Value) named EnforceRegistrationTenantRestrictionsOnServiceStart

  • Double-click the new value and set its data field to 1. Any value other than 1 disables this setting.
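Because the allow-list overrides the two opt-in flags, and a flag counts only when it is exactly 1, reading the raw registry values does not directly tell you what policy is in force. The following added example (not from the article or from Microsoft) audits the Registration key and reports the effective policy using the precedence rules stated above; it only reads the registry, so it does not need elevation. Function names are hypothetical, and treating a non-DWORD value as "not set" is this example's assumption.

```powershell
# Added example (not from the Microsoft article): audit the effective
# Power Automate for desktop registration restrictions on this machine.
$RegPath = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Power Automate Desktop\Registration'

function Test-PadFlag {
    param([object] $Props, [string] $Name)
    # "Any value other than 1 disables this setting". The article calls for a
    # REG_DWORD, so a value of any other type is treated as not set (assumption).
    if ($null -eq $Props) { return $false }
    $v = $Props.$Name
    return ($v -is [int]) -and ($v -eq 1)
}

function Get-OptInState {
    param([object] $Props, [string] $Name, [bool] $AllowListSet)
    # The allow-list takes precedence: when it is set the opt-in flags are ignored.
    if ($AllowListSet) { return 'ignored (allow-list set)' }
    if (Test-PadFlag $Props $Name) { return 'enabled' }
    return 'disabled'
}

function Get-PadRegistrationPolicy {
    $props = if (Test-Path $RegPath) { Get-ItemProperty -Path $RegPath } else { $null }
    $allowList = @()
    if ($props -and $props.AllowedRegistrationTenants) {
        $allowList = @($props.AllowedRegistrationTenants -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $hasAllowList = $allowList.Count -gt 0
    $adminLocked  = Test-PadFlag $props 'DisableTenantChangeRegistrationAdminOverride'
    $enforced     = Test-PadFlag $props 'EnforceRegistrationTenantRestrictionsOnServiceStart'

    $findings = @()
    if (-not $hasAllowList) { $findings += 'No AllowedRegistrationTenants list; only the opt-in flags apply.' }
    if (-not $adminLocked)  { $findings += 'Running the runtime or silent registration app elevated still bypasses these settings.' }
    if (-not $enforced)     { $findings += 'Restrictions are checked only at registration, not when UIFlowService starts (2.31+).' }

    [pscustomobject]@{
        AllowedTenants          = $allowList
        CrossTenantRegistration = Get-OptInState $props 'AllowRegisteringOutsideOfAADJoinedTenant' $hasAllowList
        TenantSwitching         = Get-OptInState $props 'AllowTenantSwitching' $hasAllowList
        AdminOverrideLocked     = $adminLocked
        EnforcedOnServiceStart  = $enforced
        Findings                = $findings
    }
}

Get-PadRegistrationPolicy | Format-List
```

An empty Findings list means the allow-list is set, the admin override is locked, and the restrictions are re-checked on each service start.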

Finding your tenant id

From the Power Automate portal

Sign in to the Power Automate portal and press Ctrl + Alt + A. This opens a document in which you can find your tenant ID under userInfo > tenantId.

From the Power Apps portal

Sign in to the Power Apps portal and from the settings (top left) choose Power Apps > session details. This displays a popup with your tenant ID.
