Your flow needs attention…

When you have a flow running under your account and have MFA enabled, you often receive an error email about your flow connection, which states “YOUR FLOW NEEDS ATTENTION….”

This notification is sent because the flow had failed runs due to an invalid flow connection.

We can fix this by just reauthenticating the flow connection, but if this happens too frequently then it may require a back-end fix.

  • Get rid of “Remember Multi-factor authentication”
    • You may be using the “Remember Multi-factor authentication” option from AAD Console –> Users –> All Users –> Multi-Factor Authentication -> Service Settings.
    • We should move away from this setting and configure the same using a Conditional Access policy.
    • This setting overrides the default behavior for modern authentication clients (like Microsoft Outlook), which only prompt every 90 days by default.
    • We can configure the same setting using Conditional Access policies: AAD Console -> Security -> Conditional Access -> Access Controls -> Sessions –> Sign-in Frequency.
  • Exclude selected users from MFA
    • One solution is to exclude the user from MFA, but this may not be possible in all cases, especially when we have MFA enabled for all the accounts.
    • If you apply MFA using Conditional Access policies, then excluding some users is simple: create one group, add all such users to that group, and exclude the group in the policy.
    • Open the Azure AD console, select Security and click Conditional Access.
    • If you already have a policy, open the policy and in the Assignments section -> Users and groups – Exclude – add the group.
  • Exclude Flow location IPs from MFA
    • Another solution is to exclude the Flow service IPs for your location from MFA.
    • For this, create a new named location, like “IP range for Flow in APAC”: Azure AD Console -> Security -> Named Locations.
    • Add the Flow IPs for your tenant location. You can find the IPs using the link below: https://docs.microsoft.com/en-us/power-automate/limits-and-config
    • Now in the Conditional Access policy, Assignments -> Conditions -> Locations – Exclude the named location you have created.
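The same three settings can be scripted instead of clicked through. The following is an added example, not part of the original post: it uses the Microsoft Graph PowerShell module to create the named location and one Conditional Access policy carrying the sign-in frequency, the group exclusion and the location exclusion together (drop whichever exclusion you do not use). The group name, policy name, 90-day value and IP ranges are assumptions or placeholders, and the policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Placeholder ranges (RFC 5737 documentation addresses). Replace them with the
# Flow IPs for your region from the limits-and-config page.
$flowRanges = @('192.0.2.0/28', '198.51.100.16/28')

# Named location holding the Flow service IPs.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'IP range for Flow in APAC'
    isTrusted     = $false
    ipRanges      = @($flowRanges | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# Hypothetical group name for the accounts that own flow connections.
$group = @(Get-MgGroup -Filter "displayName eq 'Flow connection owners'")
if ($group.Count -ne 1) {
    throw "Expected exactly one matching group, found $($group.Count)."
}

$policy = @{
    displayName = 'Require MFA (with Flow exclusions)'   # assumed name
    # Report-only: results are logged but not enforced until state is 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($group[0].Id)          # "Exclude selected users"
        }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)       # "Exclude Flow location IPs"
        }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    # Replaces "Remember Multi-factor authentication"; 90 days is an assumed value.
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = 'days'; value = 90 }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```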
