Microsoft Flow and Azure Conditional Access (Azure MFA)

If you have deployed Azure Conditional Access (Azure MFA), you might have indirectly broken Microsoft Flow and impacted some service accounts used for running a business-critical workflow. It is possible to make an exception in Azure Conditional Access so that your Microsoft Flow is not blocked from working.

Example of issue: PowerUsers: MFA and Invalid Connection in Flow

You can use the workaround below to get Microsoft Flow to work as expected and still maintain some degree of security for your Microsoft Flow service account. I hope that Microsoft in the future will provide a better solution for running Microsoft Flow for customers with Azure Conditional Access enabled. I’m not sure how they will handle this for simple end-users running Microsoft Flow and what happens on the back-end when the account tries to obtain a new Azure Access Token based on the Azure Primary Refresh Token or gaining access to the resources. I have added this to the list of things that the guys/girls in Redmond need to explain one day.


  1. Create an exception for the user in the existing “Azure Conditional Access” policy that is blocking Microsoft Flow from doing its magic.

  2. Create a new “Network Location” under Azure Active Directory -> Conditional Access. Name it something like “Microsoft Azure Logic App – Microsoft Flow” and add the IP ranges for Microsoft Flow for your tenant region. Find the IP range associated with your tenant here: Limits and configuration in Microsoft Flow.

  3. Create a new “Azure Conditional Access” policy that uses “block access” for the specific Microsoft Flow user (or group of users), and add the newly created “Network Location” as an “Exclusion” for this policy.

This should make your Microsoft Flow work again and retain some level of security for the accounts.
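The last two steps above (the named location and the block policy that excludes it) can also be scripted. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; the CIDR ranges, the user object ID and the policy display name are placeholders or assumptions. The policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example. Replace every placeholder before use.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin is allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of the Microsoft Flow service account.
$flowUserId = '00000000-0000-0000-0000-000000000000'

# Placeholders (documentation ranges). Use the ranges listed for your tenant
# region in "Limits and configuration in Microsoft Flow".
$flowCidrs = @('192.0.2.0/24', '198.51.100.0/24')

# Named location holding the Microsoft Flow IP ranges.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Microsoft Azure Logic App - Microsoft Flow'
    isTrusted     = $false
    ipRanges      = @($flowCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# Block policy: applies to the service account from any location,
# except the named location created above.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Flow service account outside Flow IP ranges'  # assumed name
    state         = 'enabledForReportingButNotEnforced'  # report-only; set to 'enabled' once verified
    conditions    = @{
        users          = @{ includeUsers = @($flowUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Show what was created.
$policy | Select-Object Id, DisplayName, State
```

The exception in the existing MFA policy from the first step is not covered here and still has to be added separately.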









