
Microsoft Flow and PowerApps – Dealing with Business Critical Applications

From the outside, Microsoft Teams is the top topic, and in many companies the tool is also seen as an adoption accelerator or as the communication tool for 2019. But if we look deeper into the processes and the companies of our community, we see that Microsoft Flow and PowerApps are the real heroes. They connect places, people, files or even rooms with users so quickly and easily that the user doesn’t need much time or programming knowledge.

Business critical applications – a challenge

Anyone who uses Flow to build new workflows quickly and effectively will soon notice that these workflows are not only about attachments from emails, but can also often become critical for the company’s business if they fail. Business-critical applications have increased requirements, so they are built redundantly and monitored: a failure of one system can be intercepted by a second and possibly a third one.

Flow – Microsoft Vision and What Customers Do

Microsoft Flow was initially intended to enable employees without programming skills to support their daily work with small workflows and to perform repetitive tasks through automation.

When we ask our community and their companies, Flow is of course also used for the intended purpose, but more and more also for business-critical applications. On the one hand, this happens when Flow is used for more complex and, above all, general workflows. On the other hand, it happens more and more often that employees or department heads, consciously or unconsciously, digitize processes that are important for their departments with Flow and PowerApps.

These flows are built under an individual employee’s account. If that employee leaves the company, forgets to transfer them, or receives another license or more, then the flows stop and there is a medium to large problem.

Challenges with flow and critical workflows

The following challenges can arise, along with issues that have probably not been explored yet:

  • Licenses
  • Documentation
  • Redundancy
  • Monitoring and analysis
  • No communication with the IT department
  • No risk management
  • Data protection area (e.g. procedural index/processing index)

Approaches

Sensitization – Control – Trust

  • Central community on Teams/Yammer
  • Centralized wiki for employees with Flow driver’s license & templates with schema for documentation
  • Update of the IT department
  • Train and sensitize employees (Flow/PowerApps – Driver’s license)
  • PowerApps and Flow Hackathon in the company (practical exercise)
  • Flow of the month in the department
  • Flow list as DIN A0 poster for visualization
  • App exam
  • Process: Involvement of the data protection officer and the works council

Technical solutions

  • Central flow control via auditing in the Security and Compliance Center
  • Reports
  • Create automatic redundancies

You have ideas? Write to us at

employee structures

  • Employee becomes: Risk Manager, Technician and IT Manager in one person
  • IT department should assign 1-2 employees as contact persons
    • Assignments
      • answer technical questions
      • document critical applications
      • Define and implement TOMs
      • Building redundancies for critical applications
      • Monitoring of flows and PowerApps


Employee becomes risk manager/IT manager

Anyone who can build flows now has to practice risk management in addition to their technical skills. They must at least be able to assess whether a flow is a) a workflow just for themselves or b) a workflow that is or can become a critical application. In case b), the IT department should then be informed and, of course, the flow documented. Together with the IT department, it is then discussed how the workflow can be secured, and a warning message (flow no longer runs) is set up that goes by email to the employee and the IT department. In consultation, a Flow P2 license is assigned to the employee and a backup is created in the central account of the IT department.

Especially in the case of critical flows for the company, the employee must independently check and assess the risk in a first step. He must not be left alone and should receive offers from the IT department in order to protect him, the department and the company from damage.

Works council and data protection

Some flows and PowerApps process personal data, run surveys, or take inputs that are subject to co-determination (employee monitoring). As a result, some flows may first have to be reviewed by the works council and the data protection officer before they can be used. This should be done by the department head together with the employee. It is worthwhile to agree on parameters and to develop a small form with an approval process for the prior “consent” (before!) of these bodies. Exactly this can be implemented wonderfully with Flow.

Indications for a critical application can be:

  • Processing of personal data
  • Processing of sensitive data
  • Target group: Companies, for sensitive areas of the company (production, management)
  • large target group
  • central workflow and not “just for me”.
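
The triage described above (a workflow "just for me" versus a critical application, and flows that stop when their only owner leaves or loses the license) can be run over a flow inventory. The following is an added example, not part of the original post: the inventory format, the account names, the `flow_license` field and the audience threshold are assumptions, and the data is constructed.

```python
from dataclasses import dataclass

# Constructed directory state (assumed fields), keyed by account name.
DIRECTORY = {
    "anna@example.com": {"enabled": True, "flow_license": True},
    "ben@example.com": {"enabled": False, "flow_license": True},   # left the company
    "cem@example.com": {"enabled": True, "flow_license": False},   # license changed
    "it-flows@example.com": {"enabled": True, "flow_license": True},  # central IT account
}
LARGE_AUDIENCE = 25  # assumed threshold for "large target group"

@dataclass
class Flow:
    name: str
    owners: list
    personal_data: bool = False
    sensitive_data: bool = False
    audience: int = 1        # number of people who depend on the flow
    central: bool = False    # central workflow, not "just for me"

def usable_owners(flow, directory):
    """Owners whose account is still enabled and still licensed."""
    return [o for o in flow.owners
            if all(directory.get(o, {}).get(k) for k in ("enabled", "flow_license"))]

def is_critical(flow):
    """Apply the indicators for a critical application listed above."""
    return (flow.personal_data or flow.sensitive_data
            or flow.audience >= LARGE_AUDIENCE or flow.central)

def triage(flows, directory):
    """Return {flow name: finding} for every flow that needs attention."""
    findings = {}
    for f in flows:
        active = usable_owners(f, directory)
        if not active:
            findings[f.name] = "ORPHANED"            # no owner left to run it
        elif is_critical(f) and len(active) < 2:
            findings[f.name] = "CRITICAL_NO_BACKUP"  # inform IT, add central co-owner
    return findings

# Constructed inventory.
FLOWS = [
    Flow("Invoice approval", ["ben@example.com"], personal_data=True, central=True),
    Flow("Shift planning", ["anna@example.com"], audience=120),
    Flow("Holiday requests", ["cem@example.com", "it-flows@example.com"], personal_data=True),
    Flow("My mail attachments", ["anna@example.com"]),
    Flow("Machine alerts", ["anna@example.com", "it-flows@example.com"], sensitive_data=True),
]

if __name__ == "__main__":
    for name, finding in triage(FLOWS, DIRECTORY).items():
        print(f"{finding:20} {name}")
```

A flow with a second listed owner still counts as unprotected when that owner's account is disabled or unlicensed, which is why "Holiday requests" is flagged while "Machine alerts" is not.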