How to manage orphan flows when the owner leaves the organization

A flow turns into an orphaned flow when it does not have a valid owner anymore. This often happens when the creator or owner of the flow has left the organization and there is no co-owner. If the flow uses connections that require authentication, then it may start failing because the user identity is not valid anymore.

Admins can maintain continuity on the business process automated by the flow by adding one or more co-owners to it. Co-owners basically have full control over the flow just like the original owner, and can fix authentication for connections if any and enable the flow if it has been disabled.

How to check if there are orphaned flows

Please note that only privileged users can view flows that do not have any valid owners.

On the environment page from Flow Admin Center (https://admin.flow.microsoft.com/environments), go to "Resources" tab and then open the "Flow" list. Orphaned flows display "None" as their owner. 

Click "Load more" to load the next set of flows so as to ensure you have looked through all flows that might be orphaned.

Assign new co-owner(s) to an orphaned flow

1. From the flow list, click on the orphaned flow to open the flow details page. 
2. Click "Manage sharing" at the bottom of the Owners list. 
3. Type in a new owner name and select the new owner account.
4. Click "Save" to save the changes.

As an Admin, you can also manage flows by running Power Apps cmdlets for administrators. Please make sure you have followed the instructions to complete the installation if you have not done it before.

Fixing permissions for one flow

You will need the environment name and flow name (a GUID).

Run the Get-AdminFlowOwnerRole cmdlet with environment name and flow name to get the list of users and their roles. This will enable you to verify the current permissions set for the flow.

To assign a co-owner to a flow, run Set-AdminFlowOwnerRole with the AAD principal object id of the new owner

Set-AdminFlowOwnerRole -EnvironmentName <env name> -FlowName <flow name> -PrincipalType User -RoleName CanEdit -PrincipalObjectId <new owner object id>

Run Get-AdminFlowOwnerRole again to verify the new owner is in the list.

Fixing permissions for flows created by a particular user

Get a list of flows created by a given user by running the following cmdlet, and then apply the above section to fix every flow on the list.

Get-AdminFlow -EnvironmentName <env name> -CreatedBy <user AAD object id>

Listing all orphaned flows in an environment

To get all flows that do not have valid users, loop through all flows in one environment, and verify there is at least one owner or co-owner that exists in AAD. The following script provides an example:

$env = "<your environment name>"
$flows = Get-AdminFlow -EnvironmentName $env
foreach ($flow in $flows)
{
    $hasValidOwner = $false
    $permissions = Get-AdminFlowOwnerRole -EnvironmentName $env -FlowName $flow.FlowName
    foreach ($permission in $permissions) 
    {
        $roleType = $permission.RoleType
        
        if ($roleType.ToString() -eq "Owner" -or $roleType.ToString() -eq "CanEdit")
        {
            $userId = $permission.PrincipalObjectId
            $users = Get-AzureADUser -Filter "ObjectId eq '$userId'"

            if ($users.Length -gt 0)
            {
                $hasValidOwner = $true
                break
            }
        }
    }

    if ($hasValidOwner -eq $false)
    {
        $flow
    }
}

You can also inject the Set-AdminFlowOwnerRole cmdlet to assign a co-owner for each flow that does not have a valid owner.