Microsoft Power Platform · Dataverse Security Roles

Delegate

Run apps and flows on behalf of another user. Used by Power Automate child flows and impersonation scenarios.

Scope: Single Dataverse environment - impersonation only

Permissions

  • Impersonation - Act on behalf of another user in Dataverse
  • Used by Power Automate "Run as" patterns

Common use cases

  • Service account that runs flows on behalf of users
  • Custom integrations that need elevated impersonation

Security considerations

  • High-trust role - can act as any user it impersonates
  • Audit impersonation usage via Dataverse audit logs

Common questions

When should I assign the Delegate role?

Assign Delegate when you need to: Service account that runs flows on behalf of users; and Custom integrations that need elevated impersonation. It is part of Microsoft Power Platform and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Delegate role do?

The Delegate role grants permissions including: Impersonation - Act on behalf of another user in Dataverse; and Used by Power Automate "Run as" patterns. See the Permissions section above for the full list.

What are the security risks of the Delegate role?

Key considerations when assigning Delegate: High-trust role - can act as any user it impersonates; and Audit impersonation usage via Dataverse audit logs. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →