Security update for "connect with sign-in" connections on AD domain-joined machines in Power Automate for desktop

Summary

A potential security vulnerability is identified in Power Automate for desktop versions 2.47 and earlier. Microsoft has issued a CVE about this issue.

Mitigation

To mitigate the issue, update your Power Automate for desktop to the following patched versions as soon as possible.

• 2.47.119.24249
• 2.46.181.24249
• 2.45.404.24249
• 2.44.55.24249
• 2.43.249.24249
• 2.42.331.24249
• 2.41.178.24249

Impact of the patch

If you use "connect with sign-in" for attended runs on machines that are AD domain-joined but not Microsoft Entra-joined, the patched versions (and future versions) of Power Automate for desktop will cause your runs to fail with the UnallowedTenantForConnectWithSignIn error code.

Creating and testing connections with sign-in option will also fail with one of these errors：

Unable to connect. The credentials for the machine are incorrect.

Tenant <tenantID> needs to be explicitly allow-listed to authorize 'connect with sign-in' runs on the machine.

To use "connect with sign-in" on such machines, you must add the Power Automate tenant where your machine is registered to the allowlist by following the instructions in "UnallowedTenantForConnectWithSignIn" error in a Power Automate desktop flow. We recommend that your AD administrators deploy a Group Policy Object (GPO) in your domain to define the tenant allowlist.

How to determine if a machine is AD domain-joined or Microsoft Entra-joined

To get your machine's join state, run the dsregcmd command from a Windows command prompt:

dsregcmd /status

In the Device State section of the output, AzureAdJoined indicates whether the machine is joined to Microsoft Entra ID, and DomainJoined indicates whether the machine is joined to an AD domain.