DO NOT MERGE — NPS recovery: 6 new articles + 6 page fixes

articles/TOC.yml

@@ -29,6 +29,8 @@
       items:
         - name: Explore the cloud flows designer
           href: flows-designer.md
+        - name: Classic designer vs. modern designer
+          href: classic-vs-modern-designer.md
         - name: Create your first cloud flow using Copilot
           href: create-cloud-flow-using-copilot.md
         - name: Create your first cloud flow without Copilot
@@ -45,6 +47,8 @@
           href: multi-step-logic-flow.md    
     - name: Copilot in cloud flows FAQ
       href: faq-copilot-cloud-flows.yml
+    - name: Get the most from Copilot in the designer
+      href: copilot-in-cloud-flows-tips.md
     - name: How to
       items:
       - name: Use generative actions (preview)
@@ -67,6 +71,8 @@
         href: use-expressions-in-conditions.md
       - name: Create and edit expressions with Copilot expression assistant (preview)
         href: expressions-copilot.md
+      - name: Expression cookbook for cloud flows
+        href: expression-cookbook.md
       - name: Store and manage values in variables
         href: create-variable-store-values.md
       - name: Manage sensitive input like passwords
@@ -136,6 +142,12 @@
         displayName: Monitor flow activity on mobile devices
       - name: Troubleshoot a cloud flow
         href: fix-flow-failures.md
+      - name: Troubleshoot cloud flow errors
+        href: troubleshoot-flow-errors.md
+      - name: Fix connection failures in cloud flows
+        href: fix-connection-failures.md
+      - name: Cloud flow error code reference
+        href: error-reference.md
       - name: Find and fix errors with flow checker
         href: error-checker.md
     - name: Automated cloud flows

articles/add-manage-connections.md

@@ -22,6 +22,70 @@ ms.custom: sfi-image-nochange
 
 Power Automate uses *connections* to make it easy for you to access your data while building flows. Power Automate includes commonly used connections, including SharePoint, SQL Server, Microsoft 365, OneDrive for Business, Salesforce, Excel, Dropbox, Twitter, and more. Connections are shared with Power Apps, so when you create a connection in one service, the connection shows up in the other service.
 
+## Fix a broken connection
+
+If your flow stopped working because of a connection error, start here.
+
+### Quick diagnosis
+
+| Error or symptom | Likely cause | Fix |
+|---|---|---|
+| **401 Unauthorized** or "invalid credentials" | Your password changed, MFA was updated, or the token expired | [Re-authenticate the connection](#re-authenticate-a-connection) |
+| **403 Forbidden** | A DLP policy blocks this connector, or you lack permissions to the data source | [Check DLP policies](#check-dlp-policies) |
+| **Connection not found** or "connection was deleted" | Someone removed the connection, or it was cleaned up by an admin | [Create a new connection](#add-a-connection) and update the flow |
+| **Gateway offline** or "gateway unreachable" | The on-premises data gateway service is stopped or unreachable | [Troubleshoot the gateway](/data-integration/gateway/service-gateway-tshoot) |
+| **The connection works in the portal but the flow still fails** | The flow uses a different connection than the one you fixed | [Verify which connection the flow uses](#verify-flow-connections) |
+
+### Re-authenticate a connection
+
+This is the most common fix. Connections use OAuth tokens that expire when your password changes, your MFA enrollment changes, or the token's lifetime expires (typically 90 days for some connectors).
+
+1. Go to [make.powerautomate.com](https://make.powerautomate.com) > **Connections** (left navigation, under **Data**).
+2. Find the broken connection. It shows a warning icon or **Error** status.
+3. Select the three dots (**...**) next to the connection, then select **Fix connection** or **Edit**.
+4. Sign in again with your credentials. Complete any MFA prompts.
+5. After re-authenticating, go back to your flow and select **Test** > **Manually** to verify it runs.
+
+> [!TIP]
+> If you re-authenticated but the flow still fails, open the flow in the designer and check the **Flow checker** (top right). It highlights any steps that still reference a broken or different connection.
+
+### Check DLP policies
+
+Data Loss Prevention (DLP) policies set by your admin can block specific connectors or prevent connectors in different groups from being used together in the same flow.
+
+1. If you see a 403 error mentioning policy, contact your Power Platform admin.
+2. Admins can check DLP policies in the [Power Platform admin center](https://admin.powerplatform.microsoft.com/) > **Policies** > **Data policies**.
+3. Look for policies that classify your connector in a different group than the other connectors in your flow.
+
+For more information, see [Data loss prevention policies](/power-platform/admin/wp-data-loss-prevention).
+
+### Verify flow connections
+
+A flow can have multiple connections, and each step can use a different one. To check which connection a specific step uses:
+
+1. Open the flow in the designer.
+2. Select the step that is failing.
+3. In the step details, look for the **Connection** field. It shows the connection name and the account it is signed in as.
+4. If the connection shows a warning, select **Fix connection** and re-authenticate.
+
+## Prevent connection failures
+
+### Use service principal connections for production flows
+
+Personal connections break when the user changes their password, leaves the organization, or has their account disabled. For flows that run in production, use a [service principal connection](/power-automate/connect-with-service-principal) instead. Service principals:
+
+- Don't depend on a specific person's credentials
+- Don't expire when someone changes their password
+- Can be managed centrally by IT
+- Support certificate-based authentication (no passwords to rotate)
+
+### Monitor connection health
+
+Set up a scheduled flow that runs daily and checks the status of your critical connections using the [Power Automate Management connector](/connectors/connector-reference/connector-reference-powerautomate-management). If a connection enters an error state, the flow can send a notification before your production flows start failing.
+
+> [!TIP]
+> For organizations with many flows, the [Power Platform admin center](https://admin.powerplatform.microsoft.com/) provides a **Connections** view where admins can see all connections in an environment, including their status and owner.
+
 Here's a quick video on managing connections.
 
 > [!VIDEO https://learn-video.azurefd.net/vod/player?id=9d210b7d-5449-4da2-9ee8-62d049617cbd]
@@ -155,6 +219,18 @@ If you don't know what authentication option was used on the Power Automate Mana
 
 The [default](/connectors/flowmanagement/#default-deprecated) authentication option was also deprecated in June 2020, however, it was immediately hidden so that it couldn't be used from that date. All connections with the authentication of [default](/connectors/flowmanagement/#default-deprecated) were created prior to June 2020. Those connections should also be replaced. If you use the [Get Connections as admin](/connectors/powerappsforadmins/#get-connections-as-admin) action, those connections will have id="shared_flowmanagement" and properties.connectionParametersSet.name="".
 
+## Common connection errors reference
+
+| Error code or message | Connector types affected | Cause | Resolution |
+|---|---|---|---|
+| **401 Unauthorized** | All OAuth connectors | Token expired, password changed, MFA enrollment changed | Re-authenticate: **Connections** > select connection > **Fix connection** |
+| **403 Forbidden** | All connectors | DLP policy violation, insufficient permissions on the data source, or the app registration was disabled in Entra ID | Check DLP policies; verify user has access to the underlying data source |
+| **404 Connection not found** | All connectors | Connection was deleted by user or admin, or was part of a removed solution | Create a new connection and update the flow to use it |
+| **409 Conflict** | SharePoint, Dataverse | Concurrent connection modifications, or connection reference mismatch after solution import | Re-import the solution and remap connection references during import |
+| **Gateway unreachable** | SQL Server, File System, SAP, Oracle, and other on-premises connectors | On-premises data gateway service stopped, machine offline, or network connectivity lost | Restart the gateway service on the gateway machine; verify the machine can reach `*.servicebus.windows.net` on port 443 |
+| **"Connection not configured for this service"** | Custom connectors, Dataverse | Connection reference in a solution flow points to a connection that doesn't exist in this environment | Create the required connection, then update the connection reference in **Solutions** > your solution > **Connection References** |
+| **AADSTS700024 or "client assertion is not within its valid time range"** | Service principal connections | Certificate used by the service principal has expired | Upload a new certificate to the app registration in Entra ID, then update the connection |
+
 ## Related information
 
 [Training: Streamline SharePoint processes with Power Automate (module)](/training/modules/streamline-processes/)

articles/change-cloud-flow-owner.md

@@ -34,6 +34,149 @@ In cases where ownership needs to be transferred, such as when a flow owner leav
 If an administrator wants to make changes to a flow, they must first make themselves an owner or co-owner.
 [Regular users](/power-platform/admin/create-users#user-types) usually own flows, but if you need to change the owner to a Service Principal application user instead, go to [Change the owner of a cloud flow to a Service Principal application user](#change-the-owner-of-a-cloud-flow-to-a-service-principal-application-user).
 
+## Most common scenario: Reassign flows from a departed employee
+
+When someone leaves your organization, their flows continue to run until their account is disabled or their connections expire. At that point, all flows owned by that person stop working. Here is the complete process to transfer those flows to a new owner and keep them running.
+
+### Before you start
+
+You need:
+- **Power Platform admin** or **Environment admin** role (to transfer flows you don't own)
+- The **new owner** must have an active account with a Power Automate license in the same environment
+- A list of connectors used in the flow (you'll need to re-authenticate each one)
+
+> [!IMPORTANT]
+> Transferring ownership does NOT transfer the connections. All connections in the flow are tied to the original owner's Microsoft Entra ID credentials. After transfer, every connection must be re-authenticated by the new owner or replaced with a service principal connection. **If you skip this step, the flow will fail on the next run.**
+
+### Step-by-step: Transfer ownership
+
+#### For non-solution flows (My flows)
+
+1. Sign in to the [Power Platform admin center](https://admin.powerplatform.microsoft.com/) as an admin.
+2. Select **Environments**, then select the environment that contains the flow.
+3. Select **Resources** > **Flows**.
+4. Find the flow to transfer. Use the search bar or filter by the original owner's name.
+5. Select the three dots (**...**) next to the flow, then select **Manage sharing**.
+6. Under **Owners**, add the new owner's name or email address and select **Save**.
+7. After the new owner is added, the original owner can be removed. If the original owner's account is already disabled, the new owner can remove them after accepting ownership.
+
+> [!NOTE]
+> Makers can also transfer flows they own from [make.powerautomate.com](https://make.powerautomate.com): select the flow > **Share** > add the new owner as a co-owner. The new owner can then remove the original owner.
+
+#### For solution flows
+
+Solution flows are owned by the system and don't have personal owners in the same way. However, the connections used by the flow still belong to specific users.
+
+1. In the target environment, go to **Solutions** > select the solution containing the flow.
+2. Select the flow, then select **Details**.
+3. Under **Run only users** or **Connections**, update the connection references to point to connections owned by an active user.
+4. If the flow uses connection references, go to **Connection References** in the solution and remap each reference to a new connection.
+
+## What changes when you transfer ownership
+
+Understanding exactly what transfers (and what doesn't) is critical to keeping the flow running.
+
+| Aspect | Transfers to new owner? | Action needed |
+|---|---|---|
+| **Flow definition** (triggers, actions, logic) | Yes | None -- the flow design is preserved |
+| **Run history** | Yes | None -- all previous run records are visible to the new owner |
+| **Connections** (OAuth tokens, credentials) | **No** | **New owner must re-authenticate every connection** |
+| **Shared users** (co-owners, run-only users) | Yes | Review and update if needed |
+| **Flow state** (on/off) | Yes | Verify the flow is turned on after transfer |
+| **Scheduled trigger timing** | Yes | Verify the schedule is correct (timezone may differ) |
+| **Environment** | No change | Flow stays in the same environment |
+| **Solution membership** | No change | Flow stays in the same solution (if applicable) |
+
+> [!WARNING]
+> **Connections are the #1 reason flows break after transfer.** Each connection stores an OAuth token issued to a specific user. When ownership changes, those tokens don't move. The flow attempts to use the old owner's token, which fails if their account is disabled or their credentials have changed.
+
+## After transfer checklist
+
+Complete these steps immediately after transferring ownership to prevent the flow from failing.
+
+### 1. Re-authenticate all connections
+
+This is the most critical step.
+
+1. The new owner should open the flow at [make.powerautomate.com](https://make.powerautomate.com) > **My flows** > **Shared with me**.
+2. Select **Edit** to open the flow in the designer.
+3. Open the **Flow checker** (top right corner). It lists all connections with errors.
+4. For each flagged connection:
+   - Select the step that uses the connection.
+   - In the connection field, select **Add new connection** or **Fix connection**.
+   - Sign in with the new owner's credentials.
+5. **Save** the flow after updating all connections.
+
+> [!TIP]
+> If the flow uses many connections, open the **Connections** page ([make.powerautomate.com](https://make.powerautomate.com) > **Data** > **Connections**) first and create the required connections there. Then return to the flow and select the pre-created connections from the dropdown in each step.
+
+### 2. Verify the trigger still works
+
+- **Scheduled triggers**: Confirm the time, timezone, and recurrence are correct.
+- **Automated triggers** (when an item is created, when an email arrives): The trigger monitors events for the signed-in connection user. If the trigger is "When a new email arrives" and you re-authenticated with a different mailbox, the flow now monitors the new owner's mailbox, not the old owner's.
+- **Instant triggers** (button flows): Test by clicking **Run** from the portal.
+
+### 3. Check the run-as account
+
+After re-authenticating, verify who the flow acts as:
+
+- **Send email actions**: Will now send from the new connection owner's email, unless using a shared mailbox.
+- **SharePoint actions**: Will now act as the new connection owner. Ensure they have the necessary permissions on the SharePoint site.
+- **Dataverse actions**: The new owner must have the required Dataverse security roles.
+
+### 4. Run a test
+
+1. Select **Test** in the upper right of the designer.
+2. Choose **Manually** (for instant triggers) or **Automatically** with a recent trigger event.
+3. Verify that every step completes successfully, especially the steps where you changed connections.
+4. Check the output of each step to ensure data is flowing correctly.
+
+### 5. Update shared users
+
+If the flow had run-only users or other co-owners, verify that those sharing permissions are still correct. The transfer itself preserves the sharing list, but you may want to update it (for example, remove the departed employee's account).
+
+## Common issues after transfer
+
+### New owner can't see the flow
+
+- **Non-solution flows**: After being added as co-owner, the flow appears under **My flows** > **Shared with me**. It does NOT appear under **Cloud flows** (that tab shows only flows the user created).
+- **Wrong environment**: The new owner may need to switch to the correct environment using the environment picker in the upper right of the Power Automate portal.
+- **License required**: The new owner must have a Power Automate license. If the flow uses premium connectors, the new owner needs a Power Automate Premium license (or the flow needs a Power Automate Process license).
+
+### Flow stops working after transfer
+
+In almost all cases, this is a connection issue. Follow the [re-authenticate all connections](#1-re-authenticate-all-connections) steps above.
+
+Other causes:
+- **DLP policy**: The new owner's environment may have different DLP policies than the original owner's. Check with your admin.
+- **Permissions on data sources**: The new owner's account may not have access to the SharePoint sites, SQL databases, or other data sources the flow uses. Grant the required permissions in each data source.
+- **Service principal connections**: If the flow used a service principal connection owned by the departed employee's app registration, the app registration itself may need to be transferred in Microsoft Entra ID.
+
+### Transfer succeeded but the old owner is still listed
+
+If the original owner's account is disabled in Microsoft Entra ID:
+1. The new owner should open the flow and go to **Share** (or **Manage sharing**).
+2. Remove the old owner from the owners list.
+3. If the old owner can't be removed (grayed out), an admin can remove them from the Power Platform admin center.
+
+### I need to transfer many flows at once (bulk transfer)
+
+The portal only supports transferring one flow at a time. For bulk transfers (for example, when offboarding an employee with dozens of flows):
+
+1. Use the [Power Automate Management connector](/connectors/connector-reference/connector-reference-powerautomate-management) to list all flows owned by a user and modify sharing programmatically.
+2. Alternatively, use [PowerShell for Power Platform admins](/power-platform/admin/powerapps-powershell#power-automate-commands) with the `Set-AdminFlowOwnerRole` cmdlet.
+
+```powershell
+# Example: Add a new owner to all flows owned by the departing user
+$flows = Get-AdminFlow -EnvironmentName <env-id> -CreatedBy <departing-user-id>
+foreach ($flow in $flows) {
+    Set-AdminFlowOwnerRole -EnvironmentName <env-id> -FlowName $flow.FlowName -PrincipalType User -PrincipalObjectId <new-owner-id> -RoleName CanEdit
+}
+```
+
+> [!NOTE]
+> Even with bulk transfer, you must still re-authenticate connections in each flow individually. There is no bulk connection re-authentication API.
+
 ## Change the owner of a solution-aware cloud flow
 
 An owner, co-owner, or an admin can change the owner of a solution-aware flow to another user to ensure business continuity. After the change of ownership completes, the original owner and the new owner become co-owners of the flow.