Alert Relay Documentation

Guidance for building Alert Relay flows, choosing the right action, and understanding SharePoint version-history comparisons.

Administrator Reference

This page is for Microsoft 365 or Power Platform administrators who want to understand what Alert Relay adds to their tenant and why.

What gets added to your tenant

When a user in your organisation creates an Alert Relay connection in Power Automate, Azure AD adds an enterprise application (service principal) to your tenant:

| Property | Value |
| --- | --- |
| Display name | Alert Relay - Power Automate Connector |
| Publisher | INDEPENDNET PTY LTD (verified) |
| Publisher domain | independnet.com.au |

This is standard behaviour for any multi-tenant Power Automate custom connector. The enterprise application represents Alert Relay in your tenant and records the delegated permissions that have been consented to.

You can view it at:

Microsoft Entra admin center → Enterprise applications → Alert Relay - Power Automate Connector

Permissions requested

Alert Relay requests the following delegated permissions. Delegated means the connector acts on behalf of the signed-in user — it can only access what that user can already access.

| Permission | API | Why it is needed |
| --- | --- | --- |
| Read items in all site collections (AllSites.Read) | SharePoint | Read SharePoint list items, fields, and version history to detect and return change information |
| Read items in all site collections (Sites.Read.All) | Microsoft Graph | Some SharePoint operations use the Microsoft Graph API internally |
| Sign in and read user profile (User.Read) | Microsoft Graph | Resolve the display name and email address of the signed-in user for tenant contact records and user field values |

All permissions are delegated — Alert Relay cannot access SharePoint data that the signed-in user does not already have permission to access.

Alert Relay does not request any write, delete, or administrative permissions.

Admin consent

By default, each user who creates an Alert Relay connection consents individually via the standard Power Automate OAuth consent screen — no admin action is required.

However, if your organisation has configured Microsoft Entra ID to require admin approval before users can consent to third-party applications, admin consent must be granted before any user can create a connection.

Option 1 — Admin creates a connection in Power Automate (recommended)

An administrator can create an Alert Relay connection themselves in Power Automate. When prompted to sign in, they will see the standard OAuth consent screen and can approve on behalf of the organisation. Once completed, other users can create their own connections without further admin involvement.

Option 2 — Grant consent from the Entra admin center

An administrator can grant consent directly from:

Microsoft Entra admin center → Enterprise applications → Alert Relay - Power Automate Connector → Permissions → Grant admin consent

Once admin consent is granted via either method, users can create connections without seeing an individual consent prompt.

How authentication works

Alert Relay uses the OAuth 2.0 On-Behalf-Of (OBO) flow. When a Power Automate flow runs:

  1. Power Automate sends the signed-in user's access token to the Alert Relay API
  2. The Alert Relay API exchanges that token for a SharePoint or Microsoft Graph token on behalf of the user
  3. SharePoint and Graph calls are made using the user's delegated identity and permissions
  4. No Alert Relay service account or app-only permissions are used

The signed-in user's permissions govern everything. Alert Relay cannot read from sites or lists the user cannot already access.
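
To check these statements in your own tenant (only the three delegated scopes from the permissions table, and no app-only permissions as in step 4), the following added example, which is not Alert Relay's own code, audits the oauth2PermissionGrants and appRoleAssignments that Microsoft Graph returns for the enterprise application's service principal. The function name, the resource_names map and all sample IDs are assumptions constructed for illustration.

```python
# Added example (not Alert Relay code): audit consent against this page's table.
EXPECTED = {
    "SharePoint": {"AllSites.Read"},
    "Microsoft Graph": {"Sites.Read.All", "User.Read"},
}

def audit_consent(grants, app_role_assignments, resource_names):
    """Return findings; an empty list means consent matches this page.

    grants: "value" array of the app's oauth2PermissionGrants (Graph)
    app_role_assignments: "value" array of its appRoleAssignments (Graph)
    resource_names: caller-supplied map of resourceId -> API label
    """
    findings = []
    for grant in grants:
        rid = grant["resourceId"]
        api = resource_names.get(rid, "unknown:" + rid)
        # "scope" is one space-separated string and may have a leading space.
        scopes = set(grant.get("scope", "").split())
        if grant.get("consentType") == "AllPrincipals":
            who = "tenant-wide"
        else:
            who = "user " + str(grant.get("principalId"))
        for scope in sorted(scopes - EXPECTED.get(api, set())):
            findings.append(f"unexpected delegated scope {scope} on {api} ({who})")
    # The page states no app-only permissions are used, so any application
    # role assigned to this service principal is reported.
    for role in app_role_assignments:
        api = role.get("resourceDisplayName", role["resourceId"])
        findings.append(f"app-only role {role['appRoleId']} on {api}")
    return findings

# Constructed sample data; every ID is a placeholder, not a tenant value.
RESOURCES = {"sp-spo": "SharePoint", "sp-graph": "Microsoft Graph"}
CLEAN_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-spo", "scope": "AllSites.Read"},
    {"consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": " Sites.Read.All User.Read"},
]
DRIFTED_GRANTS = CLEAN_GRANTS + [
    {"consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
]
DRIFTED_ROLES = [{"appRoleId": "role-1", "resourceId": "sp-graph",
                  "resourceDisplayName": "Microsoft Graph"}]

if __name__ == "__main__":
    print("\n".join(audit_consent(DRIFTED_GRANTS, DRIFTED_ROLES, RESOURCES)))
```

A finding means the tenant's consent differs from the table on this page and should be reviewed; it is not by itself evidence of misuse.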

Removing Alert Relay from your tenant

To remove Alert Relay from your tenant, delete the enterprise application:

Microsoft Entra admin center → Enterprise applications → Alert Relay - Power Automate Connector → Delete

This will revoke all consented permissions and break any Power Automate flows that use Alert Relay connections in your tenant. Users will need to reconnect if Alert Relay is used again.

Individual connections can also be deleted from the Power Automate portal without removing the enterprise application.

First-connection timing issue

On a brand new tenant, the first attempt to create an Alert Relay connection may fail with an AADSTS90008 error. This is a one-time Azure AD provisioning timing issue — the enterprise application is being created during the first consent flow and is not always ready before the first token request completes. Trying again immediately will succeed.

See Troubleshooting for more detail.

Questions and support

For questions about Alert Relay permissions, privacy, or data handling: