Power Automate is a high-impact automation surface: it can move data, trigger downstream systems, and run on schedules or events. To use it with enterprise agents safely, you need permissioned execution that is enforced outside the prompt, using policy-as-code gates for every write or admin action.

Claw EA runs agents on OpenClaw as the baseline runtime, then applies Work Policy Contracts (WPC), CST (scoped token), gateway receipts, and proof bundles so Power Automate actions can be authorized, limited, and audited when connected via official API with enterprise buildout controls.

Step-by-step runbook

  1. Inventory the flows you care about and classify them into read-only, write, and admin. For each, identify what would constitute an irreversible change (for example: creating approvals, updating records, posting messages, or changing connectors).

  2. Define a WPC that expresses exactly which Power Automate operations the agent may perform, and under what conditions. Keep the policy tight and treat “create or update flow” and “admin environment changes” as separate from “run an existing flow.”

  3. Issue a CST (scoped token) from clawscope for the job, with the scope hash aligned to the WPC and optional policy hash pinning. Use job-scoped CST binding so a token from one run cannot be replayed against another run.

  4. Connect Power Automate via official API, using least-privilege Microsoft Graph permissions and Power Platform permissions appropriate to the specific action. If you use Entra ID, align authentication with Conditional Access and require a controlled identity (service principal or managed identity, depending on your environment).

  5. Route model calls through clawproxy for gateway receipts, and store the resulting proof bundle at the end of the run. Keep Power Automate credentials out of prompts and tool output, and prefer tool-level parameter passing with redaction.

  6. Run in a sandboxed OpenClaw tool environment where possible, and keep elevated execution off unless you have a documented reason. After the run, verify the proof bundle and attach it to the change record, incident ticket, or deployment artifact as needed.

Threat model

Power Automate risk is less about a single API call and more about chained effects: a small write can trigger other flows, which then touch mail, files, CRM, tickets, and external SaaS. Prompt-only constraints fail because the model can be induced to ignore instructions or to misinterpret what is “safe,” so you need machine-enforced gates.

| Threat | What happens | Control |
|---|---|---|
| Prompt injection via email, chat, or documents | The agent is tricked into creating or modifying a flow, or running a flow with attacker-controlled inputs that exfiltrate data. | WPC must deny flow creation and connector changes by default; allow only explicit operations. Use CST scope hash aligned to the WPC so calls fail closed when scope does not match. |
| Over-permissioned identity in Entra ID | A token with broad Microsoft Graph permissions allows unintended mailbox, files, or directory actions during automation. | Least-privilege Microsoft Graph permissions and environment roles; separate identities for read vs write. Put “write and admin actions” behind WPC approval gates. |
| Flow chaining and hidden side effects | A “safe” update triggers a downstream flow that posts externally, changes permissions, or syncs data out of tenant. | WPC should specify allowed flow IDs or allowed action families, not just “Power Automate access.” Treat “run flow” as a controlled capability and require explicit allowlists in policy. |
| Replay of a prior run | An attacker reuses an old token or request to rerun automation, causing repeated changes or repeated data movement. | Marketplace anti-replay binding with job-scoped CST binding. Store proof bundles and require verification before accepting a run as legitimate. |
| Disputed actions during audit | You cannot prove which model, policy, and identity produced the automation change. | Gateway receipts from clawproxy for model calls, and proof bundles that tie receipts, policy hash, and job metadata together for verification. |

Policy-as-code example

This illustrates the shape of a WPC: deny-by-default, explicit allow for read, and approval-gated allow for write. The important part is that the policy is signed and hash-addressed, then fetched and verified during execution rather than “promised” in the prompt.

{
  "wpc_version": "1",
  "policy_name": "power-automate-permissioned-agent",
  "default": "deny",
  "power_automate": {
    "allow": [
      { "action": "flows.read", "resource": "environment:prod" },
      { "action": "runs.read",  "resource": "environment:prod" }
    ],
    "allow_with_approval": [
      {
        "action": "flows.run",
        "resource": "flow:FIN-AP-ApproveInvoice",
        "constraints": {
          "input_schema_hash": "sha256:...expected...",
          "max_run_seconds": 300
        }
      },
      {
        "action": "flows.update",
        "resource": "flow:FIN-AP-ApproveInvoice",
        "constraints": { "change_window": "requires-ticket" }
      }
    ],
    "deny": [
      { "action": "flows.create", "resource": "*" },
      { "action": "connectors.manage", "resource": "*" },
      { "action": "environments.admin", "resource": "*" }
    ]
  },
  "auth": {
    "cst": {
      "require_scope_hash": true,
      "optional_policy_hash_pinning": true
    }
  },
  "logging": {
    "require_gateway_receipts": true,
    "redact_secrets": true
  }
}
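
One way the deny-by-default evaluation and the scope-hash and job-binding checks could look in Python, as an added example that is not Claw EA's or OpenClaw's own code. The hashing scheme (SHA-256 over key-sorted JSON), the token fields `scope_hash` and `job_id`, and the rule precedence are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample: a trimmed copy of the WPC shape shown above.
WPC = {
    "default": "deny",
    "power_automate": {
        "allow": [{"action": "flows.read", "resource": "environment:prod"}],
        "allow_with_approval": [
            {"action": "flows.run", "resource": "flow:FIN-AP-ApproveInvoice"}
        ],
        "deny": [{"action": "flows.create", "resource": "*"}],
    },
}


def policy_hash(wpc):
    """Assumed scheme: SHA-256 over key-sorted, compact JSON."""
    blob = json.dumps(wpc, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def matches(rule, action, resource):
    return rule["action"] == action and rule["resource"] in ("*", resource)


def authorize(wpc, token, job_id, action, resource, approved=False):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    # Fail closed when the token was minted for a different policy or job.
    presented = str(token.get("scope_hash", "")).encode()
    if not hmac.compare_digest(presented, policy_hash(wpc).encode()):
        return False, "scope_hash_mismatch"
    if token.get("job_id") != job_id:
        return False, "job_binding_mismatch"
    rules = wpc.get("power_automate", {})
    def hit(section):
        return any(matches(r, action, resource) for r in rules.get(section, []))
    if hit("deny"):  # explicit deny wins over any allow entry
        return False, "explicit_deny"
    if hit("allow"):
        return True, "allow"
    if hit("allow_with_approval"):
        return (True, "approved") if approved else (False, "approval_required")
    return False, "default_deny"
```

Because the hash covers the whole policy document, editing the policy after the token is issued causes every call with that token to be rejected, not only the calls the edit would have newly permitted.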

What proof do you get?

Every model call routed through clawproxy yields gateway receipts that can be verified later. Those receipts are packaged into a proof bundle alongside run metadata such as the WPC hash, the CST scope hash, and the job binding details.

Operationally, this lets you answer: which policy was in force, which scoped authorization was used, and what the model actually requested. If you need an audit-friendly artifact for review, you can store and view the run as a Trust Pulse.

Rollback posture

Automation changes are often not fully reversible, so rollback is mostly about containment and proving what happened. Design your posture per action type: stop further runs, invalidate authorization, and revert flows only when you can do so deterministically.

| Action | Safe rollback | Evidence |
|---|---|---|
| Agent ran an existing flow with bad inputs | Disable the flow or block the triggering event; revoke the CST and rotate the Entra ID credential used for API calls if needed. | Proof bundle showing the model request path plus WPC and CST binding; flow run records from Microsoft side for cross-checking. |
| Agent updated a flow definition | Restore from version history or redeploy a known-good export; require approval gate for any subsequent update actions. | Proof bundle plus the policy hash that allowed the update; change ticket that authorized the WPC change. |
| Agent created new automation or connectors | Remove the new assets and quarantine the identity; tighten WPC to deny those actions and re-issue CST with narrower scope hash. | WPC decision trail plus receipts for the model’s tool selection; inventory diff of environments performed by admins. |
| Suspected replay of a prior job | Reject runs that do not verify, and re-run the job with a new CST; investigate any side effects as an incident. | Marketplace anti-replay binding results and verification outcome on the proof bundle. |

FAQ

Is Power Automate support available as a native connector in Claw EA?

No. Power Automate can be connected via official API with enterprise buildout controls; do not assume out-of-the-box support.

Why is prompt-only control not enough for Power Automate actions?

Because prompts are not enforcement. A misconfigured tool, a malicious plugin, or prompt injection can push the model into high-impact operations, so write and admin actions need WPC approval gates and CST-scoped authorization that fails closed.

How do WPC and CST work together in a run?

The WPC defines what is allowed, and the CST is minted to match that policy via scope hash and optional policy hash pinning. If the agent attempts an operation outside the policy, the call should be rejected even if the prompt asks for it.

What can I show an auditor after an automated run?

Gateway receipts for model calls plus a proof bundle tying receipts to the job context, WPC hash, and CST binding. For centralized review, you can store the artifact as a Trust Pulse.

Does this replace Microsoft governance like Conditional Access, PIM, or DLP?

No. Use Microsoft controls for identity, access, and tenant governance, and use Claw EA to make the agent’s execution permissioned and verifiable. They address different layers and are most effective when used together.
