Box External Share Audit
On a schedule, the flow lists shared links and collaborations across monitored Box folders, flags externally shared or open-access items, logs findings to Dataverse, and alerts security in Teams with remediation suggestions. Surfaces risky Box sharing for governance.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow surfaces risky Box file sharing for governance. On a schedule it walks a configurable set of monitored Box folders, reads each folder's items and collaborations, flags open (public) or company-wide shared links and external collaborators, logs every finding to a dedicated Dataverse table, and posts a summary alert to a Microsoft Teams security channel with remediation guidance.
Why it matters: over-shared Box files are a common data-leak vector. Automated daily auditing catches external/open shares and stray external collaborators before they become incidents, and produces a durable Dataverse audit trail for compliance review.
Ships in the Off state (demo).
Use Case
Security and IT-admin teams want ongoing, low-effort visibility into externally shared Box content and external collaborators across the folders that hold sensitive material. Instead of manual periodic reviews, this flow runs every night, records findings centrally, and pings the security channel so risky shares are triaged the next morning.
Flow Architecture
Daily Audit At 0300 UTC
Recurrence: Runs the audit once per day.
Initialize Audit Config
Initialize variable: Sets a guid() run id, monitored folder ids, internal domain, Box REST base URL, Key Vault-backed Box token, and Teams group/channel ids.
Apply to each Monitored Folder
Box ListFolder + HTTP: Lists folder items (connector), then reads items-with-shared-links and folder collaborations via built-in HTTP against the Box REST API.
Flag & Log Shared-Link Findings
Condition + Dataverse CreateRecord: Flags shared links with access open or company and logs each as a finding (High for open, Medium for company).
Flag & Log External Collaborators
Condition + Dataverse CreateRecord: Flags collaborators whose login is outside the internal domain and logs each as a Medium finding.
Post Audit Summary To Teams
Microsoft Teams - PostMessageToConversation: Posts the run id, monitored folders, and remediation guidance to the security channel.
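The classification the two Condition steps perform, written out in Python as an added example (it is not the flow's own code or a Box SDK). The payloads are constructed to mimic the shape of Box's `GET /folders/{id}/items?fields=shared_link` and `GET /folders/{id}/collaborations` responses; all function names and the sample folder ids, logins and file names are this example's own. It also covers two edge cases the flow's one-line conditions would have to get right: the domain comparison must be exact (a suffix match would accept `yourcompany.com.example` as internal), and group collaborators and pending invites carry no `login` to check.

```python
"""Added example: Box external-share classification, run offline on constructed data."""
import uuid
from dataclasses import dataclass

# Severity per shared-link access level, as the flow assigns it (High for open, Medium for company).
# 'collaborators' links are not flagged, so they have no entry here.
LINK_SEVERITY = {"open": "High", "company": "Medium"}


@dataclass(frozen=True)
class Finding:
    run_id: str      # correlation id stamped on every finding of one run
    folder_id: str
    item_id: str
    kind: str        # "shared_link" or "external_collaborator"
    detail: str
    severity: str


def parse_folder_ids(value: str) -> list:
    """Split a comma-separated flowlibs_MonitoredFolderIds value, trimming and dropping blanks."""
    return [part.strip() for part in value.split(",") if part.strip()]


def is_external_login(login: str, internal_domain: str) -> bool:
    """True when the domain after the last '@' is not exactly the internal domain (case-insensitive).

    An exact comparison is deliberate: endswith('yourcompany.com') would wrongly treat
    'bob@yourcompany.com.example' or 'eve@notyourcompany.com' as internal.
    """
    if "@" not in login:
        return True  # no domain at all: this example treats it as external
    domain = login.rsplit("@", 1)[1].strip().lower()
    return domain != internal_domain.strip().lower()


def audit_folder(run_id, folder_id, items, collaborations, internal_domain):
    """Return the findings for one folder's item list and collaboration list."""
    findings = []
    for item in items:
        link = item.get("shared_link")
        severity = LINK_SEVERITY.get((link or {}).get("access"))
        if severity is None:
            continue  # no link, or a collaborators-only link
        findings.append(Finding(run_id, folder_id, item["id"], "shared_link",
                                f"{item.get('name')} access={link['access']}", severity))
    for collab in collaborations:
        who = collab.get("accessible_by") or {}
        if who and who.get("type") != "user":
            continue  # group collaborations have no single login to check
        login = who.get("login") or collab.get("invite_email")  # pending invites only carry invite_email
        if not login:
            continue
        if is_external_login(login, internal_domain):
            findings.append(Finding(run_id, folder_id, collab["id"], "external_collaborator",
                                    f"{login} role={collab.get('role')}", "Medium"))
    return findings


def summarize(findings):
    """Count findings by severity, as the Teams summary would report them."""
    counts = {"High": 0, "Medium": 0}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample responses for two monitored folders (folder "12345" is clean).
SAMPLE_ITEMS = [
    {"type": "file", "id": "f1", "name": "board-deck.pptx", "shared_link": {"access": "open"}},
    {"type": "file", "id": "f2", "name": "handbook.pdf", "shared_link": {"access": "company"}},
    {"type": "file", "id": "f3", "name": "notes.txt", "shared_link": {"access": "collaborators"}},
    {"type": "folder", "id": "f4", "name": "archive", "shared_link": None},
]
SAMPLE_COLLABS = [
    {"type": "collaboration", "id": "c1", "role": "editor",
     "accessible_by": {"type": "user", "login": "alice@YourCompany.com"}},
    {"type": "collaboration", "id": "c2", "role": "viewer",
     "accessible_by": {"type": "user", "login": "bob@yourcompany.com.example"}},
    {"type": "collaboration", "id": "c3", "role": "viewer",
     "accessible_by": {"type": "group", "name": "Finance"}},
    {"type": "collaboration", "id": "c4", "role": "viewer",
     "accessible_by": None, "invite_email": "contractor@partner.example"},
]
SAMPLE_FOLDERS = {"0": (SAMPLE_ITEMS, SAMPLE_COLLABS), "12345": ([], [])}


def run_audit(folder_ids_value="0, 12345", internal_domain="yourcompany.com"):
    """One scheduled run: a fresh run id, then every monitored folder in sequence."""
    run_id = str(uuid.uuid4())
    findings = []
    for folder_id in parse_folder_ids(folder_ids_value):
        items, collabs = SAMPLE_FOLDERS.get(folder_id, ([], []))
        findings.extend(audit_folder(run_id, folder_id, items, collabs, internal_domain))
    return findings


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f.severity, f.kind, f.folder_id, f.detail)
    print(summarize(results))
```

On the constructed data the run yields one High finding (the open link) and three Medium ones (the company link, the look-alike domain, and the pending external invite); `alice@YourCompany.com` is correctly kept internal despite the different case, and the Finance group is skipped rather than misclassified.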
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_MonitoredFolderIds | String | 0 | Comma-separated Box folder ids to audit. |
| flowlibs_InternalDomain | String | yourcompany.com | Internal email domain; collaborators outside it are treated as external. |
| flowlibs_BoxAuditTable | String | flowlibs_boxaudits | Dataverse entity set for findings. |
| flowlibs_BoxApiBaseUrl | String | https://api.box.com/2.0 | Box REST base URL for the HTTP calls. |
| flowlibs_BoxAccessToken | String | REPLACE_WITH_KEYVAULT_REF | Box OAuth admin bearer token - Key Vault-backed. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Security Teams group id. |
| flowlibs_TeamsChannelId | String | <your-channel-id> | Security Teams channel id. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Box | shared_box | ListFolder |
| HTTP | shared_http | GET /folders/{id}/items; GET /folders/{id}/collaborations |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Auto-remediate: Add a Box HTTP PUT (or DELETE the shared link) in the High-severity branch to strip open links automatically.
- Owner notice: Add an Outlook SendEmailV2 to email each file's owner about their risky share.
- Risk score: Weight severity by folder sensitivity (e.g. a sensitivity column on a folder-config table) instead of access level alone.
- Scope tuning: Extend the monitored folder ids to cover more folders; the loop is already sequential and concurrency-safe.
- Recurring digest: Add a second scheduled flow that reads the findings table and emails a weekly roll-up by severity.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01: Item externally shared
Open or company-wide shared link.
EXPR.02: External collaborator
Login outside the internal domain.
EXPR.03: Shared-link severity
High for open, Medium for company.
EXPR.04: Audit run id (correlation)
Stamped on every finding.