Collaborator Access Audit
Weekly schedule compares a SharePoint list of expected repo collaborators against actual GitHub collaborators using Check If User Is Repository Collaborator and emails discrepancies to IT Admins.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
FlowLibs - Collaborator Access Audit is a scheduled Power Automate Cloud Flow that performs a weekly governance audit comparing expected repository collaborators (maintained in a SharePoint list) against the actual collaborators configured on a GitHub repository. Any expected user who is missing from GitHub is reported in a consolidated HTML email sent to an IT Admin recipient. The flow ships Off and is fully portable across tenants — every external resource pointer is an environment variable.
Use Case
Small engineering teams and IT Admin groups often grant GitHub repository access on a case-by-case basis, and there is no built-in mechanism to ensure the *intended* roster (as maintained in a source of truth like SharePoint) matches what is actually provisioned on each repository. This flow closes that gap: once a week it walks the expected roster, checks each user against the live GitHub collaborator list, and produces a single audit email highlighting users who are missing access. Admins receive zero noise when everything is compliant, and an actionable list of exceptions when it isn't.
Flow Architecture
Weekly Recurrence
Recurrence: Fires weekly every Monday at 09:00 Eastern, starting 2026-04-20.
Initialize Variables
Initialize variable (x7): Binds five environment variables (`flowlibs_GitHubOwner`, `flowlibs_GitHubRepository`, `flowlibs_SharePointSiteURL`, `flowlibs_CollaboratorAuditListName`, `flowlibs_AuditAlertRecipient`) and initializes two accumulators: `varDiscrepancyRows` (String, empty) and `varDiscrepancyCount` (Integer, 0).
Get Expected Collaborators From SharePoint
SharePoint - GetItems: Reads the configured site and audit list. The list is expected to have at minimum a `Title` column containing the GitHub username for each expected collaborator.
Get Actual Repository Collaborators From GitHub
GitHub - ListCollaborators: Calls `ListCollaborators` against the configured owner/repository with `per_page=100`. A single call returns the authoritative GitHub roster.
For Each Expected Collaborator
Apply to each (serial, repetitions=1): Iterates over the SharePoint list rows. For each expected collaborator: filters the actual GitHub roster by case-insensitive `login == Title`; if the filtered length is 0, appends an HTML `<tr>` (Title, Email, Notes) to `varDiscrepancyRows` and increments `varDiscrepancyCount`.
If Any Discrepancies Found
If condition: Evaluates `@greater(variables('varDiscrepancyCount'), 0)` to decide whether to send the audit email.
- Send Collaborator Audit Discrepancy Email — Office 365 Outlook `SendEmailV2` with Importance=High to `varAlertRecipient`. Body is a concatenated HTML report: header, summary count, and a `<table>` of discrepancies.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_GitHubOwner | String | your-org-FlowLibs | GitHub owner or organization that owns the audited repository. |
| flowlibs_GitHubRepository | String | FlowLibs-Sample-Repo | GitHub repository name to audit collaborators against. |
| flowlibs_SharePointSiteURL | String | https://your-tenant.sharepoint.com/sites/FlowLibs | SharePoint site that contains the expected-collaborators audit list. |
| flowlibs_CollaboratorAuditListName | String | FlowLibs - Expected Repo Collaborators | Display name of the SharePoint list that holds the expected GitHub collaborator roster (Title column = GitHub login). |
| flowlibs_AuditAlertRecipient | String | you@yourcompany.com | Email address (or distribution list) that receives the weekly audit discrepancy notifications. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| SharePoint | shared_sharepointonline | GetItems (Reads the expected-collaborators list) |
| GitHub | shared_github | ListCollaborators (Returns actual repository collaborators) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (Sends the audit discrepancy email (Importance=High)) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Deploy in a new tenant
  - Import the solution, set the five environment variable values for your target environment, authorize the three connection references (SharePoint, GitHub, Office 365 Outlook), then turn the flow On. No expression-level edits are required.
- Tailor the SharePoint audit list
  - The flow reads the Title column from the list and uses it as the GitHub login. Add columns such as Email, Role, or Notes to enrich the discrepancy email body — the HTML-row expression in Append_Discrepancy_Row can be extended to pull additional columns.
- Adjust the schedule
  - Edit the Recurrence trigger. The default is weekly Monday at 09:00 Eastern. For daily audits, change to Daily frequency and update weekDays accordingly.
- Change the recipient
  - Update the flowlibs_AuditAlertRecipient env var value. Multiple recipients can be added by switching the Outlook To-address expression to a semicolon-joined string.
- Expand to multiple repositories
  - Wrap the GetItems/ListCollaborators/Foreach subsequence in an outer Foreach over a list of repositories stored in a separate SharePoint list, and parameterize varGitHubOwner and varGitHubRepository inside the loop.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics; the heaviest expressions are the case-insensitive collaborator filter and the discrepancy HTML row. They are listed below in the order they appear in the flow.
EXPR.01 Trigger recurrence
Weekly Monday 09:00 ET schedule for the audit run.
EXPR.02 Filter actual collaborators for a given expected user
Case-insensitive match between the expected SharePoint Title and the GitHub login. `coalesce` guards against null Title values.
EXPR.03 Discrepancy detection
True when the filtered GitHub roster has no match — i.e., the expected user is missing access.
EXPR.04 Append discrepancy HTML row
Builds one HTML table row per missing collaborator; null-safe on optional Email/Notes columns.
EXPR.05 Summary guard for the notification email
Gates the Send Email action so admins only receive a message when at least one discrepancy exists.
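The comparison that EXPR.02 through EXPR.05 describe, written out in Python as an added example (not the flow's own expressions and not FlowLibs code). It goes beyond the flow in three ways, each an assumption of this example: every table cell is HTML-escaped, GitHub collaborators absent from the expected roster are listed too, and rows with a blank Title are set aside as roster errors; the sample data and all function names are constructed.

```python
from html import escape

# Constructed sample data (not from the original page).
EXPECTED = [  # rows shaped like the SharePoint list items (Title = GitHub login)
    {"Title": "Alice-Dev", "Email": "alice@example.com", "Notes": "Backend"},
    {"Title": "bob-ops", "Email": None, "Notes": "<b>contractor</b>"},
    {"Title": None, "Email": "blank@example.com", "Notes": "row with no login"},
    {"Title": " carol ", "Email": "carol@example.com", "Notes": None},
]
ACTUAL = [{"login": "alice-dev"}, {"login": "Carol"}, {"login": "mallory-ext"}]


def norm(value):
    """Null-safe, case-insensitive key; trimming is an addition of this example."""
    return (value or "").strip().lower()


def audit(expected, actual):
    """Return (missing_rows, unexpected_logins, invalid_rows)."""
    actual_keys = {norm(c.get("login")) for c in actual} - {""}
    expected_keys, missing, invalid = set(), [], []
    for row in expected:
        key = norm(row.get("Title"))
        if not key:
            invalid.append(row)  # blank Title is a roster data error, not a user
            continue
        expected_keys.add(key)
        if key not in actual_keys:
            missing.append(row)  # expected user has no access on GitHub
    return missing, sorted(actual_keys - expected_keys), invalid


def discrepancy_row(row):
    """One <tr> per missing collaborator; list text is escaped before it reaches the email."""
    cells = (row.get("Title"), row.get("Email"), row.get("Notes"))
    return "<tr>" + "".join(f"<td>{escape(c or '')}</td>" for c in cells) + "</tr>"


def report(expected, actual):
    """Summary used to decide whether an audit email is worth sending."""
    missing, unexpected, invalid = audit(expected, actual)
    return {
        "count": len(missing),
        "rows": "".join(discrepancy_row(r) for r in missing),
        "unexpected": unexpected,  # on GitHub but not on the expected roster
        "invalid": len(invalid),
        "send_email": bool(missing or unexpected),
    }
```

The comparison is only as complete as the collaborator listing it is given: GitHub's REST API returns at most 100 entries per page, so a repository with more collaborators needs every page fetched before the sets are built.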