Connection Credential Expiry Monitor
Scheduled weekly flow queries connection references from Dataverse, identifies connections with expiring or expired OAuth tokens by checking last-successful-use dates. Enriches with owner info via Office 365 Users and sends targeted Outlook emails prompting credential renewal before flows break.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow proactively monitors Power Automate connection references in your Dataverse environment to identify credentials that may be expiring or have gone stale. It runs on a weekly schedule, queries all active connection references, checks their last-modified date against a configurable threshold, enriches flagged connections with owner profile information via Office 365 Users, and sends targeted email notifications to each affected connection owner. An admin summary report is also sent when any connections are flagged.
Use Case
Connection credentials in Power Automate expire or become stale over time, especially OAuth-based connections. When credentials expire silently, flows fail without warning, causing business process disruptions. This flow provides an early warning system that scans connection references on a regular schedule and notifies the right people before failures occur.
The flow is ideal for teams that:
- Scanning all active connection references weekly
- Flagging connections that haven't been used or modified within a configurable threshold (default: 30 days)
- Notifying individual connection owners with re-authorization instructions
- Sending a consolidated admin report summarizing all flagged connections
Flow Architecture
Weekly Recurrence
RecurrenceRuns every Monday at 8:00 AM UTC.
Init varExpiryThresholdDays
Initialize variableReads flowlibs_StaleConnectionDays env var and converts to integer (default: 30).
Init varAdminEmail
Initialize variableReads flowlibs_AdminNotificationEmail env var for admin report delivery.
Init varEmailSubject
Initialize variableReads flowlibs_CredentialExpiryEmailSubject env var for the email subject line.
Init varExpiryWarningDate
Initialize variableCalculates the cutoff date (today minus threshold days).
Init varReportRows
Initialize variableEmpty string used to accumulate HTML table rows for the admin report.
Init varFlaggedCount
Initialize variableCounter for flagged connections (starts at 0).
List Connection References from Dataverse
Microsoft Dataverse - List rowsListRecords on the connectionreferences table filtered by statecode eq 0 (active only).
For Each Connection Reference: Check If Last Use Before Threshold
Apply to each + If conditionIterates sequentially (concurrency: 1) over each connection reference and compares modifiedon against the warning date.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_AdminNotificationEmail | String | admin@contoso.com | Recipient for the weekly summary report. |
| flowlibs_StaleConnectionDays | String | 30 | Days without activity before a connection is flagged. |
| flowlibs_CredentialExpiryEmailSubject | String | Action Required: Power Automate Connection Credential Expiring Soon | Subject line for individual owner notification emails. |
| flowlibs_CredentialExpiryLogTable | String | flowlibs_credentialexpirylogs | Dataverse table name for audit logging (reserved for future enhancement). |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Microsoft Dataverse | shared_commondataserviceforapps | ListRecords (connectionreferences table) |
| Office 365 Users | shared_office365users | UserProfile_V2 (look up connection owner details) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (owner warnings and admin summary) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Tune the staleness threshold
- Adjust flowlibs_StaleConnectionDays if 30 days is too aggressive or too lenient for your environment, and customize flowlibs_CredentialExpiryEmailSubject to match your org's email conventions.
- Add Teams notification
- Add a Teams PostMessageToConversation action after the admin summary email to also post to a Teams admin channel.
- Add Dataverse logging
- Use the flowlibs_CredentialExpiryLogTable env var to write flagged connection details to a Dataverse audit table for historical reporting.
- Adjust schedule cadence
- Modify the Recurrence trigger from weekly to daily for environments with many connections, or change the day-of-week to align with your operations cadence.
- Filter by connector type
- Add a $filter condition on the Dataverse ListRecords action to target specific connector types (for example, only premium connectors).
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01Cutoff date calculation
Computes the warning cutoff date by subtracting the configurable threshold from today.
EXPR.02Null-safe date check
Falls back to an early sentinel date when modifiedon is missing so the comparison still works.
EXPR.03Date formatting for display
Formats the last-modified timestamp for HTML email output.
EXPR.04Dynamic email subject with count
Builds the admin summary subject line including the flagged-connection count.
Comments
Sign in to join the conversation.
Sign inNo comments yet. Be the first to share your experience with this flow.