Decommission Webhook Cleanup
When an integration is marked decommissioned in the integrations Dataverse table, deletes the associated GitHub webhook on the target repo and logs the action to a SharePoint audit list for traceability.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
When a row in the FlowLibs - Integrations Dataverse table has its Status column changed to Decommissioned, this flow automatically deletes the associated GitHub webhook on the target repository, writes an audit row to a SharePoint audit list, and emails a summary to the notification recipient.
It is a reference implementation for pairing a Dataverse "source of truth" for integrations with external-system cleanup (GitHub webhooks), plus audit logging in SharePoint, driven entirely by metadata on the Dataverse row (no hard-coded repos, no per-flow rewiring to onboard new integrations).
Use Case
Problem: When an integration is retired, the GitHub webhook that used to call its endpoint continues firing — producing 404s at best, leaking data to orphaned endpoints at worst, and making webhook inventories harder to audit.
Solution: Make the Integrations Dataverse table the single source of truth. A user (or another flow) sets Status = Decommissioned on the row; this flow picks up the change and cleans up the GitHub webhook in seconds, while also writing an auditable trail to SharePoint.
Typical audience: IT Admins and Developers maintaining integration catalogs.
The flow is ideal for:
- IT Admins maintaining integration catalogs
- Developers retiring integrations and cleaning up GitHub webhooks
- Compliance teams needing an auditable trail of decommissioning events
Flow Architecture
When Integration Status Is Modified
Dataverse SubscribeWebhookTrigger: Fires on Updated (change type 2) at Organization scope (4) on the `flowlibs_integration` table, filtered to the `flowlibs_status` attribute so the flow only runs when the Status column changes.
Initialize GitHub Organization
Initialize variable: Loads `flowlibs_GitHubOrganization` into `varGitHubOrganization` as a fallback when an integration row does not override the owner.
Initialize Integrations Table
Initialize variable: Loads `flowlibs_IntegrationsTableName` (EntitySet name, e.g. `flowlibs_integrations`) into `varIntegrationsTable`.
Initialize Decommission Status
Initialize variable: Loads `flowlibs_DecommissionStatusValue` into `varDecommissionStatus` (default `Decommissioned`). Used in the condition check.
Initialize SharePoint Site URL
Initialize variable: Loads `flowlibs_SharePointSiteURL` into `varSharePointSiteUrl`.
Initialize Audit List Name
Initialize variable: Loads `flowlibs_AuditListName` into `varAuditListName`.
Initialize Notification Recipient
Initialize variable: Loads `flowlibs_NotificationRecipient` into `varNotificationRecipient`.
Get Integration Row
Dataverse GetItem: Retrieves the fully hydrated row from `flowlibs_integrations` using the trigger's `flowlibs_integrationid` (name, status, GitHub owner, GitHub repo, webhook id, owner email). Only the required columns are selected to keep the payload small.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_GitHubOrganization | String | flowlibs-demo-org | Default GitHub organization used when an integration row leaves `flowlibs_githubowner` empty. |
| flowlibs_IntegrationsTableName | String | flowlibs_integrations | EntitySet name of the Dataverse integrations table used by the GetItem action. |
| flowlibs_DecommissionStatusValue | String | Decommissioned | String value that signals an integration should be cleaned up. Change to `Retired` or `Sunset` without editing the flow. |
| flowlibs_SharePointSiteURL | String | https://your-tenant.sharepoint.com | SharePoint site that hosts the audit list. Set to your tenant root or a specific site collection. |
| flowlibs_AuditListName | String | FlowLibs - Webhook Decommission Audit | Display name of the SharePoint list that receives audit rows. Must have the documented column shape. |
| flowlibs_NotificationRecipient | String | <configure> | Email address (or DL / shared mailbox) that receives the decommission summary. Set during deployment. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Microsoft Dataverse | shared_commondataserviceforapps | SubscribeWebhookTrigger (trigger), GetItem |
| GitHub | shared_github | DeleteWebhookTrigger |
| SharePoint Online | shared_sharepointonline | PostItem |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Change the trigger value: Update `flowlibs_DecommissionStatusValue` (e.g., to `Retired` or `Sunset`) without modifying the flow.
- Point at a different GitHub org: Update `flowlibs_GitHubOrganization`. Only used when an individual row leaves `flowlibs_githubowner` empty.
- Move to a different SharePoint site / audit list: Update `flowlibs_SharePointSiteURL` and `flowlibs_AuditListName`. The target list just needs the same column shape.
- Notify a distribution list: Set `flowlibs_NotificationRecipient` to a DL or shared mailbox address.
- Expand cleanup actions: Inside the If-yes branch, add further actions (revoke PAT, remove Azure DevOps service hook, notify Teams channel) in parallel with the existing cleanup chain. Because each downstream action uses `runAfter: Succeeded, Failed, Skipped, TimedOut`, failures don't short-circuit the audit trail.
- Harden against missing webhook id: Add a Condition at the top of the If-yes branch to short-circuit cleanup when `flowlibs_webhookid` is null, writing a "no webhook id recorded" audit row instead of calling GitHub.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 Status equality check (case-insensitive, null-safe)
Used in the If condition; lower-cased with coalesce to guard against null status values.
EXPR.02 GitHub owner fallback
Resolves the owner segment of the GitHub DELETE URL — row value first, env var second.
EXPR.03 Audit row action date
Written to the `ActionDate` column on the SharePoint audit row.
EXPR.04 Email subject
Subject line on the summary email; includes the integration's friendly name.
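The following Python model is an added example, not the flow's own expressions or FlowLibs code: it combines the status check (EXPR.01), the owner fallback (EXPR.02) and the missing-webhook-id guard from the Customization Guide, and also validates the row values before they become path segments of the DELETE URL, since the flow is driven entirely by row metadata. Assumptions of this example: the column name `flowlibs_githubrepo`, the audit keys other than `ActionDate`, the name patterns, and the use of GitHub's REST route for deleting a repository webhook (the connector's internal call is not shown on this page).

```python
import re
from datetime import datetime, timezone

# Conservative patterns for GitHub owner and repo names (assumption of this example).
OWNER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}")
REPO_RE = re.compile(r"[A-Za-z0-9._-]{1,100}")
HOOK_RE = re.compile(r"[0-9]{1,20}")

def plan_cleanup(row, env, now=None):
    """Return the audit row for one integration; delete_url is set only when
    calling GitHub is justified. Audit keys other than ActionDate are made up."""
    now = now or datetime.now(timezone.utc)
    audit = {"IntegrationId": row.get("flowlibs_integrationid"),
             "ActionDate": now.isoformat(), "delete_url": None}

    # EXPR.01 idea: lower-case both sides, coalesce a null status to "".
    status = (row.get("flowlibs_status") or "").lower()
    wanted = (env.get("flowlibs_DecommissionStatusValue") or "").lower()
    if not wanted or status != wanted:
        return {**audit, "Outcome": "skipped: status is not the decommission value"}

    # EXPR.02 idea: row value first, environment variable second.
    owner = row.get("flowlibs_githubowner") or env.get("flowlibs_GitHubOrganization") or ""
    repo = row.get("flowlibs_githubrepo") or ""  # hypothetical column name
    hook = row.get("flowlibs_webhookid")

    # Missing-id guard: write an audit row instead of calling GitHub.
    if hook is None or not str(hook).strip():
        return {**audit, "Outcome": "no webhook id recorded"}
    # Row metadata becomes URL path segments, so accept only plain names and a numeric id.
    if not (OWNER_RE.fullmatch(owner) and REPO_RE.fullmatch(repo)
            and repo not in (".", "..") and HOOK_RE.fullmatch(str(hook).strip())):
        return {**audit, "Outcome": "rejected: invalid owner, repo or webhook id"}
    url = f"https://api.github.com/repos/{owner}/{repo}/hooks/{str(hook).strip()}"
    return {**audit, "Outcome": "delete webhook", "delete_url": url}

# Constructed sample data, not taken from a real tenant.
SAMPLE_ENV = {"flowlibs_DecommissionStatusValue": "Decommissioned",
              "flowlibs_GitHubOrganization": "flowlibs-demo-org"}
SAMPLE_ROWS = [
    {"flowlibs_integrationid": "row-1", "flowlibs_status": "DECOMMISSIONED",
     "flowlibs_githubowner": None, "flowlibs_githubrepo": "billing-sync", "flowlibs_webhookid": "12345"},
    {"flowlibs_integrationid": "row-2", "flowlibs_status": "Decommissioned",
     "flowlibs_githubowner": "acme", "flowlibs_githubrepo": "crm", "flowlibs_webhookid": None},
    {"flowlibs_integrationid": "row-3", "flowlibs_status": "Decommissioned",
     "flowlibs_githubowner": "acme", "flowlibs_githubrepo": "crm/../other", "flowlibs_webhookid": "7"},
    {"flowlibs_integrationid": "row-4", "flowlibs_status": None,
     "flowlibs_githubowner": "acme", "flowlibs_githubrepo": "crm", "flowlibs_webhookid": "7"},
]
```

Every outcome, including the skipped and rejected ones, comes back as an audit row, so the SharePoint list records why no GitHub call was made.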