Google Drive Shared-File Access Audit
On a schedule, the flow lists files in monitored Google Drive folders, checks each file's sharing permissions, flags anything shared externally or set to anyone-with-link, logs findings to a Dataverse table, and alerts security in Teams. Surfaces risky Google Drive sharing for governance.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow audits Google Drive sharing for governance. On a daily schedule it lists files in each monitored Drive folder, calls the Drive API to read every file's sharing permissions, flags anything shared externally or set to anyone-with-link, logs each finding to a Dataverse table, and posts a summary to the security channel in Microsoft Teams.
Why it matters: Over-shared Drive files are a common data-leak path. Automated auditing surfaces risky sharing before it becomes an incident, and the Dataverse log gives security a durable, reportable record.
Build status: Built and verified (Flow Checker 0 errors / 0 warnings). Ships Off — going live requires only connection authorization, a valid Google OAuth token, and env-var configuration.
Use Case
Security / IT Admins want ongoing visibility into externally shared Google Drive files across a set of monitored folders, with findings recorded for audit and a proactive Teams alert when risky sharing is detected.
Flow Architecture
- Daily 0300 (Recurrence: Day/1, 03:00 UTC): opens the daily audit window.
- Initialize Correlation Id (Initialize Variable: guid()): trace id stamped on every finding and the alert.
- Initialize Internal Domain (Initialize Variable): org domain; grantees outside it are treated as external.
- Initialize Risky Count (Initialize Variable: integer = 0): running count of risky permissions.
- Initialize Findings Html (Initialize Variable): accumulates HTML rows for the Teams summary.
- Initialize Folder Ids (Initialize Variable: array from a split of the env var): monitored folder IDs to iterate.
- For Each Folder (Apply to each, sequential): per folder, List Files (Google Drive ListFolder), then For Each File: skip sub-folders, Get Permissions via HTTP, Parse JSON, and For Each Permission check whether it is risky; if so, increment the count, Create Finding (Dataverse), and append a summary row.
- Check Has Risky (Condition: varRiskyCount > 0): only alert when findings exist; on true, Post Teams Alert (PostMessageToConversation) to the security channel.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_MonitoredFolderIds | String | <configure> | Google Drive folder IDs to audit (comma-separated). |
| flowlibs_InternalDomain | String | yourcompany.com | Internal email domain; grants outside it = external. |
| flowlibs_AuditTable | String | flowlibs_driveaudits | Documents the findings entity-set name. |
| flowlibs_GoogleDriveAccessToken | String | REPLACE_WITH_GOOGLE_OAUTH_BEARER_TOKEN | OAuth Bearer token for the Drive API permissions call. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team (group) ID for the alert. |
| flowlibs_TeamsSecurityChannelId | String | <your-channel-id> | Teams security channel ID for the alert. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Google Drive | shared_googledrive | ListFolder |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Auto-remediate: add a Drive API DELETE permissions/{id} (or set role to none) call in the risky branch to remove anyone-with-link sharing automatically.
- Owner notice: add an Outlook SendEmailV2 to email the file owner (from the owner permission) when their file is flagged.
- Risk scoring: weight findings by sensitivity label or role (writer/owner higher than reader) and only alert above a threshold env var.
- Shared drives: the HTTP call already sets supportsAllDrives=true; point flowlibs_MonitoredFolderIds at shared-drive folder IDs to audit them.
- Tune the schedule: change the Daily 0300 recurrence frequency/time for more frequent scans.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
- EXPR.01 Split folder list: turns the comma-separated env var into an array.
- EXPR.02 Skip sub-folders: audit files only.
- EXPR.03 Risk type: classifies the risk.
- EXPR.04 Grantee: resolves who was granted access.
- EXPR.05 Permissions URI: Drive API permissions.list URL.
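The per-file check described under Flow Architecture (skip sub-folders, read permissions.list, flag external or anyone-with-link grants) and the five key expressions above are easier to reason about as plain code. The Python below is an added example written for this page; it is not the flow's own definition, the Flow Library's code, or Google's client library. It runs offline over a constructed permissions.list response, and the function names, the `fields` parameter list, the sample files and grants, and the role weights used for the Risk scoring variant are this example's own assumptions; the internal domain is the page's default, yourcompany.com.

```python
"""Classify Google Drive sharing grants the way the audit flow does.

Added example for this page; mirrors the flow's per-file logic over a
constructed permissions.list response so it runs without a Drive token.
"""
from typing import Optional
from urllib.parse import urlencode

DRIVE_API = "https://www.googleapis.com/drive/v3"
FOLDER_MIME = "application/vnd.google-apps.folder"  # Drive's MIME type for folders

# Assumed weights for the "Risk scoring" variant: broader rights weigh more.
ROLE_WEIGHT = {"owner": 4, "organizer": 4, "fileOrganizer": 3,
               "writer": 3, "commenter": 2, "reader": 1}


def split_folder_ids(env_value: str) -> list:
    """EXPR.01: turn the comma-separated env var into a list of folder IDs."""
    return [f.strip() for f in env_value.split(",") if f.strip()]


def permissions_uri(file_id: str) -> str:
    """EXPR.05: permissions.list URL; supportsAllDrives=true covers shared drives."""
    query = urlencode({
        "supportsAllDrives": "true",
        # Ask only for the fields the classifier needs (assumed field list).
        "fields": "permissions(id,type,role,emailAddress,domain,allowFileDiscovery)",
    })
    return f"{DRIVE_API}/files/{file_id}/permissions?{query}"


def is_folder(file_meta: dict) -> bool:
    """EXPR.02: audit files only; sub-folders are skipped."""
    return file_meta.get("mimeType") == FOLDER_MIME


def grantee(perm: dict) -> str:
    """EXPR.04: who was granted access (email, domain, or 'anyone')."""
    if perm.get("type") == "anyone":
        return "anyone"
    if perm.get("type") == "domain":
        return perm.get("domain", "")
    return perm.get("emailAddress", "")  # user or group grant


def risk_type(perm: dict, internal_domain: str) -> Optional[str]:
    """EXPR.03: 'anyone-with-link', 'external', or None for an internal grant."""
    ptype = perm.get("type")
    internal = internal_domain.lower()
    if ptype == "anyone":
        return "anyone-with-link"
    if ptype == "domain":
        return None if perm.get("domain", "").lower() == internal else "external"
    email = perm.get("emailAddress", "").lower()
    if email and not email.endswith("@" + internal):
        return "external"
    return None  # internal user/group (or no email returned to judge by)


def audit_file(file_meta: dict, perms: list, internal_domain: str) -> list:
    """One finding per risky permission, the record the flow writes to Dataverse."""
    if is_folder(file_meta):
        return []
    findings = []
    for p in perms:
        kind = risk_type(p, internal_domain)
        if kind is None:
            continue
        findings.append({
            "fileId": file_meta["id"],
            "fileName": file_meta.get("name", ""),
            "permissionId": p.get("id"),
            "riskType": kind,
            "grantee": grantee(p),
            "role": p.get("role"),
            "weight": ROLE_WEIGHT.get(p.get("role"), 1),
        })
    return findings


def total_risk_weight(findings: list) -> int:
    """Risk scoring variant: sum of weights, compared against a threshold env var."""
    return sum(f["weight"] for f in findings)


def run_audit(files: list, perms_by_file: dict, internal_domain: str) -> list:
    """The For Each File loop: collect findings across every listed file."""
    findings = []
    for f in files:
        findings.extend(audit_file(f, perms_by_file.get(f["id"], []), internal_domain))
    return findings


# Constructed sample data standing in for ListFolder and permissions.list output.
SAMPLE_FILES = [
    {"id": "f-001", "name": "Q3 roadmap.docx", "mimeType": "application/vnd.ms-word"},
    {"id": "f-002", "name": "Archive", "mimeType": FOLDER_MIME},
]
SAMPLE_PERMISSIONS = {
    "f-001": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "alice@yourcompany.com"},
        {"id": "p2", "type": "user", "role": "writer", "emailAddress": "bob@partner.example"},
        {"id": "p3", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
        {"id": "p4", "type": "domain", "role": "reader", "domain": "yourcompany.com"},
    ],
    "f-002": [{"id": "p5", "type": "anyone", "role": "reader"}],  # folder: skipped
}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_FILES, SAMPLE_PERMISSIONS, "yourcompany.com"):
        print(finding)
```

Run as a script, it prints the two findings for f-001 (the external writer grant and the anyone-with-link grant); the owner and the internal-domain grants are not flagged, and the folder is skipped even though it carries an anyone grant. Domain comparison is case-insensitive, which the flow's Initialize Internal Domain value should match as well.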
Customize & download
Generate a ready-to-import copy of this solution with your environment-variable values baked in — available on Base, Pro, or Team.