Group Membership Change Audit Log
When members are added or removed from an Office 365 Group, log the change to a Dataverse audit table with timestamp and actor.
Overview
This flow monitors an Office 365 Group for membership changes by comparing current group members against a baseline stored in SharePoint. When members are added or removed, the changes are logged to a SharePoint audit list and an alert email is sent to the designated administrator. Runs daily at 7:00 AM UTC.
Use Case
IT administrators need visibility into who joins or leaves security and collaboration groups. Manual checks are time-consuming and error-prone. Ideal for compliance audits, access reviews, and security monitoring.
The flow automates the audit by:
- Taking a daily snapshot of group members
- Comparing against the previous day's baseline
- Logging additions and removals with timestamps
- Alerting admins immediately when changes occur
Flow Architecture
Recurrence - Daily Membership Check
Recurrence: Runs daily at 7:00 AM UTC.
Initialize Variable - Site URL
InitializeVariable: Loads SharePoint site URL from the flowlibs_SPSiteUrl environment variable.
Initialize Variable - Baseline List
InitializeVariable: Loads baseline list name from the flowlibs_GroupMembershipBaselineList environment variable.
Initialize Variable - Audit Log List
InitializeVariable: Loads audit log list name from the flowlibs_GroupMembershipAuditLogList environment variable.
Initialize Variable - Group ID
InitializeVariable: Loads monitored Office 365 Group ID from the flowlibs_MonitoredGroupId environment variable.
Initialize Variable - Group Name
InitializeVariable: Loads monitored Office 365 Group display name from the flowlibs_MonitoredGroupName environment variable.
Initialize Variable - Alert Recipient
InitializeVariable: Loads alert email recipient address from the flowlibs_AuditAlertRecipient environment variable.
Initialize Variable - Changes Detected
InitializeVariable: Boolean flag, starts as false; flipped to true when any addition or removal is found.
Initialize Variable - Change Summary
InitializeVariable: String to accumulate human-readable change descriptions for the alert email.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_SPSiteUrl | String | https://your-tenant.sharepoint.com | Root SharePoint site that hosts the baseline and audit log lists. |
| flowlibs_GroupMembershipBaselineList | String | FlowLibs - Group Membership Baseline | Title of the SharePoint list that stores the current known membership snapshot. |
| flowlibs_GroupMembershipAuditLogList | String | FlowLibs - Group Membership Audit Log | Title of the SharePoint list that stores detected change events. |
| flowlibs_MonitoredGroupId | String | <configure> | GUID of the Office 365 Group whose membership should be monitored. |
| flowlibs_MonitoredGroupName | String | <configure> | Display name of the monitored group, used in audit titles and the alert email. |
| flowlibs_AuditAlertRecipient | String | admin@your-tenant.onmicrosoft.com | Email address or distribution list that receives change alerts. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| SharePoint Online | shared_sharepointonline | GetItems (read baseline); PostItem (write audit log + baseline additions); DeleteItem (remove stale baseline entries) |
| Office 365 Groups | shared_office365groups | ListGroupMembers (current membership snapshot) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (audit alert email) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Monitor a different group
  - Update the flowlibs_MonitoredGroupId and flowlibs_MonitoredGroupName environment variables with the target group's GUID and display name.
- Change alert recipients
  - Update flowlibs_AuditAlertRecipient to any valid email address or distribution list.
- Monitor multiple groups
  - Duplicate the flow and create separate baseline/audit lists per group, or enhance the flow with an array variable of group IDs and a nested Apply to Each.
- Change the schedule
  - Modify the Recurrence trigger frequency and schedule parameters to run more or less often.
- Deploy to another tenant
  - Update all environment variable values, create new SharePoint lists matching the expected names, and update connection references to valid connections in the target tenant.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 Detect new members
Used inside Filter Array; combined with @length(body('Filter_Baseline_for_This_Member')) equals 0 to flag a new member.
EXPR.02 Detect removals
Same pattern reversed — filter current group members by baseline email; length 0 means the member was removed.
EXPR.03 Audit title format
Composes the Title column for each audit log entry; swap Added/Removed for the removal branch.
EXPR.04 Timestamp
Used for the DetectedDate and LastSyncDate columns on the audit log and baseline items.
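The comparison described by EXPR.01 through EXPR.04, written out as an added Python example; it is not the flow's own expressions, and it uses set differences in place of the per-member Filter Array. The title format, the ChangeType and MemberEmail column names, the sample addresses and the empty-snapshot guard are assumptions made for illustration.

```python
from datetime import datetime, timezone

def _norm(email):
    # Directory and list values can differ in case or padding; compare normalised.
    return email.strip().lower()

def diff_membership(baseline, current, group_name, now=None):
    """Compare baseline emails with current member emails.

    Returns (changes_detected, audit_entries, change_summary), mirroring the
    flow's Changes Detected flag, audit log rows and Change Summary string.
    """
    base = {_norm(e) for e in baseline}
    curr = {_norm(e) for e in current}
    # Added safeguard (not in the flow): an empty snapshot against a populated
    # baseline is more likely a failed read than a real mass removal.
    if base and not curr:
        raise ValueError("current snapshot is empty; refusing to log removals")
    detected = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    changes = [("Added", e) for e in sorted(curr - base)]     # EXPR.01
    changes += [("Removed", e) for e in sorted(base - curr)]  # EXPR.02
    entries = [
        {
            "Title": f"{group_name} - {kind} - {email}",  # EXPR.03, format assumed
            "ChangeType": kind,        # assumed column name
            "MemberEmail": email,      # assumed column name
            "DetectedDate": detected,  # EXPR.04
        }
        for kind, email in changes
    ]
    summary = "\n".join(f"{e['ChangeType']}: {e['MemberEmail']}" for e in entries)
    return bool(entries), entries, summary

# Constructed sample data, not taken from a real tenant.
BASELINE = ["alice@example.com", "Bob@Example.com", "carol@example.com"]
CURRENT = ["alice@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    flag, rows, text = diff_membership(BASELINE, CURRENT, "Finance Admins")
    print(flag)
    print(text)
```

Without the normalisation step, the case difference between Bob@Example.com and bob@example.com would be logged as one removal plus one addition.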