Guest User App Sharing Audit
Power Apps for Admins lists all app role assignments, filters for external/guest user accounts, and sends a weekly formatted Outlook report to the admin. Catches apps accidentally shared outside the org.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations.
Overview
FlowLibs - Guest User App Sharing Audit is a scheduled governance flow that audits all Power Apps in a target environment for external/guest user sharing. It uses the Power Apps for Admins connector to enumerate every app and its role assignments, filters for guest principals (by type or #EXT# email pattern), logs a summary to Dataverse, and emails the admin a formatted HTML report. If no guest sharing is detected, it sends an all-clear confirmation instead.
Use Case
Organizations using Power Platform often need to know which canvas apps have been shared with external (guest) users. This flow automates that audit on a weekly schedule, replacing manual reviews and catching accidentally shared apps before they become a compliance issue.
The flow is ideal for:
- IT Admins
- Security & Compliance teams
Flow Architecture
Recurrence Weekly
Recurrence: Fires every Monday at 8:00 AM UTC.
Initialize Variables
Initialize variable (x6, parallel): Initializes six variables: `varTargetEnvironment` from `flowlibs_TargetEnvironmentName`, `varAdminEmail` from `flowlibs_AdminAlertRecipientEmail`, `varReportSubject` from `flowlibs_GuestAuditReportSubject`, `varReportRows` (String, empty) to accumulate HTML table rows, `varGuestCount` (Integer, 0) to count guest sharing instances, and `varAppsScanned` (Integer, 0) to count total apps audited.
Get All Apps As Admin
Power Apps for Admins — Get Apps As Admin: Lists all Power Apps in the target environment.
Loop Each App
Apply to each: For each app returned: increments `varAppsScanned`, calls Power Apps for Admins to get the app's role assignments, filters that array to guest principals (principal type = `Guest` or email contains `#EXT#`), and if any guest assignments are found, loops each guest to increment `varGuestCount` and append an HTML table row (app name, guest email, display name, role) to `varReportRows`.
Check Any Guests Found
If condition: Branches on whether `varGuestCount > 0`.
- Build Report HTML — Compose wraps the accumulated report rows in a styled HTML table with header, audit date, environment, and apps-scanned count.
- Log Audit To Dataverse — Creates a record in `flowlibs_guestappauditlogs` capturing audit date, guest count, apps scanned, and finding summary.
- Send Guest Audit Report — Outlook SendEmailV2 sends the HTML report to the admin with High importance.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_TargetEnvironmentName | String | <your-tenant-id> | The Power Platform environment ID to audit. Set to the GUID of the environment you want to scan. |
| flowlibs_AdminAlertRecipientEmail | String | admin@contoso.com | Email address that receives the audit report. |
| flowlibs_GuestAuditReportSubject | String | Weekly Guest User App Sharing Audit Report | Subject line for the audit email. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Power Apps for Admins | shared_powerappsforadmins | GetAppsAsAdmin (lists apps in environment); GetAppRoleAssignments (lists role assignments per app) |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord (logs audit results to flowlibs_guestappauditlogs) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (sends HTML audit report or all-clear email) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Import the solution
  - Import the FlowLibsGuestUserAppSharingAudit solution into your target environment.
- Update environment variable values
  - Set flowlibs_TargetEnvironmentName to your environment ID, set flowlibs_AdminAlertRecipientEmail to your admin's email, and optionally customize flowlibs_GuestAuditReportSubject.
- Authorize connections
  - Open the flow in the designer and authorize connections for Power Apps for Admins, Dataverse, and Outlook.
- Turn on the flow
  - Toggle the flow from Off to On after connections and env vars are configured.
- Adjust the schedule
  - Modify the Recurrence trigger to a different frequency (daily, bi-weekly, etc.) if weekly is not the right cadence for your team.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics. Its key expressions are listed below in the order they appear in the flow.
EXPR.01 Guest detection filter
Used in the Filter Array step to keep only guest principals — matches either by principal type `Guest` or by `#EXT#` in the email.
EXPR.02 HTML report row
Appended to `varReportRows` for each guest assignment — produces a four-column row with app name, guest email, display name, and role.
EXPR.03 Audit log name
Used as the Dataverse audit log record name, stamped with the run date.
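The guest detection filter and report-row logic described above, as an added Python sketch for testing the rule offline; it is not the flow's own expressions. The record field names and sample data are assumptions, and the sketch goes slightly beyond the page by matching case-insensitively, tolerating missing emails, and HTML-escaping each cell so markup in a name or address cannot alter the emailed table.

```python
import html

# Constructed sample data. The field names (principalType, email, displayName,
# roleName) are assumptions for this sketch, not the connector's actual schema.
SAMPLE_APPS = [
    {"name": "Expense Tracker", "assignments": [
        {"principalType": "User", "email": "ana@contoso.com",
         "displayName": "Ana", "roleName": "CanEdit"},
        {"principalType": "User",
         "email": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
         "displayName": "Bob <b>Ext</b>", "roleName": "CanView"},
    ]},
    {"name": "Visitor Log", "assignments": [
        {"principalType": "Guest", "email": None,
         "displayName": "Partner Guest", "roleName": "CanView"},
        {"principalType": "Group", "email": "team@contoso.com",
         "displayName": "Team", "roleName": "CanView"},
    ]},
    {"name": "Internal Only", "assignments": []},
]


def is_guest(assignment):
    """True when the principal type is Guest or the email carries #EXT#."""
    ptype = (assignment.get("principalType") or "").lower()
    email = (assignment.get("email") or "").lower()
    return ptype == "guest" or "#ext#" in email


def report_row(app_name, a):
    """Four-column row: app name, guest email, display name, role (escaped)."""
    cells = [app_name, a.get("email") or "",
             a.get("displayName") or "", a.get("roleName") or ""]
    return "<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>"


def audit(apps):
    """Mirror of the per-app loop: (apps_scanned, guest_count, report_rows)."""
    scanned, guests, rows = 0, 0, ""
    for app in apps:
        scanned += 1
        for a in filter(is_guest, app["assignments"]):
            guests += 1
            rows += report_row(app["name"], a)
    return scanned, guests, rows


if __name__ == "__main__":
    print(audit(SAMPLE_APPS))
```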