Key Vault Secret Expiry Rotation Alert
Daily flow lists secrets in an Azure Key Vault, checks each secret's expiry date, and raises a tiered Teams + Outlook alert for any secret expiring within a configurable window (default 30 days). Logs every near-expiry secret to a Dataverse tracking table so platform owners have an audit trail of rotation events.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow proactively guards against a common cause of production outages in integration-heavy tenants: an expired secret nobody was watching. On a daily recurrence it enumerates every secret in a target Azure Key Vault (metadata only; no secret values are read), computes each secret's days-to-expiry from its attributes.exp value (Unix epoch seconds), and surfaces anything inside a configurable window through a tiered notification: a Teams channel post for the platform team plus a high-importance Outlook email to the secret owner or the platform fallback address. Every near-expiry secret is also written to a Dataverse audit table, and a single end-of-run digest email summarizes the run. Key Vault's own near-expiry signal is an Event Grid event (Microsoft.KeyVault.SecretNearExpiry), which still needs a subscription and a handler before a human sees it; this flow puts the warning in front of the right person while there is still time to rotate, and keeps a Dataverse audit trail for compliance.
Use Case
Platform and security teams that store API keys, connection strings, and certificates in Key Vault need lead time before a secret lapses. This flow gives a configurable runway (default 30 days), escalates urgency as the date approaches through 3-day / 14-day / 30-day severity tiers, and keeps a Dataverse record of every alert so rotation can be audited.
Flow Architecture
- Daily 07:00 (Recurrence): Runs once daily at 07:00 Eastern.
- Initialize Variables (Initialize variable): Binds the vault name, the warning window (int, parsed from the String environment variable), the digest/fallback email, the Teams group/channel ids, the HTML digest accumulator, the found-counter, and the detected-on timestamp.
- List Secrets (Azure Key Vault - ListSecrets): Lists every secret (metadata only) in the vault.
- Apply To Each Secret (Apply to each): Computes days-to-expiry from attributes.exp; for secrets with a non-null expiry within the window, sets a severity tier (Critical/High/Warning).
- Log To Dataverse (Dataverse - CreateRecord): Writes an audit row (name, vault, expiry, days-left, severity, detected-on) to flowlibs_secretexpiryalert.
- Post Teams Alert + Email Owner (Teams - PostMessageToConversation / Outlook - SendEmailV2): Posts a tiered alert card to the platform channel and sends a high-importance email to the secret owner or fallback; appends an HTML row to the digest.
- Send Daily Digest (Outlook - SendEmailV2): When at least one near-expiry secret is found, emails an end-of-run digest summarizing the run.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_KeyVaultName | String | kv-flowlibs-demo | Target Key Vault name. |
| flowlibs_SecretExpiryThresholdDays | String | 30 | Days-out warning threshold. |
| flowlibs_PlatformTeamEmail | String | platform@yourcompany.com | Fallback owner / digest recipient. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team id for alerts. |
| flowlibs_TeamsChannelId | String | <your-channel-id> | Teams channel id for alerts. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Key Vault | shared_keyvault | ListSecrets |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Point at your vault
  - Set flowlibs_KeyVaultName and authorize the Key Vault connection as an identity with only what listing needs: the List permission on secrets under access policies, or the Key Vault Reader role under Azure RBAC (reads metadata, never values). Get is only needed by the owner-tag variant below, and it lets the flow read secret values, so grant it deliberately.
- Tune the window
  - Raise flowlibs_SecretExpiryThresholdDays for more lead time (and more alerts per run), lower it for less. The 3-day and 14-day tier boundaries live in the severity expression inside the flow, so a threshold below 14 makes the Warning tier unreachable unless that expression is edited too.
- Set the alert routing
  - Populate flowlibs_TeamsGroupId / flowlibs_TeamsChannelId for the platform channel and flowlibs_PlatformTeamEmail for the digest/fallback recipient.
- Per-secret owner routing
  - Store an owner tag on each secret and read it inside the loop, falling back to flowlibs_PlatformTeamEmail. The Key Vault REST list operation returns each secret's tags alongside its attributes, so check the ListSecrets output before adding a GetSecret call: GetSecret also returns the secret value, which widens what the flow and its run history can see.
- Cover keys and certificates too
  - Keys: clone the loop using the Key Vault ListKeys operation. Certificates: there is no connector operation, but every Key Vault certificate has a backing secret of the same name whose attributes.exp matches the certificate's expiry, so the secret loop already catches it; for certificate-specific metadata, call the Key Vault data-plane REST API over HTTP (GET https://{vault}.vault.azure.net/certificates?api-version=7.4) with the connection's identity. Microsoft Graph does not expose Key Vault certificates.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics; the heaviest expressions are the epoch arithmetic that yields days-to-expiry and the severity-tier conditional. They are listed below in the order they appear in the flow.
- EXPR.01: Days remaining from epoch expiry. Whole days from now to the secret's epoch expiry.
- EXPR.02: In-window test. Only secrets with a set, near expiry.
- EXPR.03: Severity tier. 3-day / 14-day / 30-day tiers.
- EXPR.04: Epoch to DateTime. Audit-row expiration date.
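The four expressions above, worked through as a runnable model of one Apply To Each iteration. This is an added example written in Python for this page, not the flow's own WDL; it reproduces the page's 3/14/30-day tiering and the attributes.exp epoch arithmetic over a constructed secret listing (the vault URL, secret names, owner tag and the fixed clock are all made up here). Two behaviours are assumptions the page does not state: an already-expired secret (negative days) is kept in the window and tiered Critical, and the owner is read from an `owner` tag with the platform address as fallback.

```python
"""Model of the per-secret evaluation the flow's Apply To Each performs.

Added example for this page, not the flow's own WDL expressions. The input
mirrors the shape of a Key Vault list-secrets item (id, attributes.exp as
Unix epoch seconds, optional tags); all sample secrets and the clock are
constructed here so the script runs offline.
"""
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400
DEFAULT_THRESHOLD_DAYS = 30                   # flowlibs_SecretExpiryThresholdDays
FALLBACK_OWNER = "platform@yourcompany.com"   # flowlibs_PlatformTeamEmail
CRITICAL_DAYS, HIGH_DAYS = 3, 14              # inner tier boundaries from the page

# Constructed clock: 2025-01-01T00:00:00Z, so results are reproducible.
NOW_EPOCH = 1_735_689_600


def secret_name(secret_id: str) -> str:
    """Last path segment of https://<vault>.vault.azure.net/secrets/<name>."""
    return secret_id.rstrip("/").rsplit("/", 1)[-1]


def days_remaining(exp_epoch: int, now_epoch: int = NOW_EPOCH) -> int:
    """EXPR.01: whole days from now to expiry. Negative means already expired."""
    return (exp_epoch - now_epoch) // SECONDS_PER_DAY


def in_window(exp_epoch, now_epoch=NOW_EPOCH, threshold=DEFAULT_THRESHOLD_DAYS) -> bool:
    """EXPR.02: expiry is set and within the window.

    Assumption (not stated on the page): an already-expired secret is still
    in the window, since it needs rotation even more urgently.
    """
    if exp_epoch is None:
        return False
    return days_remaining(exp_epoch, now_epoch) <= threshold


def severity(days_left: int, threshold=DEFAULT_THRESHOLD_DAYS):
    """EXPR.03: Critical <= 3 days, High <= 14, Warning <= threshold, else None."""
    if days_left <= CRITICAL_DAYS:
        return "Critical"
    if days_left <= HIGH_DAYS:
        return "High"
    if days_left <= threshold:
        return "Warning"
    return None


def epoch_to_iso(exp_epoch: int) -> str:
    """EXPR.04: epoch seconds to the ISO 8601 UTC string used for the audit row."""
    return datetime.fromtimestamp(exp_epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def evaluate(secret: dict, now_epoch=NOW_EPOCH, threshold=DEFAULT_THRESHOLD_DAYS):
    """One loop iteration: the audit/alert row, or None when nothing fires."""
    exp = secret.get("attributes", {}).get("exp")
    if not in_window(exp, now_epoch, threshold):
        return None
    days_left = days_remaining(exp, now_epoch)
    tags = secret.get("tags") or {}
    return {
        "name": secret_name(secret["id"]),
        "expires_on": epoch_to_iso(exp),
        "days_left": days_left,
        "severity": severity(days_left, threshold),
        # Per-secret owner routing variant (assumed tag name): 'owner', else fallback.
        "owner": tags.get("owner", FALLBACK_OWNER),
        "detected_on": epoch_to_iso(now_epoch),
    }


def evaluate_all(secrets, now_epoch=NOW_EPOCH, threshold=DEFAULT_THRESHOLD_DAYS):
    """Whole run: alert rows sorted most urgent first, as the digest should list them."""
    rows = [r for r in (evaluate(s, now_epoch, threshold) for s in secrets) if r]
    return sorted(rows, key=lambda r: r["days_left"])


VAULT = "https://kv-flowlibs-demo.vault.azure.net/secrets/"

# Constructed sample listing; only 'exp' and 'tags' matter to the flow.
SAMPLE_SECRETS = [
    {"id": VAULT + "sql-conn-string",
     "attributes": {"enabled": True, "exp": NOW_EPOCH + 2 * SECONDS_PER_DAY + 3600},
     "tags": {"owner": "dba@yourcompany.com"}},
    {"id": VAULT + "api-key-partner",
     "attributes": {"enabled": True, "exp": NOW_EPOCH + 10 * SECONDS_PER_DAY}},
    {"id": VAULT + "storage-sas",
     "attributes": {"enabled": True, "exp": NOW_EPOCH + 29 * SECONDS_PER_DAY + 3600}},
    {"id": VAULT + "long-lived",
     "attributes": {"enabled": True, "exp": NOW_EPOCH + 90 * SECONDS_PER_DAY}},
    {"id": VAULT + "no-expiry",
     "attributes": {"enabled": True}},                      # exp never set
    {"id": VAULT + "already-expired",
     "attributes": {"enabled": True, "exp": NOW_EPOCH - SECONDS_PER_DAY}},
]

if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_SECRETS):
        print(f"{row['severity']:<8} {row['days_left']:>4}d  {row['name']:<18} -> {row['owner']}")
```

Run the script and it prints one line per alert, most urgent first; the secret with no expiry and the one 90 days out produce nothing, which is the behaviour EXPR.02 must preserve. Pin these cases down before changing the threshold or the tier boundaries in the flow.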