Orphaned Flow Cleanup Notifier
Identify flows whose owners have left the org (no Azure AD match) and notify admins with a list to reassign or delete.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
FlowLibs - Orphaned Flow Cleanup Notifier is a scheduled (weekly) Power Automate cloud flow that scans every flow in the target environment, verifies whether each flow's owner still exists in Microsoft Entra ID, and emails the FlowLibs administrator a consolidated report of any "orphaned" flows whose creator has left the organization. The report lets admins decide whether to reassign or delete each flow before it becomes a security or governance problem.
Use Case
When employees leave an organization, the cloud flows they created stay behind, often running for months under credentials that no longer have a real human owner. These orphaned flows are a common governance gap — they bypass new-hire onboarding controls, complicate access reviews, and frequently break silently when their stale connections finally expire.
This flow gives the IT/CoE team a weekly "Monday morning" snapshot of which flows have lost their owner so the team can act on them while the issue is still small.
Flow Architecture
Recurrence Weekly Monday 9am
Recurrence: Fires every Monday at 09:00 Eastern Time.
Initialize varTargetEnvironment
Initialize Variable (String): Loads the flowlibs_TargetEnvironmentName environment variable — the GUID of the environment whose flows should be scanned.
Initialize varAdminEmail
Initialize Variable (String): Loads the flowlibs_AdminEmail environment variable — the recipient for the orphaned-flow report.
Initialize varOrphanedFlowsHtml
Initialize Variable (String): Empty string accumulator for the <tr> rows that will eventually be wrapped into the report email's HTML table.
Initialize varOrphanedCount
Initialize Variable (Integer): Counter that tracks how many orphaned flows are found — drives the final email gate so admins only get a message on weeks with at least one orphan.
List Flows In Environment
Power Automate Management — ListFlowsInEnvironment_V2: Returns every flow in the target environment along with creator metadata, state, and last-modified time.
Apply To Each Flow
Foreach over body('List_Flows_In_Environment')?['value']: Iterates each flow returned by the previous action. The body of the loop wraps the owner lookup in a Scope so that a failed lookup does not abort the whole run.
Try Get Flow Owner (Scope)
Scope: Wraps the Office 365 Users lookup so its failure can be detected via result('Try_Get_Flow_Owner')[0]?['status'] instead of halting the loop. Inside the scope, Get Owner Profile (Office 365 Users — UserProfile_V2) looks up the flow creator's userId in Entra ID; this call fails when the user has been deleted.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_TargetEnvironmentName | String | <your-tenant-id> | GUID of the Power Platform environment to scan for orphaned flows. Set this to the environment GUID you want the weekly report to cover. |
| flowlibs_AdminEmail | String | alerts@yourcompany.com | Recipient address for the orphaned-flow report. A monitored mailbox or distro list works well — the flow only sends when one or more orphans are detected. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Power Automate Management | shared_flowmanagement | ListFlowsInEnvironment_V2 (lists every flow in the target environment with creator metadata) |
| Office 365 Users | shared_office365users | UserProfile_V2 (resolves a flow creator's userId to a real Entra ID user — fails when the user has been deleted) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (sends the orphaned-flow report email) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Authorize all three connections
- When you open the flow in the designer, each OpenApiConnection action will prompt for 'Add an authorized connection' on first edit. Authorize Power Automate Management, Office 365 Users, and Office 365 Outlook with an account that has at least Environment Admin (or Power Platform Admin) rights — the Power Automate Management connector requires admin scope to list flows owned by other users.
- Set the target environment GUID
- Set flowlibs_TargetEnvironmentName in the solution to the GUID of the environment you want to scan. Override per environment if you re-import into multiple tenants.
- Set the admin recipient
- Set flowlibs_AdminEmail to a monitored mailbox or distro list. The flow sends only when one or more orphaned flows are found, so a slightly broader distro is fine.
- Optional — change the schedule
- The trigger fires Mondays at 09:00 ET. To change cadence, edit the Recurrence trigger in the designer (frequency, interval, weekDays, hours, timeZone).
- Optional — extend the orphan definition
- Today, 'orphan' means the creator's userId no longer resolves in Entra ID. To also flag flows whose owner is disabled but not deleted, add a check on body('Get_Owner_Profile')?['accountEnabled'] inside the scope and treat false the same as a failed lookup.
- Turn the flow on
- The flow ships in the Stopped (Off) state. Toggle it to On from the flow's details page once connections and environment variables are configured.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01: Iterate flows returned by the management connector
Used as the foreach input on Apply To Each Flow.
EXPR.02: Pull the creator's Entra ID object ID
Passed as the id parameter to Office 365 Users — UserProfile_V2.
EXPR.03: Detect a failed owner lookup
True when the inner UserProfile_V2 call failed, i.e. the user is gone. This is the condition on the If Owner Lookup Failed action.
EXPR.04: Build one report row per orphaned flow
Appended to varOrphanedFlowsHtml each time an orphan is found.
EXPR.05: Gate the report email on orphan count
Suppresses the email when no orphans are found.
EXPR.06: Subject line with embedded orphan count
Used on Send Orphaned Flow Report Email — parameters/emailMessage/Subject, so triage can read the count without opening the message.
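The loop body described under Flow Architecture, with EXPR.01 through EXPR.04 written out as a workflow-definition (WDL) JSON fragment. This is an added illustration, not the exported definition of the FlowLibs solution; the item path properties/creator/userId, the action names inside the condition and the HTML row markup are assumptions.

```json
{
  "Apply_To_Each_Flow": {
    "type": "Foreach",
    "foreach": "@body('List_Flows_In_Environment')?['value']",
    "actions": {
      "Try_Get_Flow_Owner": {
        "type": "Scope",
        "actions": {
          "Get_Owner_Profile": {
            "type": "OpenApiConnection",
            "inputs": {
              "host": {
                "connectionName": "shared_office365users",
                "operationId": "UserProfile_V2",
                "apiId": "/providers/Microsoft.PowerApps/apis/shared_office365users"
              },
              "parameters": {
                "id": "@items('Apply_To_Each_Flow')?['properties']?['creator']?['userId']"
              }
            }
          }
        }
      },
      "If_Owner_Lookup_Failed": {
        "type": "If",
        "runAfter": { "Try_Get_Flow_Owner": ["Succeeded", "Failed"] },
        "expression": {
          "equals": ["@result('Try_Get_Flow_Owner')[0]?['status']", "Failed"]
        },
        "actions": {
          "Append_Orphan_Row": {
            "type": "AppendToStringVariable",
            "inputs": {
              "name": "varOrphanedFlowsHtml",
              "value": "<tr><td>@{items('Apply_To_Each_Flow')?['properties']?['displayName']}</td><td>@{items('Apply_To_Each_Flow')?['properties']?['creator']?['userId']}</td><td>@{items('Apply_To_Each_Flow')?['properties']?['state']}</td></tr>"
            }
          },
          "Increment_Orphan_Count": {
            "type": "IncrementVariable",
            "runAfter": { "Append_Orphan_Row": ["Succeeded"] },
            "inputs": { "name": "varOrphanedCount", "value": 1 }
          }
        }
      }
    }
  }
}
```

The runAfter on If_Owner_Lookup_Failed must list Failed alongside Succeeded; without it the condition is skipped when the scope fails and the loop iteration itself fails. Any failure of Get_Owner_Profile satisfies the check, including a throttled or timed-out call, so a transient error will appear as an orphan in that week's report.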