Shared Connection Audit Report
A scheduled flow queries connection objects from Dataverse and identifies connections shared with multiple users beyond the owner. It enriches the results with an Office 365 Users lookup and sends a formatted Outlook report highlighting high-risk shared connections that could allow unauthorized data access.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
The Shared Connection Audit Report is a scheduled governance flow that audits all connection references in a Dataverse environment, identifies connections shared with multiple users beyond a configurable threshold, enriches each record with the owner's display name via Office 365 Users, and delivers a formatted HTML audit report to the admin team via Outlook.
Use Case
IT Admins need visibility into which Power Platform connections are shared across users. Over-shared connections can expose sensitive data access — this flow automates weekly detection and reporting of high-risk shared connections so admins can take action before a security incident occurs.
Flow Architecture
- Weekly Schedule (Recurrence): Fires every Monday at 8:00 AM UTC.
- Init varAdminEmail (Initialize Variable): Binds to the flowlibs_AdminNotificationEmail environment variable.
- Init varThreshold (Initialize Variable): Binds to the flowlibs_SharedConnectionThreshold environment variable (cast to int).
- Init varReportHtml (Initialize Variable): Empty string accumulator for HTML table rows.
- Init varHighRiskCount (Initialize Variable): Integer counter for flagged connections.
- List Connection References (Dataverse List Records): Queries the connectionreferences table filtered by statecode eq 0 (active).
- For Each Connection Reference (Apply to Each): Iterates all active connection references. For each item: looks up the owner profile via Office 365 Users, then runs the threshold condition to append either a high-risk or normal row to the report.
- Get Connection Owner Profile (Office 365 Users — User Profile (V2)): Inside the loop: looks up the owner display name by _ownerid_value from the current connection reference.
- If Shared Beyond Threshold (If condition): Compares the connection sharing count against the configured threshold (varThreshold).
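The loop described above, as an added Python example (not the flow's own definition). It assumes a hypothetical shared_user_count field, a strictly-greater-than comparison for "beyond threshold", and a constructed subject format; none of these are specified on this page.

```python
import html
from datetime import date

# Constructed sample data; "shared_user_count" is a hypothetical field name,
# since the page does not say which column holds the sharing count.
CONNECTION_REFS = [
    {"name": "SQL Finance", "_ownerid_value": "guid-1", "shared_user_count": 5},
    {"name": "<b>SharePoint HR</b>", "_ownerid_value": "guid-2", "shared_user_count": 2},
    {"name": "Outlook Alerts", "_ownerid_value": "guid-404", "shared_user_count": 3},
]
OWNERS = {"guid-1": "Ana Diaz", "guid-2": "Li Wei"}  # stands in for Office 365 Users


def parse_threshold(raw, default=2):
    """Cast the String environment variable to int; fall back on bad input."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        return default
    return value if value >= 0 else default


def build_report(refs, owners, raw_threshold, today):
    """Return (subject, high_risk_count, html_table) for one audit run."""
    threshold = parse_threshold(raw_threshold)
    rows, high_risk = [], 0
    for ref in refs:
        # A failed owner lookup must not drop the row from the audit.
        owner = owners.get(ref["_ownerid_value"], "Unknown owner")
        flagged = ref["shared_user_count"] > threshold  # assumed: strictly beyond
        high_risk += flagged
        # Escape every value: connection names are user-controlled text
        # and end up in an HTML email read by admins.
        cells = (ref["name"], owner, str(ref["shared_user_count"]),
                 "HIGH RISK" if flagged else "OK")
        rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>")
    subject = f"Shared Connection Audit {today.isoformat()}: {high_risk} high-risk"
    return subject, high_risk, "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    subject, count, body = build_report(CONNECTION_REFS, OWNERS, "2", date(2024, 1, 1))
    print(subject)
    print(body)
```

The two cases worth carrying into the real flow are the fallback when the owner lookup returns nothing and the escaping of field values before they are appended to varReportHtml.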
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_AdminNotificationEmail | String | <configure> | Recipient email for the audit report. Set to your IT admin distribution list or individual admin mailbox. |
| flowlibs_SharedConnectionThreshold | String | 2 | Number of shared users before a connection is flagged as high-risk. Stored as String and cast to int at runtime. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Microsoft Dataverse | shared_commondataserviceforapps | ListRecords (Lists active connectionreferences records) |
| Office 365 Users | shared_office365users | UserProfile_V2 (Looks up the connection owner's display name) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (Sends the formatted audit report) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Change the recipient: Update the flowlibs_AdminNotificationEmail environment variable current value to your admin distribution list or individual email.
- Adjust the threshold: Update flowlibs_SharedConnectionThreshold to change how many shared users trigger a high-risk flag (default: 2).
- Change the schedule: Edit the Weekly Schedule trigger to run daily, biweekly, or monthly depending on your audit cadence.
- Add more detail: Extend the HTML row template in the Append actions to include additional connection reference fields (e.g., connectionid, description).
- Filter by connector type: Add additional $filter criteria to the List Connection References action to audit only specific connector types.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics. Its key expressions are listed below in the order they appear in the flow.
EXPR.01 Threshold cast
Converts the String environment variable to an integer for comparison in the If condition.
EXPR.02 Owner lookup
Extracts the owner GUID from each connection reference record inside the Apply to Each loop.
EXPR.03 Dynamic subject
Builds the email subject with today's date and the high-risk count.
EXPR.04 Report assembly
Used in the Compose action to assemble the complete HTML document with styled table, summary statistics, and footer.