Access Review Reminder Automation

Overview

FlowLibs - Access Review Reminder Automation is a scheduled cloud flow that runs the first day of every month at 9:00 AM Eastern, walks the directory of Microsoft 365 users, identifies anyone with one or more direct reports (i.e. a people manager), and emails each of them a personalised access-review reminder with a deadline calculated from a configurable env var. After the per-manager loop finishes, the flow sends an HTML digest to the security team and posts a summary card to a Microsoft Teams channel so the security/IT-admin team has full visibility into who was reminded and how many direct reports each manager is responsible for.

The flow ships in the Off state — turning it on requires only authorising the three connections (Office 365 Users, Office 365 Outlook, Microsoft Teams) and updating the Teams group/channel env var values to point at the security review channel.

Use Case

Quarterly or monthly access reviews are a recurring control in most ISO 27001 / SOC 2 / NIST CSF compliance programs, but they fall through the cracks when reminders rely on humans remembering to nudge other humans. This flow automates the nudge: every people-manager in the directory gets a deadline-bound email at the same cadence, the security team gets a single consolidated digest of who was reminded, and the Teams channel gets a public-facing summary so the program's progress is visible to leadership. Because the flow uses real connector calls (Office 365 Users SearchUserV2 + DirectReports_V2), no manual roster maintenance is required.

Flow Architecture

Environment Variables

Connectors & Connections

Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.

Customization Guide

Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.

Adjust the cadence

Edit the Monthly_Access_Review_Reminder trigger. Change frequency from Month to Week for a weekly cadence.

Tighten the directory scope

Search_All_Active_Users passes searchTerm empty and top 200. To target a specific department, set searchTerm. To support directories larger than 200, replace with a paginated loop using skipToken.

Change the deadline

Update flowlibs_AccessReviewDeadlineDays (parsed to int). Default 7. 14 or 30 are common for less time-sensitive reviews.

Change reminder copy

Update flowlibs_AccessReviewReminderSubject for the email subject. Edit emailMessage/Body on Send_Manager_Reminder_Email for the body copy.

Skip non-people-managers explicitly

Check_Is_Manager uses greater(reportsCount, 0). To exclude users with fewer than N reports, change to greaterOrEquals(reportsCount, N).

Change the audit channels

Update flowlibs_SecurityTeamEmail, flowlibs_TeamsGroupId, flowlibs_TeamsChannelId. The Teams channel ID is in the desktop app via Get link to channel.

Wire up Microsoft Entra Access Reviews

For Entra ID P2 licensing, replace the open the admin center instruction with a direct link to a pre-configured Access Review.

Cc the security team on manager emails

Add emailMessage/Cc = @variables('varSecurityTeamEmail') to Send_Manager_Reminder_Email for real-time visibility.

Key Expressions

The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.

@formatDateTime(addDays(utcNow(), variables('varReviewDeadlineDays')), 'yyyy-MM-dd')

@coalesce(body('Get_Direct_Reports')?['value'], createArray())

@greater(outputs('Compose_Reports_Count'), 0)

@{concat('<tr><td>', coalesce(items('Apply_To_Each_User')?['displayName'], 'Unknown'), '</td>...</tr>')}

@{concat('FlowLibs Access Review - ', string(variables('varManagerCount')), ' managers notified')}