App Shared with Everyone Detector
The Power Apps for Admins connector checks each app's role assignments for tenant-wide sharing. When any app is shared with the entire org, the flow triggers an immediate Teams alert to the admin channel. This is a high-value compliance catch for apps with sensitive data.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations.
Overview
This compliance-focused flow scans all Power Apps in a target environment daily, checks each app's role assignments for tenant-wide sharing, and immediately alerts the admin team via Microsoft Teams and email when an app is discovered that has been shared with the entire organization. This is a high-value governance catch — apps shared with "Everyone" may expose sensitive data to the entire tenant.
Use Case
Organizations with self-service Power Platform environments often have makers who accidentally (or intentionally) share apps with the entire organization. This flow provides a daily automated audit, flagging any app with a "Tenant" or "Everyone" principal type in its role assignments. The admin team receives both a per-app Teams alert and a consolidated email summary for review and remediation.
Flow Architecture
Recurrence Daily Scan
Recurrence: Runs daily at 8:00 AM.
Initialize Variables
Initialize variable (x6, parallel): Initializes six variables in parallel: varTeamsGroupId (from flowlibs_TeamsGroupId env var), varTeamsChannelId (from flowlibs_TeamsChannelId env var), varTargetEnvironment (from flowlibs_TargetEnvironmentName env var), varNotificationEmail (from flowlibs_NotificationEmail env var), varFlaggedAppsHtml (empty string, accumulates HTML table rows), and varFlaggedCount (0, counts flagged apps).
Get All Apps As Admin
Get Apps as Admin: The Power Apps for Admins connector lists all apps in the target environment.
For Each App
Apply to each (concurrency = 1): For each app returned by the admin list, the flow gets the app's role assignments and filters for Everyone/Tenant principals. If any matches are found, it increments varFlaggedCount, appends an HTML table row (app name, ID, owner, created date) to varFlaggedAppsHtml, and posts an immediate Teams channel alert with the app details and a review prompt.
Check If Any Apps Flagged
If condition: Evaluates whether varFlaggedCount is greater than 0 after the loop completes.
- If yes: Send Summary Email. Sends a consolidated HTML email via Outlook with a table of all flagged apps to the notification recipient.
- If no: empty branch, no action.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_TeamsGroupId | String | <configure> | The Microsoft 365 Group ID for the Teams team where alerts are posted. |
| flowlibs_TeamsChannelId | String | <configure> | The Channel ID within the Teams team for alert messages. |
| flowlibs_TargetEnvironmentName | String | <your-tenant-id> | The Power Platform environment name (GUID-style identifier, e.g., Default-<your-tenant-id>) to scan for shared apps. |
| flowlibs_NotificationEmail | String | alerts@yourcompany.com | Email address for the consolidated daily summary report. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Power Apps for Admins | shared_powerappsforadmins | GetAppsAsAdmin (lists all apps in the target environment); GetAppRoleAssignments (retrieves permissions per app) |
| Microsoft Teams | shared_teams | PostMessageToChannel (per-app alert to the admin channel) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (consolidated summary email with HTML table) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Set Environment Variables
  - In the solution, update the four environment variable current values: Teams Group ID and Channel ID for your admin alert channel, target environment name (the GUID-style environment identifier), and the notification email for the daily summary recipient.
- Authorize Connections
  - Open the flow and authorize the Power Apps for Admins, Teams, and Outlook connections with an admin account that has the Power Platform Admin or Global Admin role.
- Adjust Schedule
  - The default is daily at 8:00 AM; modify the Recurrence trigger for your preferred cadence.
- Turn On
  - Toggle the flow from Off to On.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 Filter for Everyone sharing
Used inside the Filter Array action to keep only role assignments shared with the whole tenant or a display name containing 'Everyone'.
EXPR.02 HTML table row construction
Builds one row of the consolidated email's HTML table for each flagged app (display name, app ID, owner, created date).
EXPR.03 Flagged count check
Condition expression that gates the summary email — only send when at least one app was flagged.
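The logic of the three expressions above, as an added Python example that is not part of the original flow. The app records and field names (principalType, principalDisplayName, and so on) are constructed for illustration and are not the connector's response schema; the 'Everyone' match is made case-insensitive here, and cell values are HTML-escaped because app names are maker-controlled.

```python
import html

# Constructed sample data: the field names (displayName, principalType, ...) are
# assumptions for illustration, not the connector's actual response schema.
APPS = [
    {"id": "app-001", "displayName": "Expense Tracker", "owner": "a.maker@example.com",
     "created": "2024-01-15",
     "roles": [{"principalType": "User", "principalDisplayName": "A. Maker"}]},
    {"id": "app-002", "displayName": "HR Cases <b>v2</b>", "owner": "b.maker@example.com",
     "created": "2024-03-02",
     "roles": [{"principalType": "User", "principalDisplayName": "B. Maker"},
               {"principalType": "Tenant", "principalDisplayName": ""}]},
    {"id": "app-003", "displayName": "Floor Plan", "owner": "c.maker@example.com",
     "created": "2024-05-20",
     "roles": [{"principalType": "Group",
                "principalDisplayName": "Everyone except external users"}]},
]


def everyone_assignments(roles):
    """EXPR.01 logic: keep tenant-wide principals or names containing 'Everyone'."""
    return [r for r in roles
            if (r.get("principalType") or "").lower() == "tenant"
            or "everyone" in (r.get("principalDisplayName") or "").lower()]


def html_row(app):
    """EXPR.02 logic: one table row; values are escaped because makers control them."""
    cells = (app["displayName"], app["id"], app["owner"], app["created"])
    return "<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>"


def scan(apps):
    """Mirror the loop: count flagged apps and accumulate HTML rows."""
    flagged_count, rows = 0, ""
    for app in apps:
        if everyone_assignments(app["roles"]):
            flagged_count += 1
            rows += html_row(app)
    # EXPR.03 logic: the summary email is sent only when something was flagged.
    return {"count": flagged_count, "rows_html": rows, "send_summary": flagged_count > 0}


if __name__ == "__main__":
    print(scan(APPS))
```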