Blob Retention and Legal Hold Enforcement
On a schedule, the flow enforces retention and legal-hold policy on Blob data: it reconciles a Dataverse legal-hold register against the governed container, flags missing or expired holds, logs the evaluated policy state for audit, and emails an exception report to compliance. Operationalizes data-retention governance for Blob.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow operationalizes data-retention governance for Azure Blob Storage. On a daily schedule it enforces retention and legal-hold policy on governed blob data - verifying that held blobs still exist (guarding against premature deletion), detecting holds whose retention window has lapsed, logging the evaluated policy state back to a Dataverse register for audit, and emailing an exception report to compliance.
Why it matters: retention and legal holds are compliance obligations. Automated enforcement and reporting reduce the risk of improper deletion or a missed/expired hold, and produce a defensible audit trail.
Ships in the Off state (demo). Physically applying immutability/WORM requires an ARM management-plane action (the data-plane Blob connector cannot do this); this flow governs by verification, logging, and exception reporting.
Use Case
Compliance and IT Admins need assurance that held/retained blob data is protected and auditable. The flow runs unattended each morning, reconciles the Dataverse legal-hold register against what is actually present in the governed container, flags exceptions, and reports them - turning a manual quarterly review into a daily automated control.
Flow Architecture
Daily Policy Pass
Recurrence - Runs the retention/hold policy pass each morning (05:00 ET).
Initialize Trace, Config & Accumulators
Initialize variable - Mints a correlation id; binds the storage account, governed container, retention days, compliance email, and hold-register table; seeds exception rows/count and holds-checked counters.
Read Holds + List Blobs
Dataverse ListRecords + Azure Blob ListFolder_V4 + Filter array - Reads ACTIVE holds from the register and lists files actually present in the governed container.
For Each Active Hold
Apply to each (concurrency 1) - Matches the hold's blob path against the listing, derives the policy state (MISSING / EXPIRED_RELEASE_DUE / PROTECTED), writes the state + enforcement timestamp + correlation id back to the hold row, and on non-PROTECTED appends an exception row and increments the count.
Compose & Email Report
Compose + Outlook SendEmailV2 - Builds the HTML report (summary + exception table, or all-clear) and emails it to compliance.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_BlobStorageAccount | String | yourcompanyblob | Azure Blob storage account name (connector dataset). |
| flowlibs_BlobGovernedContainer | String | compliance-hold | Container holding governed data. |
| flowlibs_RetentionDays | String | 2555 | Default retention window in days (7 years). |
| flowlibs_ComplianceEmail | String | compliance@yourcompany.com | Exception report recipient. |
| flowlibs_HoldRegistryTable | String | flowlibs_legalholds | Dataverse entity set of the hold register. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Blob Storage | shared_azureblob | ListFolder_V4 |
| Microsoft Dataverse | shared_commondataserviceforapps | ListRecords, UpdateRecord |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Apply real immutability (WORM)
- Add an ARM action calling the Storage immutabilityPolicies management API on the PROTECTED branch to enforce a time-based retention policy on the container.
- Release approval gate
- Route EXPIRED_RELEASE_DUE items through an Approvals action before any release/cleanup.
- Retention by age
- Flag blobs older than the retention days that are not under any hold (cleanup candidates).
- eDiscovery export
- On demand, copy held blobs to a secure export container for legal discovery.
- Teams escalation
- Post the exception summary to a compliance Teams channel in addition to email.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01: Policy state
Derives the per-hold policy verdict.
EXPR.02: Blob match
Finds the actual blob for a hold (0 = missing).
EXPR.03: Files only
Drops subfolders from the listing.
EXPR.04: Active-holds filter
Reads only active holds from the register.