Blob SAS Link Generation and Expiry
On a governance pass, the flow issues time-limited, read-only SAS URLs for pending blob-access requests logged in Dataverse, records who requested what and when it expires, emails the secure link, then expires and reports lapsed links. Provides governed, auditable temporary access to Blob files. The storage signing key stays in Key Vault.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow delivers governed, auditable, time-limited access to Azure Blob Storage files. On each pass it issues scoped, expiring SAS (Shared Access Signature) links for pending requests logged in a Dataverse table, records who requested what and when it expires, emails the secure link to the requester, then expires and reports links that have passed their validity window. The storage signing key stays in Azure Key Vault and is never written into a link, email, or Dataverse log row; turn on Secure Outputs on the GetSecret action so the value also stays out of the flow's run history.
Why it matters: a SAS URL is a bearer credential, so anyone who obtains it (from a forwarded email, a chat log, a screenshot) can use it until it expires. Ad-hoc sharing of blob files via long-lived, broadly scoped links therefore leaves a standing hole. Read-only, HTTPS-only SAS links scoped to a single blob, with a hard expiry and a full audit trail, bound the damage of a leaked link and keep sharing reviewable.
Ships turned off (demo).
Use Case
A user needs to share a single file from a governed container temporarily, without exposing the whole container or handing out a permanent link. They (or an intake form/Teams/HTTP front end) drop a row into the SAS Request table with the blob path, their email, and the desired duration; the flow mints a scoped link capped to the maximum window, delivers it, and guarantees it self-expires and is marked Expired in the audit log.
Flow Architecture
Daily SAS Governance Pass
Recurrence. Each run issues links for new requests, then expires lapsed ones (swap in a Forms/Teams/HTTP trigger for on-demand issuance).
Initialize Trace, Config & Counters
Initialize variable. Mints a correlation id; binds the storage account, governed container, max hours, log table, key secret name, and admin email; seeds the issued/expired counters and the report rows.
Get Storage Signing Key (gate)
Key Vault - GetSecret. Retrieving the key gates all issuance: if the flow's identity cannot read the secret, the run fails before any link is minted. The value itself is never referenced downstream; the SAS is signed by the Blob connector's own connection, not by this secret. Enable Secure Outputs on this action so the retrieved value is not stored in run history.
Issue Links for Pending Requests
Dataverse ListRecords + Apply to each. For each Requested row: computes the capped expiry, generates a read-only, HTTPS-only SAS scoped to the single blob, stamps the row Issued (link + timestamps + correlation id), emails the requester, and increments the issued count. The blob path comes from the request row, so when the intake is user-facing, reject paths that could name another container or traverse out of the governed one before minting.
Expire Lapsed Links
Dataverse ListRecords + Apply to each. For each Issued row past its expiry: flips it to Expired, appends an HTML report row, and increments the expired count.
Send Governance Report
Compose + Outlook SendEmailV2. Builds the HTML summary (counts + expired-link table) and emails it to compliance/IT.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_BlobStorageAccount | String | flowlibsdemostorage | Storage account name. |
| flowlibs_BlobGovernedContainer | String | compliance-hold | Container whose blobs may be shared. |
| flowlibs_ComplianceEmail | String | compliance@yourcompany.com | Governance report recipient. |
| flowlibs_MaxSasHours | String | 24 | Maximum SAS validity in hours; per-request hours are capped to this. |
| flowlibs_SasLogTable | String | flowlibs_sasrequests | Dataverse entity set for the audit/intake table. |
| flowlibs_StorageKeySecretName | String | storage-account-key | Key Vault secret name holding the storage signing key. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Blob Storage | shared_azureblob | CreateShareLinkByPath_V2 |
| Azure Key Vault | shared_keyvault | GetSecret |
| Microsoft Dataverse | shared_commondataserviceforapps | ListRecords UpdateRecord |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- On-demand issuance
- Replace the Recurrence with a Forms/Teams/HTTP trigger that creates the Requested row for instant delivery.
- Tighter permissions
- The link is minted with Read permission and HTTPS-only. Set IpAddressOrRange to bind the SAS to a corporate egress range, or reference a stored access policy on the container so every link signed against that policy can be revoked at once by deleting the policy.
- Shorter ceilings
- Lower flowlibs_MaxSasHours to enforce a stricter maximum window.
- Approval gate
- Insert an Approvals step before issuance for sensitive files or containers.
- Per-container routing
- Read the container from a per-row column (validated against an allow-list of governed containers) instead of the single flowlibs_BlobGovernedContainer value to govern multiple containers from one flow.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics; the heaviest expressions are the capped-expiry arithmetic and the OData filter that finds lapsed links. They are listed below in the order they appear in the flow.
EXPR.01 Capped expiry
Requested hours capped to the maximum.
EXPR.02 Scoped blob path
Scopes the SAS to a single blob.
EXPR.03 Expired-link filter
Finds links past their validity.
EXPR.04 SAS URL output
The generated link emailed to the requester.
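The four expressions above, and the issue-then-expire pass from the Flow Architecture section, modelled as plain Python so the decisions can be exercised offline. This is an added example, not the flow's own WDL or any code from the template's authors: the Dataverse column names, the blob-name allow-list, the extra Rejected state, and the fake SAS minter are assumptions, and nothing here contacts Azure. The point it adds beyond the page is the two checks a practitioner wants around the connector call: refusing a request whose blob path could escape the governed container, and verifying that the minted link is actually read-only, HTTPS-only and inside the ceiling before it is emailed.

```python
"""Governance-pass decision logic modelled in Python (added example, not the flow's WDL).
Column names, the allow-list, the 'Rejected' state and the fake minter are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse
import re

STORAGE_ACCOUNT = "flowlibsdemostorage"  # flowlibs_BlobStorageAccount
GOVERNED_CONTAINER = "compliance-hold"   # flowlibs_BlobGovernedContainer
MAX_SAS_HOURS = 24                       # flowlibs_MaxSasHours
DEMO_NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo
_SAFE_BLOB = re.compile(r"^[A-Za-z0-9._\-/ ]+$")             # assumed blob-name allow-list

@dataclass
class SasRequest:
    """One row of the SAS request table (assumed columns)."""
    request_id: str
    blob: str                  # path relative to the governed container
    requester: str
    requested_hours: str       # text, as an intake form stores it
    status: str = "Requested"  # Requested -> Issued -> Expired; Rejected is assumed
    expires_at: Optional[datetime] = None
    link: Optional[str] = None
    note: str = ""

def capped_expiry(requested_hours, now, max_hours=MAX_SAS_HOURS):
    """EXPR.01: now + min(requested, max); junk, zero or negative hours are an error."""
    hours = int(requested_hours)  # ValueError on non-numeric input
    if hours < 1:
        raise ValueError("requested hours must be >= 1")
    return now + timedelta(hours=min(hours, max_hours))

def scoped_blob_path(blob, container=GOVERNED_CONTAINER):
    """EXPR.02: '/<container>/<blob>', refusing names that could escape the container."""
    name = blob.strip().lstrip("/")
    if not name or not _SAFE_BLOB.match(name):
        raise ValueError(f"disallowed blob name: {blob!r}")
    if any(part in ("", ".", "..") for part in name.split("/")):  # traversal or empty segment
        raise ValueError(f"blob name must not traverse: {blob!r}")
    return f"/{container}/{name}"

def is_lapsed(row, now):
    """EXPR.03: an Issued row whose expiry is at or before now."""
    return row.status == "Issued" and row.expires_at is not None and row.expires_at <= now

def fake_mint_sas(path, expiry):
    """Stand-in for CreateShareLinkByPath_V2 (constructed; nothing is really signed)."""
    se = expiry.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"https://{STORAGE_ACCOUNT}.blob.core.windows.net{path}?sp=r&spr=https&se={se}&sig=REDACTED"

def link_is_governed(url, now, max_hours=MAX_SAS_HOURS):
    """EXPR.04 post-check before emailing: https, read-only (sp=r), HTTPS-only (spr=https),
    expiry inside the ceiling. A SAS bound to a stored access policy (si=) may omit sp=."""
    u = urlparse(url)
    q = parse_qs(u.query)
    if u.scheme != "https" or q.get("sp") != ["r"] or q.get("spr") != ["https"]:
        return False
    try:
        se = datetime.strptime(q["se"][0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    return now < se <= now + timedelta(hours=max_hours)

def governance_pass(rows, now, mint_sas=fake_mint_sas):
    """Issue every Requested row, then expire every lapsed Issued row; returns counts + report."""
    issued = expired = 0
    report = []
    for row in rows:
        if row.status != "Requested":
            continue
        try:
            expiry = capped_expiry(row.requested_hours, now)
            link = mint_sas(scoped_blob_path(row.blob), expiry)
        except ValueError as err:
            row.status, row.note = "Rejected", str(err)  # audit the refusal, mint nothing
            continue
        if not link_is_governed(link, now):
            row.status, row.note = "Rejected", "minted link failed governance check"
            continue
        row.link, row.expires_at, row.status = link, expiry, "Issued"
        issued += 1
    for row in rows:
        if is_lapsed(row, now):
            row.status = "Expired"
            expired += 1
            report.append((row.request_id, row.blob, row.requester, row.expires_at.isoformat()))
    return issued, expired, report

def run_demo(now=DEMO_NOW):
    """Constructed rows: normal, traversal attempt, over-cap request, lapsed, still live."""
    rows = [
        SasRequest("r1", "reports/q1.pdf", "alice@example.com", "4"),
        SasRequest("r2", "../other-container/secret.txt", "mallory@example.com", "2"),
        SasRequest("r3", "exports/big.csv", "bob@example.com", "999"),
        SasRequest("r4", "old/report.pdf", "carol@example.com", "8", "Issued",
                   now - timedelta(hours=1), "https://example.invalid/old"),
        SasRequest("r5", "live/doc.pdf", "dave@example.com", "8", "Issued",
                   now + timedelta(hours=3), "https://example.invalid/live"),
    ]
    issued, expired, report = governance_pass(rows, now)
    return rows, issued, expired, report
```

Calling run_demo() issues r1 (4 h) and r3 (capped from 999 h to 24 h), rejects r2 because its path climbs out of compliance-hold, expires r4, and leaves r5 alone. In the real flow the equivalent of scoped_blob_path belongs before CreateShareLinkByPath_V2 in the Apply to each, and the equivalent of link_is_governed is a cheap Condition on the action's output before SendEmailV2; neither replaces the connector, they only refuse to forward a link the policy would not have allowed.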