Conditional Access Policy Change Notifier

Overview

The Conditional Access Policy Change Notifier is a daily-scheduled cloud flow that watches every Microsoft Entra ID (Azure AD) Conditional Access policy in the tenant and alerts the security team in Microsoft Teams and over email whenever a policy is created or modified. A SharePoint list (FlowLibs - CA Policy Snapshots) acts as the historical store — each detected change writes a per-policy snapshot row capturing the full policy JSON, the previous and current state, and a human-readable change summary.

This flow is purpose-built for IT Admins and security operations teams that need an out-of-band audit trail of CA policy drift — independent of the Entra ID admin center's own audit log retention window — and want immediate, in-channel notification when a policy is altered.

Use Case

In any production tenant, Conditional Access is the primary identity perimeter. Silent or accidental modification of a CA policy (toggling state, broadening included users, weakening grant controls) can dramatically expand the blast radius of a credential compromise. This flow runs once every 24 hours against the Microsoft Graph /identity/conditionalAccess/policies endpoint, compares each policy's serialized snapshot to the most recent snapshot persisted in SharePoint, and detects three states: NEW (policy did not exist last run), MODIFIED (snapshot JSON differs), and NO_CHANGE (silent skip). For every NEW or MODIFIED policy it writes a new history row to the snapshot list, posts an HTML-formatted alert card to a Teams channel, and sends a high-importance email summarizing the change, the previous state, the current state, and the Graph-reported modifiedDateTime.

The flow ships in the Off state. Activation requires only (a) authorizing the SharePoint, Teams, and Outlook connections, (b) populating the Graph app-registration credentials inline on the HTTP action, and (c) updating environment variable values for the target Teams group / channel / recipient email.

The flow is ideal for teams that:

• Runs once every 24 hours against the /identity/conditionalAccess/policies Microsoft Graph endpoint
• Compares each policy's serialized snapshot to the most recent snapshot persisted in SharePoint
• Detects three states: NEW (policy did not exist last run), MODIFIED (snapshot JSON differs), and NO_CHANGE (silent skip)
• For every NEW or MODIFIED policy: writes a new history row, posts a Teams alert card, and sends a high-importance email

Flow Architecture

Environment Variables

Connectors & Connections

Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.

Customization Guide

Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.

Create the SharePoint snapshot list

Create FlowLibs - CA Policy Snapshots (Generic List, BaseTemplate 100) with columns Title, Policy_x0020_ID (Text), Policy_x0020_Name (Text), Policy_x0020_State (Choice: enabled / disabled / enabledForReportingButNotEnforced), Snapshot_x0020_JSON (Note), Last_x0020_Checked (DateTime), Change_x0020_Detected (Boolean), Change_x0020_Details (Note). The flow references these internal names directly, so they must match exactly.

Register a Microsoft Entra ID app

Create an app registration with Policy.Read.ConditionalAccess (or broader Policy.Read.All) Application permission, grant admin consent, and capture the tenant ID, client ID, and client secret for the HTTP action.

Populate the HTTP action credentials

Edit the Get Conditional Access Policies HTTP action and replace the inline placeholders REPLACE_WITH_TENANT_ID, REPLACE_WITH_CLIENT_ID, REPLACE_WITH_CLIENT_SECRET with real values. Best practice in production: switch the auth type to Key Vault-backed credentials before activation rather than embedding the secret in the flow definition.

Update environment variable values

Set flowlibs_TeamsGroupId, flowlibs_TeamsChannelId, and flowlibs_RecipientEmail to the target audience. Override flowlibs_GraphApiEndpoint for sovereign clouds. Confirm flowlibs_SharePointSiteURL matches the site that hosts the snapshot list.

Authorize connection references and re-bind SharePoint dropdowns

Open each connection reference (SharePoint, Teams, Outlook) and sign in with a service account that has rights to the snapshot list, the Teams channel, and the sending mailbox. After authorization, open Get Existing Snapshots and Create Snapshot Item and reselect the site/list from the dropdowns — the API-deployed bindings sometimes require this in the new designer.

Key Expressions

The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.

@if(empty(body('Filter_Previous_Snapshot')),
    'NEW',
    if(equals(first(body('Filter_Previous_Snapshot'))?['Snapshot_x0020_JSON'],
              outputs('Compose_Current_Snapshot_JSON')),
       'NO_CHANGE',
       'MODIFIED'))

@equals(item()?['Policy_x0020_ID'], items('For_Each_Current_Policy')?['id'])

@coalesce(items('For_Each_Current_Policy')?['modifiedDateTime'], 'n/a')
@coalesce(first(body('Filter_Previous_Snapshot'))?['Policy_x0020_State'], 'unknown')

@string(items('For_Each_Current_Policy'))