Dropbox Shared-Link Access Audit
On a schedule, the flow lists shared links and folder members across monitored Dropbox folders, flags public/open or external shares, logs findings to Dataverse, and alerts security in Teams with remediation suggestions. Surfaces risky Dropbox sharing for governance.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow surfaces risky Dropbox sharing for governance. On a daily schedule it lists every shared link in the account and the members of a monitored shared folder, flags links whose resolved visibility is public and folder members whose email is outside the internal domain, logs each finding to a Dataverse audit table, and posts a summary with remediation suggestions to a security Microsoft Teams channel.
Why it matters: public Dropbox links and external collaborators silently leak data. Automated, scheduled auditing catches over-sharing before it becomes an incident and gives security a durable, queryable record in Dataverse.
The flow ships in the Off state (demo). The Dropbox reads call the Business Sharing API over HTTP because the Dropbox connector lacks those operations.
Use Case
Security wants ongoing visibility into externally shared Dropbox content without manually trawling the admin console. This flow runs unattended each morning, writes one Dataverse row per risky finding (public link or external folder member), and alerts the security channel with counts and concrete next steps.
Flow Architecture
Daily 03:00 Audit Window
Recurrence: Defines the daily audit window (03:00 UTC).
Initialize Trace, Config & Counters
Initialize variable: Mints a correlation id and binds the monitored folders, internal domain, audit table, Dropbox token, Teams ids, and shared-folder id; seeds the risky-link and external-member counters.
List Shared Links
HTTP - /2/sharing/list_shared_links: Lists all shared links with resolved visibility.
Flag Public Links
Apply to each + Condition: For each link with visibility = public, logs a finding to Dataverse and increments the risky-link counter.
List Folder Members
HTTP - /2/sharing/list_folder_members: Lists the members of the monitored shared folder.
Flag External Members
Apply to each + Condition: For each member whose email is outside the internal domain, logs a finding and increments the external-member counter.
Compose Audit Summary
Compose: Builds the HTML alert body (counts + remediation).
Post Audit Alert to Teams
Teams - PostMessageToConversation: Posts the summary to the security channel.
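The public-link and external-member tests from the steps above, sketched in Python over constructed API responses (an added example, not the flow's own expressions or definition). The sample data, the function names, and the choice to count pending email invitees as members are assumptions; the domain test compares the whole host after the last @, so a lookalike such as notyourcompany.com is not treated as internal.

```python
# Added example: constructed Dropbox API responses, trimmed to the fields the audit reads.
INTERNAL_DOMAIN = "yourcompany.com"  # default value of flowlibs_InternalDomain

SHARED_LINKS = {  # shape of a /2/sharing/list_shared_links response (constructed)
    "links": [
        {"name": "roadmap.pdf", "url": "https://www.dropbox.com/s/EXAMPLE1/roadmap.pdf",
         "link_permissions": {"resolved_visibility": {".tag": "public"}}},
        {"name": "payroll.xlsx", "url": "https://www.dropbox.com/s/EXAMPLE2/payroll.xlsx",
         "link_permissions": {"resolved_visibility": {".tag": "team_only"}}},
        {"name": "legacy.zip", "url": "https://www.dropbox.com/s/EXAMPLE3/legacy.zip",
         "link_permissions": {}},  # visibility missing: not counted as public here
    ],
    "has_more": False,
}
FOLDER_MEMBERS = {  # shape of a /2/sharing/list_folder_members response (constructed)
    "users": [
        {"access_type": {".tag": "owner"}, "user": {"email": "Ana@YourCompany.com"}},
        {"access_type": {".tag": "editor"}, "user": {"email": "bob@partner.example"}},
        {"access_type": {".tag": "viewer"}, "user": {"email": "eve@notyourcompany.com"}},
    ],
    "invitees": [  # invited by email, not yet joined
        {"access_type": {".tag": "viewer"},
         "invitee": {".tag": "email", "email": "new@vendor.example"}},
    ],
}

def public_links(resp):
    """Return the URLs of links whose resolved visibility is 'public'."""
    out = []
    for link in resp.get("links", []):
        vis = link.get("link_permissions", {}).get("resolved_visibility", {}).get(".tag")
        if vis == "public":
            out.append(link["url"])
    return out

def is_external(email, domain=INTERNAL_DOMAIN):
    """Compare the whole host after the last '@', case-insensitively."""
    _, at, host = email.strip().lower().rpartition("@")
    return not at or host != domain.lower()

def external_members(resp):
    """Return external emails among joined users and pending email invitees."""
    emails = [u["user"]["email"] for u in resp.get("users", [])]
    emails += [i["invitee"]["email"] for i in resp.get("invitees", [])
               if i["invitee"].get(".tag") == "email"]
    return [e for e in emails if is_external(e)]

if __name__ == "__main__":
    print("public links:", public_links(SHARED_LINKS))
    print("external members:", external_members(FOLDER_MEMBERS))
```

Both endpoints paginate, so a full audit keeps requesting pages until the response carries no further cursor; this sketch classifies a single page.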
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_MonitoredFolders | String | /FlowLibs Published,/FlowLibs Drafts | Comma list of audited folder paths (shown in the alert). |
| flowlibs_InternalDomain | String | yourcompany.com | Members outside this domain are flagged external. |
| flowlibs_AuditTable | String | flowlibs_dbxaudits | Dataverse findings entity-set name. |
| flowlibs_DropboxAccessToken | String | REPLACE_WITH_DROPBOX_TEAM_TOKEN | Dropbox OAuth token (team/admin scope); bind to Key Vault. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team/group id for the alert. |
| flowlibs_TeamsChannelId | String | <your-channel-id> | Teams channel id for the alert. |
| flowlibs_MonitoredSharedFolderId | String | REPLACE_WITH_SHARED_FOLDER_ID | Dropbox shared_folder_id whose members are audited. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| HTTP | shared_http | POST /2/sharing/list_shared_links; POST /2/sharing/list_folder_members |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Auto-remediate: After each public-link finding, call POST /2/sharing/revoke_shared_link (HTTP) to revoke the link automatically.
- Owner notice: Add an Outlook SendEmailV2 to email the file owner about each finding.
- Enforce expiry: Call POST /2/sharing/modify_shared_link_settings to apply an expires timestamp on sensitive links.
- Scope: Populate the shared-folder id and extend to multiple folders by wrapping the member scan in a Foreach over the parsed monitored-folders list.
- Severity routing: Branch on visibility to send high-risk public links to a different channel or an Approvals gate.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 Public link test
Flags links whose resolved visibility is public.
EXPR.02 External member test
Flags members outside the internal domain.
EXPR.03 Finding name fallback
Names each finding.
EXPR.04 Correlation id
Stamped on every finding and the alert.