Event Grid Resource Change to Governance Log
Subscribed to Azure subscription/resource Event Grid events (resource created, deleted, action), the flow records each change to a Dataverse governance log, flags risky operations (public IP, role assignment, NSG change), and alerts security in Teams. Builds a real-time change-audit trail for Azure resources.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow builds a real-time change-audit trail for Azure using an Event Grid subscription. It subscribes to subscription-level resource events (write / delete / action), writes every change to a Dataverse governance log with a risk classification, and alerts the security team in Microsoft Teams when a risky operation is detected.
Why it matters: the Azure Activity Log is hard to act on live. Event Grid lets the organization react to risky changes the moment they happen, while keeping a permanent, queryable audit record in Dataverse.
Ships Off (demo).
Use Case
Security and IT governance teams want immediate logging and alerting on sensitive Azure resource changes - for example a new public IP, a role assignment, an NSG rule change, or a storage account modification - without polling the Activity Log. Each change is recorded for audit, and the risky ones page the security channel in real time.
Flow Architecture
When a Resource Event Occurs
Azure Event Grid - CreateSubscription (webhook). Fires on subscription-scoped resource write/delete/action events; splitOn runs each batched event independently.
Initialize Trace & Risk Config
Initialize variable. Captures operationName, mints a correlation id, loads the governance table name, and splits the risky-operation patterns into an array.
Classify Risk
Filter array + Condition. Keeps any risky pattern found in the operationName; if any matched, sets the risk flag to Yes with the matched reason.
Log Change
Microsoft Dataverse - CreateRecord. Writes the event and risk classification (operation, subject, resource URI, provider, caller, status, risk flag/reason, correlation id, raw event) to the governance log.
Alert If Risky
Condition + Microsoft Teams - PostMessageToConversation. When the risk flag is Yes, posts a formatted security alert to the Teams channel.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_AzureSubscriptionId | String | <your-subscription-id> | Azure subscription the trigger subscribes to. |
| flowlibs_GovernanceTable | String | flowlibs_azchanges | Entity-set name of the governance log table. |
| flowlibs_RiskyOperations | String | Microsoft.Network/publicIPAddresses/write,Microsoft.Authorization/roleAssignments/write,Microsoft.Network/networkSecurityGroups,Microsoft.Storage/storageAccounts/write,Microsoft.KeyVault/vaults/write,Microsoft.Authorization/policyAssignments/write,Microsoft.Compute/virtualMachines/write | Comma-separated operation substrings flagged as risky. |
| flowlibs_SecurityChannelId | String | <your-channel-id> | Teams channel id for security alerts. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team/group id for alerts. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Event Grid | shared_azureeventgrid | CreateSubscription (trigger) |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Tune the risk list: edit the risky operations list to add/remove patterns; substring matching means partial provider paths catch all sub-operations.
- Scope: point the trigger at a resource group or single resource instead of the whole subscription by changing the resource type and topic.
- Auto-remediate: add an Azure Resource Manager action in the risky branch to revert disallowed changes.
- Policy tie-in: cross-reference Azure Policy assignments before alerting.
- SIEM: forward risky events to Microsoft Sentinel via an additional action.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 - Risky match (Filter where): keeps risky patterns found within the event operationName.
EXPR.02 - Is risky: true when at least one risky pattern matched.
EXPR.03 - Caller (cross-shape): resolves the identity that made the change across payload shapes.
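The Classify Risk step and the three key expressions above, modelled in Python as an added example (not the flow's own WDL and not part of the original page): the risky list is the page's default for flowlibs_RiskyOperations, the claim keys used for caller resolution are an assumption about common Entra ID claim names, and the sample event is constructed. Matching is done case-insensitively here, which is a deliberate hardening choice rather than something the page states about the flow's filter.

```python
# Default of flowlibs_RiskyOperations, copied from the page's environment-variable table.
RISKY_OPERATIONS = (
    "Microsoft.Network/publicIPAddresses/write,"
    "Microsoft.Authorization/roleAssignments/write,"
    "Microsoft.Network/networkSecurityGroups,"
    "Microsoft.Storage/storageAccounts/write,"
    "Microsoft.KeyVault/vaults/write,"
    "Microsoft.Authorization/policyAssignments/write,"
    "Microsoft.Compute/virtualMachines/write"
)
# Claim keys tried in order for the caller (assumption: common Entra ID claim names).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
CALLER_CLAIMS = ("name", UPN_CLAIM, "appid")

def risky_patterns(config: str) -> list:
    """Split the comma-separated variable into trimmed, non-empty substrings."""
    return [p.strip() for p in config.split(",") if p.strip()]

def match_risky(operation_name: str, patterns: list) -> list:
    """EXPR.01 equivalent: keep each pattern that occurs inside operationName.
    Compared case-insensitively, since resource events may lower-case the name."""
    op = operation_name.lower()
    return [p for p in patterns if p.lower() in op]

def resolve_caller(event: dict) -> str:
    """EXPR.03 equivalent: first non-empty caller claim, else 'unknown'."""
    claims = (event.get("data") or {}).get("claims") or {}
    for key in CALLER_CLAIMS:
        if claims.get(key):
            return str(claims[key])
    return "unknown"

def classify(event: dict, config: str = RISKY_OPERATIONS) -> dict:
    """Fields the Log Change step writes: risk flag (EXPR.02), reason and caller."""
    data = event.get("data") or {}
    matched = match_risky(data.get("operationName", ""), risky_patterns(config))
    return {
        "caller": resolve_caller(event),
        "risk_flag": "Yes" if matched else "No",
        "risk_reason": ", ".join(matched),
    }

# Constructed sample (not a captured event): an NSG security-rule write by a user.
SAMPLE_EVENT = {
    "eventType": "Microsoft.Resources.ResourceWriteSuccess",
    "data": {
        "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "claims": {UPN_CLAIM: "admin@contoso.example"},
    },
}
```

Note that the partial pattern Microsoft.Network/networkSecurityGroups is what catches the securityRules/write sub-operation, which is the behaviour the Customization Guide relies on.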