Cloud FlowCloud FlowsAdvanced

Inactive Maker Access Review

Scheduled flow cross-references Power Apps for Admins activity data with Office 365 Users sign-in logs. Makers with no activity in 90 days trigger an Approvals flow to their manager to confirm or revoke access.

Microsoft DataverseOffice 365 UsersApprovals

Unique name

flowLibsInactiveMakerAccessReview

Publisher

FlowLibs (flowlibs)

Version

1.0.0.1

Components

2 env vars + 1 cloud flow

Request access

Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.

What it does

Overview

A scheduled governance flow that identifies Dataverse makers who haven't been active in a configurable number of days (default 90) and routes each one through a manager-attested access review. Approvers renew or revoke access; the flow updates the systemuser record on rejection and produces an HTML report for the admin.

This solves a common enterprise pain: maker licenses linger on inactive accounts, creating attack surface and inflating license spend. Running this weekly closes the review loop automatically.

Why you'd use it

Use Case

Identifies Dataverse makers who haven't been active for a configurable number of days (default 90) and runs each one through a manager-attested access review. Approved makers are renewed; rejected makers have a revocation-flagged note stamped on their systemuser record for IT follow-up. An HTML summary report is produced for the admin recipient.

The flow is ideal for teams that:

IT admins responsible for Power Platform governance and license hygiene
Security and compliance teams enforcing periodic access reviews on maker accounts
Centers of Excellence (CoE) looking to automate inactive-maker cleanup
Tenants that want manager attestation in the loop before revoking access

Step-by-step

Flow Architecture

Weekly Recurrence

Recurrence

Fires every Monday at 09:00 UTC to start the weekly access-review pass.

Initialize Runtime Variables

Initialize variable (x4, parallel)

Four parallel InitializeVariable actions load runtime state: threshold days (from env var), admin email (from env var), inactive count (0), and an HTML string buffer for the final report.

Compose Threshold Date

Compose

Computes the cutoff timestamp by subtracting varThresholdDays from utcNow(). Anything modifiedon before this date is considered inactive.

List Inactive Makers

Dataverse - List rows

Queries the systemusers table for active, non-application users (accessmode eq 0) whose modifiedon is older than the threshold. Top 50, ascending by modifiedon. modifiedon is used as a Dataverse-side proxy for activity.

For Each Inactive Maker

Apply to each

Loops the result set. For each maker: attempts a manager lookup in a Try scope, then either runs a manager approval (with approve/revoke branching) or appends a Skipped row when no manager is found.

Try_Get_Manager Scope

Scope (with broad runAfter)

Wraps Get_Maker_Manager (Office 365 Users Manager_V2) so a missing manager (common for service accounts) falls through gracefully rather than failing the run. Downstream runAfter is set to Succeeded, Failed, Skipped, TimedOut.

If Manager Found

If condition

Checks whether the Try scope returned a manager object. If yes, request manager approval; if no, append a Skipped - No Manager row to the report.

If manager found (true)4 actions run in series

Solution config

Environment Variables

Schema name	Type	Default	Description
flowlibs_InactiveMakerThresholdDays	String	90	Days of inactivity before a maker is included in the review. Parsed as int at runtime.
flowlibs_AdminNotificationEmail	String	<configure>	Set to the admin mailbox that should receive the final HTML report and appear as the approval requestor.

Auth dependencies

Connectors & Connections

Connector	API name	Actions used
Microsoft Dataverse	shared_commondataserviceforapps	ListRecords (Query inactive makers from systemusers) UpdateRecord (Stamp revocation note on rejected makers)
Office 365 Users	shared_office365users	Manager_V2 (Look up each maker's manager)
Approvals	shared_approvals	StartAndWaitForAnApproval (Manager attestation step)

Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.

Tweaks & variations

Customization Guide

Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.

Tighten the activity signal: modifiedon is a Dataverse-side proxy and misses sign-in-only activity. For tighter precision, swap List_Inactive_Makers for a Power Apps for Admins + Azure AD sign-in log join. Requires premium connectors and admin-tenant auth.
Adjust the access mode filter: Owner / System Admin users are excluded by the accessmode eq 0 (Read-Write) filter. Broaden this to include access mode 3 (Non-interactive) if you want to audit application users too.
Scale beyond 50 makers: Top: 50 batching keeps the flow under the 5-minute per-action limit when Approvals fan out. For larger tenants, wrap List_Inactive_Makers in a pagination loop or split into chunked child flows.
Re-tune the schedule: Default is Monday 09:00 UTC, weekly. Adjust the Recurrence trigger frequency/timezone to match your governance cadence.
Customize the report styling: The HTML report uses green/red/orange row colors for Renewed/Revoke/Skipped. Edit the Compose Final Report HTML template to match your brand or add columns (e.g. maker department, license SKU).

Helpers & literals

Key Expressions

The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.

EXPR.01Compute the inactivity threshold date

Used in Compose Threshold Date to derive the modifiedon cutoff from the env-var-driven varThresholdDays.

workflow definition language

addDays(utcNow(), -1 * int(variables('varThresholdDays')))

EXPR.02Dataverse OData filter for inactive makers

Filter on the systemusers List rows action: active read-write users that are not application users and were last modified before the threshold.

workflow definition language

accessmode eq 0 and isdisabled eq false and applicationid eq null and modifiedon lt @{outputs('Compose_Threshold_Date')}

EXPR.03Approval outcome check

Used in the Condition Approval Outcome to branch between the Renewed and Revoke paths.

workflow definition language

equals(outputs('Request_Manager_Approval')?['body/outcome'], 'Approve')

EXPR.04Increment inactive count

Used in the Increment Inactive Count Set variable action inside the loop.

workflow definition language

add(variables('varInactiveCount'), 1)

EXPR.05Final report decision

Used in Compose Final Report to emit either the full HTML table or a success message.

workflow definition language

if(greater(variables('varInactiveCount'), 0), variables('varHtmlReport'), 'No inactive makers found this run.')

Overview

Use Case

Flow Architecture

Weekly Recurrence

Initialize Runtime Variables

Compose Threshold Date

List Inactive Makers

For Each Inactive Maker

Try_Get_Manager Scope

If Manager Found

Environment Variables

Connectors & Connections

Customization Guide

Key Expressions

EXPR.01Compute the inactivity threshold date

EXPR.02Dataverse OData filter for inactive makers

EXPR.03Approval outcome check

EXPR.04Increment inactive count

EXPR.05Final report decision

Compose Final Report

Comments