Inactive Salesforce User Deprovisioning Alert
Weekly flow detects Salesforce users with no login activity in 90+ days, sends a deprovisioning approval request to the IT admin. On approve, flags user for deactivation and sends confirmation email.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow automates the detection of inactive Salesforce users and routes a deprovisioning approval to the IT admin. It runs weekly, queries all active Salesforce users, filters those who have not logged in within a configurable threshold (default: 90 days), and generates a styled HTML report. If inactive users are found, an approval request is sent. On approval, a confirmation email is sent with the list of flagged users. On rejection, a notification email is sent instead.
Use Case
Organizations with Salesforce licenses need to regularly audit user activity to optimize license costs and maintain security hygiene. This flow replaces manual login-date audits by automatically identifying stale accounts and routing deprovisioning decisions through an approval workflow. IT admins receive a single weekly digest instead of running reports manually.
Flow Architecture
Weekly Recurrence
RecurrenceFires every Monday at 8:00 AM EST.
Initialize varApproverEmail
Initialize variableLoads the IT admin approver email from the flowlibs_ApprovalAssignedToEmail environment variable. Runs in parallel with the other initialize-variable actions.
Initialize varConfirmationRecipient
Initialize variableLoads the notification recipient email from the flowlibs_AdminAlertRecipientEmail environment variable. Runs in parallel.
Initialize varInactiveDaysThreshold
Initialize variableLoads the inactivity threshold (in days) from the flowlibs_SfInactiveDaysThreshold environment variable. Runs in parallel.
Get Salesforce Users
Salesforce - Get records (GetItems_table_user)Retrieves all active Salesforce users by querying the User table with $filter=IsActive = true.
Filter Inactive Users
Filter arrayFilters the user list to those whose LastLoginDate is older than utcNow() minus the configured threshold days.
Check If Inactive Users Found
If conditionBranches based on whether any inactive users were returned by the filter (length of filtered array > 0).
- Select User Table Rows — Maps each inactive user to an HTML table row containing Name, Username, LastLoginDate, and Email.
- Compose HTML Report — Builds a styled HTML email with a gradient header, the inactive-user table, and a footer.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_ApprovalAssignedToEmail | String | approver@contoso.com | IT admin who receives the deprovisioning approval request. |
| flowlibs_AdminAlertRecipientEmail | String | admin@contoso.com | Email recipient for confirmation and rejection notifications. |
| flowlibs_SfInactiveDaysThreshold | String | 90 | Number of days without login before a Salesforce user is flagged as inactive. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Salesforce | shared_salesforce | GetItems_table_user (Retrieves active Salesforce users.) |
| Approvals | shared_approvals | StartAndWaitForAnApproval (Routes the deprovisioning decision to the IT admin.) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (Sends confirmation and rejection emails.) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Change the inactivity threshold
- Update the flowlibs_SfInactiveDaysThreshold environment variable value (for example, 60 for 60 days) to adjust how long since last login before a user is flagged.
- Change the approver
- Update flowlibs_ApprovalAssignedToEmail to the desired IT admin's email address.
- Change the notification recipient
- Update flowlibs_AdminAlertRecipientEmail to the email address that should receive confirmation/rejection notifications.
- Add auto-deactivation on approval
- Insert a Salesforce UpdateRecord_V3 action after the approval confirmation to set IsActive = false on each flagged user, automating the deactivation step.
- Modify the Salesforce filter
- Edit the $filter parameter on Get Salesforce Users to exclude service accounts or specific profiles (for example, to skip integration users).
- Change the schedule
- Modify the Recurrence trigger frequency, day, or time as needed (for example, run on the 1st of every month instead of weekly).
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01Inactive date threshold calculation
Calculates the cutoff timestamp by subtracting the configured number of days from the current UTC time.
EXPR.02Filter condition
Compares each user's LastLoginDate against the calculated cutoff inside the Filter array action.
EXPR.03HTML table row mapping
Used inside the Select action to project each inactive user into an HTML table row.
EXPR.04Select unwrap pattern
Strips the JSON wrapper around the Select output so the HTML rows can be concatenated into the final email body.
EXPR.05Approval outcome check
Inner If condition that routes to the confirmation-email branch when the approver clicks Approve.
EXPR.06Approver comments extraction
Pulls the approver's comments from the approval response, defaulting to a friendly placeholder when none are supplied.
Comments
Sign in to join the conversation.
Sign inNo comments yet. Be the first to share your experience with this flow.