Cloud FlowCloud FlowsAdvanced

Key Vault Access Audit Report

Weekly flow queries Azure Key Vault diagnostic logs via HTTP to pull all secret access events, cross-references accessing identities against an approved-users list in Dataverse, flags unauthorized or anomalous access patterns, exports findings to Excel, and emails a formatted audit report to the security team.

HTTP with Microsoft Entra ID (pre-authorized)Office 365 OutlookExcel Online (Business)

Unique name

flowLibsKeyVaultAccessAudit

Publisher

FlowLibs (flowlibs)

Version

1.0.0.1

Components

8 env vars + 1 cloud flow

Request access

Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.

What it does

Overview

This cloud flow runs weekly to audit access to an Azure Key Vault. It queries Azure Log Analytics for all secret/key access events over the last 7 days, cross-references the accessing identities against an approved-users list, flags any unauthorized or anomalous access, exports the findings to an Excel workbook on SharePoint, and emails a summary audit report to the security team.

The pattern is useful anywhere you need to turn raw Azure diagnostic logs into a scheduled, human-readable compliance report without having to stand up a Sentinel workbook or a dedicated SIEM pipeline.

Why you'd use it

Use Case

IT admins are typically required to prove — on a recurring cadence — that only approved service principals and users have accessed secrets in a Key Vault. Manually pulling this out of Log Analytics each week is tedious, and most teams want an audit artifact (Excel + email) that can be saved alongside change records or shared with auditors.

This flow automates that end-to-end.

The flow is ideal for teams that:

Pulls the last 7 days of AzureDiagnostics rows for the target vault
Checks each accessing identity against an allow-list stored in an environment variable
Writes a row to Excel for every unauthorized or unrecognized access event
Sends a formatted audit email summarizing the flagged count

Step-by-step

Flow Architecture

Recurrence Weekly Monday 6AM

Recurrence

Trigger fires on Mondays at 06:00 Eastern Time.

Initialize Variables (9)

Initialize variable

Pulls all configuration from environment variables into flow-local variables so the rest of the flow references one naming convention.

Query Key Vault Access Logs

HTTP

HTTP POST to the Azure Log Analytics API using ActiveDirectoryOAuth, running a KQL query against AzureDiagnostics where ResourceType == "VAULTS" for the last 7 days.

Parse Log Analytics Response

Parse JSON

Parses the KQL response JSON so downstream steps can index into the tables/rows shape.

Apply to Each Access Event

Apply to each

Iterates over body('Parse_Log_Analytics_Response')?['tables']?[0]?['rows']. Inside the loop, a condition checks whether the accessing identity is on the approved-users list.

If unauthorized identity (true)2 actions run in series

Add Flagged Event To Excel — AddRowV2 against the Excel audit log table on the configured SharePoint workbook.
Increment Flagged Count — Increments varFlaggedCount so the email body can report the total flagged events.

If approved identity (false)

Empty branch — no action.

Send Audit Report Email

Send an email (V2)

Outlook SendEmailV2 to the security team recipient summarizing the flagged event count.

Solution config

Environment Variables

Schema name	Type	Default	Description
flowlibs_KeyVaultName	String	<configure>	Name of the target Azure Key Vault.
flowlibs_LogAnalyticsWorkspaceId	String	<configure>	GUID of the Log Analytics workspace receiving Key Vault diagnostics.
flowlibs_ApprovedKeyVaultUsers	String	<configure>	Comma-separated list of UPNs / object IDs allowed to access the vault.
flowlibs_SecurityTeamEmail	String	alerts@yourcompany.com	Recipient address for the audit report email.
flowlibs_AuditSharePointSiteUrl	String	https://your-tenant.sharepoint.com/sites/<configure>	SharePoint site hosting the Excel audit workbook.
flowlibs_AuditDriveId	String	<configure>	Drive ID for the SharePoint document library hosting the workbook.
flowlibs_AuditExcelFileId	String	<configure>	Drive item ID of the audit workbook.
flowlibs_AuditExcelTableName	String	AuditLog	Name of the table inside the workbook to append flagged events to.

Auth dependencies

Connectors & Connections

Connector	API name	Actions used
HTTP with Microsoft Entra ID (pre-authorized)	http	HTTP (Calls the Log Analytics query API with ActiveDirectoryOAuth)
Office 365 Outlook	shared_office365	SendEmailV2 (Sends the audit report email)
Excel Online (Business)	shared_excelonlinebusiness	AddRowV2 (Appends a row to the audit workbook per flagged event)

Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.

Tweaks & variations

Customization Guide

Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.

Install the solution: Import the solution zip into the target Power Platform environment.
Create connections: When prompted, create Outlook and Excel Online connections and map them to the two connection references in the solution.
Populate all 8 environment variables: Provide tenant-specific values for vault name, Log Analytics workspace GUID, approved-users list, security team email, SharePoint site, drive ID, file ID, and Excel table name.
Replace the HTTP action's OAuth credentials: Swap the inline tenant/client ID/client secret for a service principal that has Log Analytics Reader on the workspace and Key Vault Reader on the vault. In production, move the secret into an Azure Key Vault reference or a secure environment variable.
Create the Excel workbook: At the configured SharePoint location, create the workbook with a table matching the AddRowV2 columns: Timestamp, Identity, Operation, ResourceId, CallerIpAddress, ResultType.
Adjust the KQL query: Edit the KQL inside Query_Key_Vault_Access_Logs if you want a different time window, resource scope, or anomaly heuristic (after-hours, new IPs, etc.).
Turn the flow on: The flow ships in the Off state. Enable it only after the previous steps are complete so it does not fire against unconfigured env vars.

Helpers & literals

Key Expressions

The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.

EXPR.01Loop source

Indexes into the KQL response shape where the first table's rows array holds one entry per access event.

workflow definition language

body('Parse_Log_Analytics_Response')?['tables']?[0]?['rows']

EXPR.02Identity extraction

The second column of each row, per the project clause in the KQL query.

workflow definition language

item()?[1]

EXPR.03Unauthorized check

Simple substring check against the approved-users CSV; swap for split() + contains(array, value) if you prefer exact-match semantics.

workflow definition language

not(contains(variables('varApprovedUsers'), item()?[1]))

EXPR.04Flagged-count reference in email

After IncrementVariable runs inside the loop, the running total is referenced in the audit report email body.

workflow definition language

variables('varFlaggedCount')

Overview

Use Case

Flow Architecture

Recurrence Weekly Monday 6AM

Initialize Variables (9)

Query Key Vault Access Logs

Parse Log Analytics Response

Apply to Each Access Event

Send Audit Report Email

Environment Variables

Connectors & Connections

Customization Guide

Key Expressions

EXPR.01Loop source

EXPR.02Identity extraction

EXPR.03Unauthorized check

EXPR.04Flagged-count reference in email

Comments