Key Vault Access Policy and RBAC Audit
On a schedule, the flow audits a Key Vault's access policies / RBAC assignments via ARM, compares them to an approved baseline, resolves principals through Entra ID, flags drift and over-permissioned principals, logs findings to Dataverse, and alerts security in Teams. Keeps Key Vault access least-privilege and compliant.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow keeps Azure Key Vault access least-privilege and compliant. On a weekly schedule it reads the vault's access policies straight from the Azure Resource Manager resource, compares every principal against an approved baseline, resolves each principal's identity through Microsoft Entra ID, logs every drift finding to a dedicated Dataverse table, and alerts the security team in Microsoft Teams when unapproved access is detected.
Why it matters: vault access tends to accumulate over time. Regularly diffing live access policies against a maintained baseline catches risky or forgotten grants before they can be exploited, and produces a durable, reportable audit trail.
Ships Off (Stopped). Access policies are read from ARM because the Key Vault connector has no access-policy read operation.
Use Case
Security and IT Admin teams want continuous, hands-off verification that only approved identities hold access to a Key Vault. Instead of manually inspecting the Access policies blade, this flow runs the diff weekly, writes one row per violation for review, and pings the security channel only when something is off.
Flow Architecture
Weekly Vault Access Audit
Recurrence: Weekly (Mon 05:00); adjust for your review cycle.
Initialize Trace, Config & Counters
Initialize variable: Mints a correlation id and binds the subscription, resource group, vault, ARM api-version, approved baseline, and Teams ids; seeds the drift count and HTML summary.
Get Key Vault Resource
ARM - Resources_GetById: Reads Microsoft.KeyVault/vaults/{name}; properties.accessPolicies is the access model audited.
For Each Access Policy
Apply to each (concurrency 1): For each principal not in the baseline: resolves the identity via Entra ID GetUser (groups and service principals, for which GetUser returns 404, are handled gracefully), composes a permissions summary, increments the drift count, logs a finding to Dataverse, and appends an HTML row.
Alert if Drift Detected
Condition + Teams: If any drift, posts a least-privilege drift alert with the count, vault, correlation id, and offending principals; otherwise the run ends quietly.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_KvAuditSubscriptionId | String | 00000000-0000-0000-0000-000000000000 | Azure subscription GUID containing the vault. |
| flowlibs_KvAuditResourceGroup | String | rg-keyvault | Resource group of the vault. |
| flowlibs_KvAuditVaultName | String | kv-flowlibs-demo | Name of the Key Vault to audit. |
| flowlibs_KvAuditArmApiVersion | String | 2023-07-01 | ARM API version for Microsoft.KeyVault GET. |
| flowlibs_KvAuditAccessBaseline | String | ["00000000-0000-0000-0000-000000000000"] | JSON array of approved principal object IDs; anything not listed is flagged. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team for the security alert. |
| flowlibs_TeamsChannelId | String | <your-channel-id> | Teams channel for the security alert. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Resource Manager | shared_arm | Resources_GetById |
| Azure AD | shared_azuread | GetUser |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Add RBAC role-assignment auditing: For RBAC-mode vaults (access policies may be empty), add an ARM call to roleAssignments scoped to the vault and diff those principals the same way.
- Auto-remediate: After logging, add an ARM Resources_CreateOrUpdateById step to remove unapproved access policies (gate behind an Approval).
- Multi-vault: Change the vault name to a comma list and wrap the read + diff in an outer Apply to each.
- JIT check: Flag principals whose grants exceed an approved expiry window.
- Reporting: Point Power BI at the findings table for a monthly access-review pack.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 Drift test: Flags principals not in the approved baseline.
EXPR.02 Access policies source: The audited access model.
EXPR.03 Permissions summary: Flattens granted permissions.
EXPR.04 Short resource id: For the ARM GetById call.
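As an added example (not code from the flowlibs flow itself), the drift test (EXPR.01), the access-policies source (EXPR.02) and the permissions summary (EXPR.03) carried out in Python over a constructed ARM vault response. Property names follow the Microsoft.KeyVault/vaults resource schema; the object IDs are placeholders, and treating "all"/"purge" grants as over-permissioned is an assumption made for this example.

```python
import json

# Constructed sample: the shape ARM returns for GET Microsoft.KeyVault/vaults/{name},
# trimmed to the fields the audit uses. Object IDs are made-up placeholders.
SAMPLE_VAULT = json.loads("""{
  "name": "kv-flowlibs-demo",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"keys": ["get"], "secrets": ["get", "list"], "certificates": []}},
      {"objectId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["all"]}}
    ]
  }
}""")

# Mirrors flowlibs_KvAuditAccessBaseline: a JSON array of approved principal object IDs.
BASELINE = '["11111111-1111-1111-1111-111111111111"]'

# Assumption for this example: these grants are never least-privilege.
BROAD = {"all", "purge"}

def summarize_permissions(perms):
    """Flatten {"keys": [...], "secrets": [...]} into 'keys:get; secrets:get,list' (EXPR.03)."""
    return "; ".join(f"{k}:{','.join(v)}" for k, v in sorted(perms.items()) if v)

def audit_access_policies(vault, baseline_json):
    """Return one finding per principal in properties.accessPolicies not in the baseline (EXPR.01)."""
    approved = {oid.lower() for oid in json.loads(baseline_json)}
    findings = []
    for policy in vault["properties"].get("accessPolicies", []):
        oid = policy["objectId"].lower()
        if oid in approved:
            continue
        perms = policy.get("permissions", {})
        granted = {p.lower() for v in perms.values() for p in v}
        findings.append({
            "vault": vault["name"],
            "objectId": oid,
            "permissions": summarize_permissions(perms),
            "overPermissioned": bool(granted & BROAD),
        })
    return findings

def is_rbac_mode(vault):
    """RBAC-mode vaults ignore access policies, so an empty list there is not a clean audit."""
    return bool(vault["properties"].get("enableRbacAuthorization"))

if __name__ == "__main__":
    for finding in audit_access_policies(SAMPLE_VAULT, BASELINE):
        print(json.dumps(finding))
```

A vault where is_rbac_mode is true needs the roleAssignments diff from the customization guide; the access-policy diff alone would report no drift.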