Key Vault-Backed Flow Connection Health Check
Scheduled flow iterates all Power Platform connections that rely on Key Vault-stored credentials and alerts admins when a rotated secret hasn't been picked up by a successful flow run.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations.
Overview
This flow monitors Azure Key Vault secrets used as backing credentials for Power Platform connections. When a Key Vault secret is rotated (updated) but no successful flow runs are detected within a configurable time window, the flow flags the credential as potentially stale and alerts administrators via Microsoft Teams and Outlook email. This helps IT teams proactively identify connections that need re-authentication after secret rotation.
Use Case
Organizations using Azure Key Vault to store credentials for Power Platform connections need a way to detect when secrets have been rotated but the associated connections haven't been re-authenticated. Without this check, flows silently fail after credential rotation. This flow automates that detection and notification loop.
This flow is ideal for:
- IT Admins responsible for credential hygiene across Power Platform environments
- Developers maintaining flows that depend on Key Vault-stored secrets
- Teams adopting routine secret rotation policies who need post-rotation validation
Flow Architecture
Recurrence
Recurrence: Runs on a weekly schedule (frequency configurable in the trigger).
Initialize Variables (parallel)
Initialize variable: Eight variables are initialized simultaneously from solution environment variables: Key Vault URL, Teams Group ID, Teams Channel ID, alert email address, staleness threshold (hours), target environment name, a stale-secrets collector array, and an alert body string.
List Key Vault Secrets
HTTP: HTTP GET to the Azure Key Vault REST API ({vaultUrl}/secrets?api-version=7.3) using Active Directory OAuth against the https://vault.azure.net audience. Returns all secrets in the configured vault.
Apply to Each Secret
Apply to each: For each secret returned from Key Vault, fetches the secret metadata, extracts the secret name and last-updated timestamp, queries Dataverse flowsessions for recent successful runs within the staleness window, and evaluates whether the credential is stale. When stale, the secret is appended to the varStaleSecrets collector array.
Check If Any Stale Credentials Found
If condition: After the loop, evaluates whether the stale secrets collector has any entries. If it does:
- Build Stale Credential Report — Compose action generates an HTML report with environment name, vault URL, stale count, and remediation instructions.
- Post Stale Credential Alert to Teams — Posts a summary alert to the configured Teams channel via PostMessageToConversation.
- Send Stale Credential Alert Email — Sends the full HTML report via Outlook SendEmailV2 with High importance to the configured alert email.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_KeyVaultUrl | String | https://kv-flowlibs-demo.vault.azure.net | Base URL of the Azure Key Vault instance the flow inspects. |
| flowlibs_KeyVaultName | String | kv-flowlibs-demo | Display name of the Key Vault, used in alert messages. |
| flowlibs_TeamsGroupId | String | <configure> | Microsoft 365 Group ID for the Teams channel that receives alerts. |
| flowlibs_TeamsChannelId | String | <configure> | Teams channel ID within the group that receives alert messages. |
| flowlibs_ConnectionHealthAlertEmail | String | admin@contoso.com | Email recipient (typically an IT admin distribution list) for stale credential reports. |
| flowlibs_StaleCredentialThresholdHours | String | 72 | Hours after which a rotated secret with no successful runs is considered stale. |
| flowlibs_TargetEnvironmentName | String | <configure> | Power Platform environment ID used for the Dataverse flowsessions query. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| HTTP | http | HTTP (List Key Vault Secrets — GET {vaultUrl}/secrets?api-version=7.3 with AAD OAuth); HTTP (Get Secret Metadata — GET individual secret for attributes.updated) |
| Microsoft Dataverse | shared_commondataserviceforapps | ListRecords (Query flowsessions for successful runs (statuscode eq 4) within the threshold window) |
| Microsoft Teams | shared_teams | PostMessageToConversation (Post stale-credential alert summary to the admin channel) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (Send the full HTML stale-credential report with High importance) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
1. Set environment variables: Update flowlibs_KeyVaultUrl with your actual Key Vault URL. Set flowlibs_TeamsGroupId and flowlibs_TeamsChannelId to your admin Teams channel. Set flowlibs_ConnectionHealthAlertEmail to your IT admin distribution list.
2. Configure HTTP authentication: Open the two HTTP actions (List Key Vault Secrets, Get Secret Metadata) and fill in the Active Directory OAuth fields: tenant (your Azure AD tenant ID), clientId (an app registration with Key Vault read access), secret (the app's client secret), and audience (https://vault.azure.net).
3. Authorize connections: Open the flow in the designer and authorize the Dataverse, Teams, and Outlook connections with an appropriate service account.
4. Adjust the staleness threshold: The default 72-hour threshold works for weekly secret rotation. For daily rotation, lower it to 24–48 hours by editing flowlibs_StaleCredentialThresholdHours.
5. Turn on the flow: Set the flow state to On — it will run on its weekly recurrence schedule.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01: Secret name extraction
Parses the secret name from the full Key Vault secret URL.
EXPR.02: Threshold calculation
Calculates the cutoff datetime by subtracting the threshold hours from now.
EXPR.03: Dataverse filter
Filters flow sessions to only successful runs within the staleness window.
EXPR.04: Stale detection logic
Secret updated within the threshold window AND zero successful flow sessions = stale credential.
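The following is an added reference implementation, in Python rather than the flow's own WDL expressions, of the decision logic described under "Apply to Each Secret" and in EXPR.01 to EXPR.04. It is not code from the flow or from flowlibs. The Key Vault list response shape (`value`, `id`, `attributes.updated` as Unix epoch seconds, `nextLink`) is the real REST API contract; the `completedon` column in the Dataverse filter, the sample secret names and the secret-to-run-count mapping are assumptions, since the page does not state how flow sessions are related to a given secret.

```python
# Added reference implementation (not the flow's own expressions) of the
# stale-credential decision. Sample data is constructed; no network calls.
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Callable
from urllib.parse import urlparse

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
THRESHOLD_HOURS = 72  # flowlibs_StaleCredentialThresholdHours default


def secret_name_from_id(secret_id: str) -> str:
    """EXPR.01: list ids look like https://<vault>.vault.azure.net/secrets/<name>;
    a single-secret GET appends /<version>. Both forms are handled."""
    parts = [p for p in urlparse(secret_id).path.split("/") if p]
    if len(parts) < 2 or parts[0] != "secrets":
        raise ValueError(f"not a Key Vault secret id: {secret_id}")
    return parts[1]


def threshold_cutoff(now: datetime, threshold_hours: int) -> datetime:
    """EXPR.02: earliest timestamp that still counts as within the window."""
    return now - timedelta(hours=threshold_hours)


def flowsessions_filter(cutoff: datetime) -> str:
    """EXPR.03: OData $filter for the Dataverse flowsessions query.
    statuscode 4 is the Succeeded status reason (from the page); using
    'completedon' as the run timestamp column is an assumption."""
    return f"statuscode eq 4 and completedon ge {cutoff.strftime('%Y-%m-%dT%H:%M:%SZ')}"


def is_stale(secret: dict, successful_runs: int, cutoff: datetime) -> bool:
    """EXPR.04: rotated inside the window AND no successful run = stale.
    attributes.updated is Unix epoch seconds in the Key Vault response."""
    updated = datetime.fromtimestamp(secret["attributes"]["updated"], tz=timezone.utc)
    return updated >= cutoff and successful_runs == 0


def collect_all_secrets(first_url: str, fetch: Callable[[str], dict]) -> list[dict]:
    """Follow nextLink until the listing is exhausted. One GET returns a
    single page (25 items by default), so reading only the first page's
    'value' array would silently skip secrets in larger vaults."""
    items: list[dict] = []
    url = first_url
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def find_stale_secrets(secrets: list[dict], runs_by_secret: dict[str, int],
                       now: datetime, threshold_hours: int) -> list[dict]:
    """Equivalent of the Apply-to-each loop plus the varStaleSecrets collector.
    runs_by_secret (secret name -> successful run count) is supplied by the
    caller; the page does not say how sessions are matched to a secret."""
    cutoff = threshold_cutoff(now, threshold_hours)
    stale = []
    for item in secrets:
        name = secret_name_from_id(item["id"])
        runs = runs_by_secret.get(name, 0)
        if is_stale(item, runs, cutoff):
            updated = datetime.fromtimestamp(item["attributes"]["updated"], tz=timezone.utc)
            stale.append({"name": name, "updated": updated.isoformat(), "successfulRuns": runs})
    return stale


# --- constructed sample: two pages shaped like the REST API response ---------
VAULT = "https://kv-flowlibs-demo.vault.azure.net"
LIST_URL = f"{VAULT}/secrets?api-version=7.3"
NEXT_URL = f"{LIST_URL}&$skiptoken=constructed-token"


def _epoch(hours_ago: int) -> int:
    return int((NOW - timedelta(hours=hours_ago)).timestamp())


SAMPLE_PAGES = {
    LIST_URL: {"value": [
        {"id": f"{VAULT}/secrets/sql-conn-password", "attributes": {"enabled": True, "updated": _epoch(10)}},
        {"id": f"{VAULT}/secrets/graph-client-secret", "attributes": {"enabled": True, "updated": _epoch(10)}},
    ], "nextLink": NEXT_URL},
    NEXT_URL: {"value": [
        {"id": f"{VAULT}/secrets/legacy-api-key", "attributes": {"enabled": True, "updated": _epoch(200)}},
    ], "nextLink": None},
}
# Constructed counts: graph-client-secret has been used since rotation,
# sql-conn-password has not, legacy-api-key was rotated outside the window.
SAMPLE_RUNS = {"graph-client-secret": 3}


def run_demo() -> list[dict]:
    secrets = collect_all_secrets(LIST_URL, SAMPLE_PAGES.__getitem__)
    return find_stale_secrets(secrets, SAMPLE_RUNS, NOW, THRESHOLD_HOURS)


if __name__ == "__main__":
    print(flowsessions_filter(threshold_cutoff(NOW, THRESHOLD_HOURS)))
    for s in run_demo():
        print(f"STALE {s['name']}: rotated {s['updated']}, successful runs {s['successfulRuns']}")
```

Two design choices worth noting. The example reads `attributes.updated` straight from the list response instead of issuing a per-secret GET: the list endpoint already returns each secret's attributes without its value, whereas a single-secret GET returns the secret value itself, which would then land in the flow's run history unless secure inputs/outputs are enabled on that action. And it follows `nextLink`, because the list endpoint pages its results; a flow that only reads the first page will never flag secrets beyond the first 25.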