Key Vault Drift and Compliance Reporting
On a schedule, the flow inventories all Key Vaults in a subscription via ARM - soft-delete/purge-protection, network rules, RBAC mode, retention - compares to a security baseline, writes a posture snapshot per vault to Dataverse, and posts a compliance scorecard with remediation to Teams. Gives ongoing Key Vault posture assurance.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow gives ongoing Azure Key Vault security-posture assurance. On a weekly schedule it inventories every Key Vault in the target subscription via Azure Resource Manager, reads each vault's management-plane configuration (soft-delete, purge protection, RBAC vs access-policy mode, public network access, network default action, soft-delete retention), compares each vault to a configurable JSON security baseline, writes a posture snapshot row per vault to a Dataverse table, and posts an HTML compliance scorecard to a Teams channel. The Dataverse table is the source a Power BI scorecard reads downstream.
Why it matters: misconfigured vaults silently undermine secret security. Continuous, automated posture reporting keeps configuration drift visible and gives security/leadership a recurring compliance scorecard with concrete remediation actions.
Ships turned off (demo). Management-plane settings are read through the Azure Resource Manager connector; the Key Vault connector works only against the data plane (secrets and keys) and cannot read vault configuration.
Use Case
Security and leadership want a recurring, no-touch Key Vault compliance scorecard: which vaults meet the hardening baseline, which do not, and exactly what to fix on each. The flow runs unattended weekly and lands results in both Teams (visibility) and Dataverse (trendable history for Power BI).
Flow Architecture
Weekly Posture Scan
Recurrence: weekly (Mon 06:00) posture scan.
Initialize Trace, Config & Counters
Initialize variable: mints a correlation id; binds the subscription, ARM api-version, parsed baseline, posture table, and Teams ids; seeds compliant/non-compliant tallies and the HTML rows.
List Key Vaults
ARM - Resources_List: inventories all Microsoft.KeyVault/vaults in the subscription.
For Each Vault
Apply to each (concurrency 1): reads the vault's full management-plane config via ARM Resources_GetById, composes the remediation list and findings count vs baseline, derives Compliant/Non-Compliant, writes a posture snapshot to Dataverse, and appends an HTML scorecard row.
Compose & Post Scorecard
Compose + Teams: assembles the full HTML scorecard (summary + table) and posts it to the security channel.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_KvAuditSubscriptionId | String | 00000000-0000-0000-0000-000000000000 | Azure subscription ID to inventory. |
| flowlibs_KvAuditArmApiVersion | String | 2023-07-01 | Key Vault ARM API version for Resources_GetById. |
| flowlibs_VaultBaseline | String | {"requireSoftDelete":true,"requirePurgeProtection":true,"requireRbacMode":true,"requirePublicNetworkDisabled":true,"minSoftDeleteRetentionDays":90} | JSON security baseline each vault is compared against. |
| flowlibs_PostureTable | String | flowlibs_kvpostures | Dataverse entity-set name for posture snapshots. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team the report is posted to. |
| flowlibs_TeamsChannelId | String | <your-channel-id> | Teams channel the report is posted to. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Resource Manager | shared_arm | Resources_List Resources_GetById |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Multi-subscription
- Wrap the list + loop in an outer Apply to each over a JSON array of subscription IDs, or call ARM Subscriptions_List first and loop over its result.
- Tune the baseline
- Edit flowlibs_VaultBaseline to add/remove checks (e.g. drop public-network for dev, raise retention days).
- Auto-remediation
- For fixes that are safe to apply automatically (e.g. enabling purge protection), add an ARM Resources_CreateOrUpdateById in the non-compliant branch, gated behind an Approval. Two caveats: purge protection cannot be turned off once enabled, so treat that fix as permanent, and CreateOrUpdateById is a PUT that replaces the resource, so send the full properties body read by Resources_GetById earlier in the loop with only the changed settings modified.
- Power BI refresh
- Add a Power BI Refresh a dataset action after the loop, or point a report at the Dataverse table directly.
- Posture trend
- Chart findings count / compliance over snapshot date to show drift over time.
Key Expressions
The flow is intentionally light on WDL expression gymnastics: the heaviest expressions are the resource-id parsing and the findings count derived from the remediation list. They are listed below in the order they appear in the flow.
EXPR.01 Resource group from vault id
Parses the resource group name from the vault's ARM resource id.
EXPR.02 Short resource id for GetById
Builds the resource id passed to Resources_GetById for the per-vault config read.
EXPR.03 Findings count
Counts the segments of the remediation list.
EXPR.04 Compliance status
Per-vault verdict: Compliant when the findings count is zero, otherwise Non-Compliant.
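The per-vault logic of the loop (parse the resource group, compare the vault's ARM properties to the baseline, count findings, derive the verdict) written out in Python as an added example. This is not the flow's own expression code; the baseline is the one from flowlibs_VaultBaseline above, the vault document is a constructed sample shaped like a Microsoft.KeyVault/vaults resource as returned by Resources_GetById, and the rule that either publicNetworkAccess=Disabled or networkAcls.defaultAction=Deny satisfies requirePublicNetworkDisabled is this example's interpretation of the page's "public network access, network default action" checks:

```python
"""Key Vault baseline comparison (added example; not the flow's own logic)."""
import json

# Same JSON as the flowlibs_VaultBaseline default on this page.
BASELINE = json.loads(
    '{"requireSoftDelete":true,"requirePurgeProtection":true,'
    '"requireRbacMode":true,"requirePublicNetworkDisabled":true,'
    '"minSoftDeleteRetentionDays":90}'
)

# Constructed sample of a vault resource, trimmed to the properties the flow reads.
# Note: on real vaults enablePurgeProtection is simply absent until it has been
# enabled, and publicNetworkAccess is absent on older vaults, so missing must be
# treated as the insecure default rather than as an error.
SAMPLE_VAULT = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-app/providers/Microsoft.KeyVault/vaults/kv-app-prod",
    "name": "kv-app-prod",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 7,
        "enableRbacAuthorization": False,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow"},
    },
}


def resource_group_from_id(resource_id: str) -> str:
    """EXPR.01 equivalent: the segment after 'resourceGroups' in an ARM id."""
    parts = resource_id.strip("/").split("/")
    return parts[parts.index("resourceGroups") + 1]


def remediations(vault: dict, baseline: dict) -> list:
    """Return one remediation string per baseline check the vault fails."""
    p = vault.get("properties", {})
    out = []
    if baseline.get("requireSoftDelete") and not p.get("enableSoftDelete", False):
        out.append("Enable soft-delete")
    if baseline.get("requirePurgeProtection") and not p.get("enablePurgeProtection", False):
        out.append("Enable purge protection (irreversible once set)")
    if baseline.get("requireRbacMode") and not p.get("enableRbacAuthorization", False):
        out.append("Switch to RBAC authorization (enableRbacAuthorization=true)")
    if baseline.get("requirePublicNetworkDisabled"):
        public = p.get("publicNetworkAccess", "Enabled").lower()
        default_action = p.get("networkAcls", {}).get("defaultAction", "Allow").lower()
        # Assumption of this example: a firewall default of Deny is accepted as
        # equivalent to disabling public network access.
        if public != "disabled" and default_action != "deny":
            out.append("Disable public network access or set networkAcls.defaultAction=Deny")
    min_days = baseline.get("minSoftDeleteRetentionDays")
    if min_days is not None and p.get("softDeleteRetentionInDays", 0) < min_days:
        out.append(f"Raise softDeleteRetentionInDays to at least {min_days}")
    return out


def posture_snapshot(vault: dict, baseline: dict) -> dict:
    """One row as the flow would write it to the posture table."""
    rems = remediations(vault, baseline)
    return {
        "vault": vault["name"],
        "resourceGroup": resource_group_from_id(vault["id"]),
        "findingsCount": len(rems),                                   # EXPR.03
        "status": "Compliant" if not rems else "Non-Compliant",       # EXPR.04
        "remediation": "; ".join(rems),
    }


if __name__ == "__main__":
    print(json.dumps(posture_snapshot(SAMPLE_VAULT, BASELINE), indent=2))
```

The snapshot keeps the remediation text as a single delimited string, mirroring the flow's approach of counting segments to get the findings count; if you store it as a Dataverse multi-line field, keep the delimiter out of the remediation text itself so EXPR.03 stays accurate.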