Non-Compliant Connector Usage Report
Power Automate for Admins lists all tenant flows, filters for those using connectors outside an approved allowlist stored in Dataverse, and emails a weekly report to admins.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow runs on a weekly schedule to give IT admins visibility into Power Automate flows that depend on connectors outside the organization's approved allowlist. It uses the Power Automate Management connector to enumerate every cloud flow in the tenant, inspects each flow's connection references, and compares those against an allowlist of connector API names stored in a Dataverse table. Any flow that references a non-approved connector is collected into an HTML report and emailed to the admin distribution group so the team can follow up with flow owners and either approve the connector, swap it for an approved alternative, or retire the flow.
Use Case
Tenants that take a governance-first approach to citizen development typically maintain a curated allowlist of connectors that have been reviewed for data-handling, licensing, and security posture. Without monitoring, makers can introduce flows that use connectors outside that list — leaking data to unmanaged SaaS, incurring unplanned premium-connector costs, or bypassing DLP boundaries. This flow gives the governance team a recurring, automated audit so non-compliant usage is surfaced and remediated proactively rather than discovered during an incident.
The flow is ideal for:
- IT admins and Power Platform CoE teams enforcing a connector allowlist
- Tenants with formal DLP and governance policies that need ongoing compliance evidence
- Organizations rolling out citizen development who want guardrails without blocking makers outright
Flow Architecture
Weekly recurrence
Recurrence: Runs on a weekly schedule (configurable) to audit the tenant for flows using non-approved connectors.
Get approved connector allowlist
List rows (Dataverse): Retrieves the approved-connector allowlist rows from the configured Dataverse table; each row carries the connector API name that has been cleared for use.
Build allowlist array
Select: Projects the Dataverse rows down to a simple array of approved connector API names for easy membership checks later.
List tenant flows
List Flows as Admin (Power Automate Management): Enumerates every cloud flow in the tenant so each can be inspected for the connectors it references.
Inspect each flow for non-approved connectors
Apply to each: For each flow returned: read its connection references, compare every referenced connector API name against the allowlist array, and if any references fall outside the allowlist, append the flow (owner, environment, display name, and the offending connectors) to a non-compliant collection.
If any non-compliant flows were found
If condition: Decides whether to send the report email based on whether any flows in the tenant referenced a non-approved connector this run.
- Build HTML report — Renders the non-compliant collection as an HTML table listing flow name, owner, environment, and the offending connector(s).
- Send report email — Emails the HTML report to the configured admin recipient using Outlook 365.
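The inspection and report steps above, sketched in Python as an added example; it is not the flow's definition or the publisher's code. The record shape, field names, the two placeholder connector names, the full API id path form, and the choice to stop on an empty allowlist are assumptions made for illustration.

```python
from html import escape

# Constructed sample data. The record shape is a simplification assumed for
# this example, not the Power Automate Management connector's response schema.
ALLOWLIST_ROWS = [{"api_name": "shared_office365"}, {"api_name": " Shared_Teams "},
                  {"api_name": "shared_commondataserviceforapps"}]
FLOWS = [
    {"name": "Invoice sync", "owner": "maker1@example.com", "env": "Default",
     "connectors": ["shared_office365", "shared_unreviewed_example"]},
    {"name": "Team <b>notify</b>", "owner": "maker2@example.com", "env": "Sales",
     "connectors": ["SHARED_TEAMS", "/providers/Microsoft.PowerApps/apis/shared_placeholder_saas"]},
    {"name": "Manual only", "owner": "maker3@example.com", "env": "Default", "connectors": []},
]

def normalize(api_name):
    """Reduce an API name (or an assumed full API id path) to a trimmed, lower-case short name."""
    return api_name.strip().rsplit("/", 1)[-1].lower()

def build_allowlist(rows, column="api_name"):
    """The 'Select' step: project allowlist rows to a set of approved API names."""
    names = {normalize(r[column]) for r in rows if r.get(column)}
    if not names:
        # Design choice for this example: an empty allowlist would flag every
        # flow, so treat it as a failed or misconfigured read and stop.
        raise ValueError("allowlist is empty; refusing to run the audit")
    return names

def find_non_compliant(flows, allowlist):
    """The 'Apply to each' step: collect flows with connectors outside the allowlist."""
    findings = []
    for flow in flows:
        offending = sorted({normalize(c) for c in flow["connectors"]} - allowlist)
        if offending:
            findings.append({**flow, "offending": offending})
    return findings

def build_html_report(findings):
    """The 'Build HTML report' step, escaping maker-controlled text fields."""
    head = "<tr><th>Flow</th><th>Owner</th><th>Environment</th><th>Connectors</th></tr>"
    body = "".join(
        "<tr>" + "".join(
            f"<td>{escape(cell)}</td>"
            for cell in (f["name"], f["owner"], f["env"], ", ".join(f["offending"]))
        ) + "</tr>"
        for f in findings
    )
    return f"<table>{head}{body}</table>"

if __name__ == "__main__":
    found = find_non_compliant(FLOWS, build_allowlist(ALLOWLIST_ROWS))
    print(build_html_report(found) if found else "No non-compliant flows; no email sent.")
```

Normalizing both sides before the set difference keeps a case or whitespace mismatch in an allowlist row from producing false findings, and escaping the display name keeps maker-supplied markup out of the admin's HTML email.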
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_ApprovedConnectorsTable | String | <configure> | Dataverse table (logical name) that stores the approved connector allowlist; each row should expose a column with the connector API name (for example, shared_office365). |
| flowlibs_ApprovedConnectorsApiNameColumn | String | <configure> | Logical name of the column on the approved-connectors table that holds the connector API name to compare against. |
| flowlibs_ReportRecipient | String | alerts@yourcompany.com | Email address (or distribution group) that receives the weekly non-compliant connector report. |
| flowlibs_ReportSubject | String | Weekly Non-Compliant Connector Usage Report | Subject line for the report email; edit to match your governance team's preferred naming. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Power Automate Management | shared_flowmanagement | ListFlowsAsAdmin (enumerates tenant flows) |
| Microsoft Dataverse | shared_commondataserviceforapps | ListRows (reads approved-connector allowlist) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (sends the weekly report) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Manage the approved-connector allowlist in Dataverse
  - Add or remove rows in the configured Dataverse table to change what the audit treats as compliant. Use connector API names (for example, shared_office365, shared_teams) rather than display names so the comparison is exact.
- Tune the recurrence schedule
  - Update the recurrence trigger to match your review cadence — weekly is a reasonable default for active tenants, monthly is sufficient for smaller estates.
- Route the report to your governance distribution group
  - Set flowlibs_ReportRecipient to the email address or DL that owns connector governance. For larger tenants, consider sending to a shared mailbox so remediation actions can be tracked.
- Brand the report email
  - Adjust flowlibs_ReportSubject and the HTML body composition to include your internal remediation runbook link, support contact, or compliance citation so recipients know what to do with the findings.