
Auditing used Power Automate Connections

While Power Automate is an amazing product, it is a dangerous one to leave unmanaged: a flow can move data out of the tenant with a few clicks, which makes it a common channel for data exfiltration.

In previous blogs, I have talked about my hate relationship with Power Automate, but that doesn’t change the fact that it has valid business cases. As a security admin you should be ready to manage and secure it.

Power Automate is often unmanaged, but there are two things every security admin should enforce:

  • Restrict automatic forwarding (Power Automate bypasses some of the generic auto-forwarding restrictions in EXO, so those alone are not enough)
  • Set up data loss prevention (DLP) policies that split connectors into business and non-business groups. A flow cannot pass data between connectors from different groups, so business data can only be shared with the connectors you have allowed.

Setting up the restrictions for automatic forwarding is pretty straightforward, but configuring the DLP policies can be a little tricky. Before you configure them you should know the potential impact on the environment, e.g. which connectors are currently used, because a flow that combines a business and a non-business connector stops working once the policy applies.
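The two controls above, carried out from PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement and Microsoft.PowerApps.Administration.PowerShell modules are installed and that the account has Exchange admin and Power Platform admin rights. The policy name 'Tenant baseline', the connector list and the way the policy id is read back (PolicyName or name, depending on module version) are assumptions for the demonstration, not a recommendation for every tenant.

```powershell
# Added example; not part of the original post. Assumes the ExchangeOnlineManagement and
# Microsoft.PowerApps.Administration.PowerShell modules and an account with Exchange admin
# and Power Platform admin rights. Policy name and connector list are illustrative.

Connect-ExchangeOnline
Add-PowerAppsAccount

# --- 1. Automatic forwarding in Exchange Online ------------------------------------
# Turns off automatic forwarding (Inbox rules and mailbox-level SMTP forwarding) in the
# outbound spam filter policy and the default remote domain, then reads both back.
# Check every outbound spam policy, not only Default: a custom policy scoped to a group
# of users can re-enable forwarding for them.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# --- 2. Power Platform DLP policy --------------------------------------------------
# One tenant-wide policy. Connectors moved into the business group can only exchange data
# with other business connectors; everything not moved stays in the default group
# (non-business unless you change the default). Note what this does and does not do:
# it stops Outlook data reaching e.g. Dropbox in one flow, it does not stop a flow that
# uses the Outlook connector alone to forward mail.
$displayName = 'Tenant baseline'
$policy = Get-DlpPolicy | Where-Object { $_.DisplayName -eq $displayName }
if (-not $policy) {
    $policy = New-DlpPolicy -DisplayName $displayName -EnvironmentType AllEnvironments
}
# Assumption: the policy id is exposed as PolicyName (older module versions) or name (newer)
$policyId = if ($policy.PolicyName) { $policy.PolicyName } else { $policy.name }

# Internal connector names as shown in the Power Platform admin center (assumed here)
$businessConnectors = @(
    'shared_office365',        # Office 365 Outlook
    'shared_office365users',   # Office 365 Users
    'shared_sharepointonline', # SharePoint
    'shared_teams'             # Microsoft Teams
)
foreach ($connector in $businessConnectors) {
    Add-ConnectorToBusinessDataGroup -PolicyName $policyId -ConnectorName $connector | Out-Null
}

# Read the policy back and check the grouping before you rely on it
Get-DlpPolicy -PolicyName $policyId | ConvertTo-Json -Depth 6
```

Run the read-back commands a second time after any admin center change: the portal and the cmdlets edit the same policy, and the JSON dump is the quickest way to see which group a connector actually landed in.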

Below you can find a quick-and-dirty script which retrieves all current Power Automate flows and dumps them into a CSV file. For each flow it records:

  • Creator (UPN of the account that created the flow, or "None" if that account no longer resolves)
  • Name and ID of the flow
  • Whether the flow is enabled, and when it was created
  • Environment
  • Used connectors

By using this script, you can validate what kind of connectors are in use for your organization and what kind you need to add to your data policy.

This script is also available on GitHub.

# Requires the AzureAD module (Connect-AzureAD; deprecated by Microsoft, Get-MgUser from
# Microsoft.Graph is the replacement) and Microsoft.PowerApps.Administration.PowerShell
# (Add-PowerAppsAccount, Get-AdminFlow, Get-AdminPowerAppEnvironment).
Connect-AzureAD
Add-PowerAppsAccount

$flows = Get-AdminFlow
$environments = @{}          # cache: environment name -> display name, one lookup per environment
$enrichedData = @()
foreach($flow in $flows){
    # Resolve the creator's object ID to a UPN; deleted or unknown accounts fall back to "None"
    $UPN = $null
    try{
        $AADUser = Get-AzureADUser -ObjectId $flow.CreatedBy.ObjectId
        $UPN = $AADUser.UserPrincipalName
    }
    catch{
        $UPN = "None"
    }

    #Need to retrieve additional details for the Connector Overview
    $flowDetails = Get-AdminFlow -FlowName $flow.FlowName -EnvironmentName $flow.EnvironmentName

    if(-not $environments.ContainsKey($flow.EnvironmentName)){
        $environments[$flow.EnvironmentName] = (Get-AdminPowerAppEnvironment $flow.EnvironmentName).DisplayName
    }

    # connectionReferences is an object whose properties are the flow's connection references;
    # collect each connector's display name
    $connectors = $flowDetails.Internal.properties.connectionReferences
    $connectorNames = @()
    $connectors.PSObject.Properties | ForEach-Object {
         $connectorNames += $_.Value.DisplayName
    }

    $enrichedData += [PSCustomObject]@{
        Creator = $UPN    # not $AADUser.UserPrincipalName: that value is stale when the lookup fails
        Name = $flow.DisplayName
        ID = $flow.FlowName
        State = $flow.Enabled
        CreatedTime = $flow.CreatedTime
        Environment = $environments[$flow.EnvironmentName]
        Connectors = ($connectorNames | Sort-Object -Unique) -join "; "   # "; " keeps the CSV field unambiguous
    }
}

$enrichedData | Select-Object Creator, ID, State, Name, CreatedTime, Environment, Connectors | Export-Csv -NoTypeInformation -Path "C:\temp\flows.csv"
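The impact check the post asks for, as an added example that is not part of the original post: it takes the CSV the script writes (Creator, ID, State, Name, CreatedTime, Environment, Connectors), applies a planned business/blocked grouping and reports which flows would break under DLP, which connectors are still unclassified, and which flows are orphaned. The sample rows, the business list and the blocked list are constructed for the demonstration; the function itself runs unchanged on the real export.

```powershell
# Added example; not part of the original post. Reads the export of the script above and
# shows which flows a planned DLP policy would break. Sample rows and connector lists are
# constructed; replace $flows with Import-Csv C:\temp\flows.csv for a real run.

function Get-FlowDlpImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Flows,
        [Parameter(Mandatory)] [string[]] $BusinessConnectors,
        [string[]] $BlockedConnectors = @()
    )
    foreach ($flow in $Flows) {
        # The export joins connector display names with "," (trailing comma included) or "; ";
        # accept both and drop empty entries.
        $used = @($flow.Connectors -split '[,;]' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        $blocked     = @($used | Where-Object { $BlockedConnectors -contains $_ })
        $business    = @($used | Where-Object { $BusinessConnectors -contains $_ -and $BlockedConnectors -notcontains $_ })
        $nonBusiness = @($used | Where-Object { $BusinessConnectors -notcontains $_ -and $BlockedConnectors -notcontains $_ })

        # DLP semantics: a blocked connector cannot be used at all; business and non-business
        # connectors cannot appear in the same flow. Everything else keeps working.
        $verdict = if ($used.Count -eq 0)                                        { 'NoConnectors' }
                   elseif ($blocked.Count -gt 0)                                 { 'Blocked' }
                   elseif ($business.Count -gt 0 -and $nonBusiness.Count -gt 0)  { 'Mixed' }
                   elseif ($nonBusiness.Count -gt 0)                             { 'NonBusinessOnly' }
                   else                                                          { 'BusinessOnly' }

        [PSCustomObject]@{
            Creator     = $flow.Creator
            Orphaned    = ($flow.Creator -eq 'None')   # creator no longer resolves in AAD
            Name        = $flow.Name
            Environment = $flow.Environment
            Enabled     = $flow.State
            Verdict     = $verdict
            Business    = ($business -join '; ')
            NonBusiness = ($nonBusiness -join '; ')
            Blocked     = ($blocked -join '; ')
        }
    }
}

# Constructed sample in the export's format
$sampleCsv = @'
"Creator","ID","State","Name","CreatedTime","Environment","Connectors"
"alice@contoso.example","0001","True","Save attachments to SharePoint","2021-01-04","Contoso (default)","Office 365 Outlook,SharePoint,"
"bob@contoso.example","0002","True","Copy mail to personal Dropbox","2021-02-11","Contoso (default)","Office 365 Outlook,Dropbox,"
"None","0003","False","Tweet new RSS items","2020-11-30","Contoso (default)","RSS,Twitter,"
"carol@contoso.example","0004","True","Relay Teams messages to webhook","2021-03-02","Dev","Microsoft Teams,HTTP,"
'@
$flows = $sampleCsv | ConvertFrom-Csv

# Planned grouping (assumed): Microsoft 365 connectors are business, HTTP is blocked outright,
# everything else stays non-business.
$business = @('Office 365 Outlook', 'Office 365 Users', 'SharePoint', 'Microsoft Teams')
$blocked  = @('HTTP')

$report = Get-FlowDlpImpact -Flows $flows -BusinessConnectors $business -BlockedConnectors $blocked

# Flows that stop working once the policy applies (here: 0002 Mixed, 0004 Blocked): talk to these owners first
$report | Where-Object { @('Mixed', 'Blocked') -contains $_.Verdict } |
    Format-Table Creator, Name, Environment, Verdict, NonBusiness, Blocked -AutoSize

# Unclassified connectors by number of flows: decide per connector whether it becomes business
$report | ForEach-Object { $_.NonBusiness -split '; ' } | Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Orphaned flows keep running under a creator that no longer exists; review or reassign them
$report | Where-Object { $_.Orphaned } | Format-Table Name, Environment, Enabled -AutoSize
```

Disabled flows are deliberately kept in the report: a flow that is off today can be switched on by its owner tomorrow, and the DLP policy will hit it just the same. The "Mixed" list is the one to work through before the policy goes live; the "Blocked" list is usually where the exfiltration risk actually sits.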
