Sometimes it is hard to keep track of whom the folders and files on a SharePoint site are shared with. Especially over a longer period, as your users generate more and more content, it becomes difficult to keep an overview of who has access to what. The following Power Automate solution is meant for sites that need some extra governance, such as sites with high business impact data.
The solution below audits SharePoint permission changes on a weekly basis (but you could change this to daily or hourly if you like) and sends you (or somebody else) an email if anything has changed. It is based on the out-of-the-box "Permission report". Let's begin :-)
In the SharePoint site whose permissions you would like to audit, go to the 'Documents' library and create a 'Reports' folder. Within this 'Reports' folder create 2 new folders: 'Permission reports' and 'Last run'. The permission reports will be written to (and read from) the 'Permission reports' folder; the previous permission report will be written to (and read from) the 'Last run' folder. Your folder structure should look like this:
We will use 2 Flows. Both Power Automate packages are attached at the bottom of this blog for download. For more information on importing a Power Automate package see https://manueltgomes.com/microsoft/flow-how-to-import-a-flow-template/
The first Flow automatically generates a weekly site sharing report by calling the 'Site Sharing Report Helper' API.
When you import the package, please make sure that the yellow parts of the configuration correspond to your settings. This flow will create a permission report every week in the 'Reports/Permission reports' folder of your 'Shared Documents' library.
Now, the second flow is a little more complex. When a new report is created in location 'Reports/Permission reports' by the previous Flow, this Flow will read the newly created sharing report and fetch the report from last week (if available). It will check whether every row in last week's sharing report also appears in this week's report and vice versa. If so, there are no changes, so nothing to worry about. However, if the 2 reports do not match, there was a change in SharePoint permissions.
If a change is detected the flow will send an email containing the changed permissions.
When you import the second Flow package make sure you change the following settings:
Bonus: if you remove the "Create Last Run" action from the above flow and place your Desired State permissions csv (make sure to name it sharingreportlastweek.csv) in the 'Last Run' folder, it will not be overwritten each time a new sharing report is generated. In other words: the Flow will then compare each week's report with your desired permissions state and warn you if something has changed.
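The row-by-row comparison the second Flow performs, and the desired-state variant from the bonus, can be reproduced offline to check what a given pair of reports should trigger. The following Python sketch is an added example, not part of the Power Automate packages; the column names and sample rows are constructed and are not taken from a real sharing report.

```python
import csv
import io
from collections import Counter

# Constructed sample reports; column names are assumptions, not the real schema.
LAST_WEEK = """Resource Path,Permission,User Name
Shared Documents/Finance,Read,Alice Example
Shared Documents/Finance,Contribute,Bob Example
Shared Documents/HR/Salaries.xlsx,Read,Carol Example
"""
THIS_WEEK = """Resource Path,Permission,User Name
Shared Documents/HR/Salaries.xlsx,Read,Carol Example
Shared Documents/Finance,Full Control,Bob Example
Shared Documents/Finance,Read,Alice Example
Shared Documents/Finance,Read,Everyone except external users
"""

def load_rows(text):
    """Parse a report into its header and a multiset of trimmed rows."""
    reader = csv.reader(io.StringIO(text.lstrip("\ufeff")))  # drop a BOM if present
    header = [h.strip() for h in next(reader, [])]
    rows = Counter(tuple(c.strip() for c in row) for row in reader if any(row))
    return header, rows

def diff_reports(previous, current):
    """Return (granted, revoked): rows only in current, rows only in previous."""
    prev_header, prev_rows = load_rows(previous)
    cur_header, cur_rows = load_rows(current)
    if prev_header != cur_header:
        # Different columns would make every row look changed; fail loudly instead.
        raise ValueError("report columns changed; rows are not comparable")
    # Counter subtraction ignores row order and keeps duplicate rows distinct.
    granted = sorted((cur_rows - prev_rows).elements())
    revoked = sorted((prev_rows - cur_rows).elements())
    return granted, revoked

def summarize(previous, current):
    """Format the differences as the lines an alert email could carry."""
    granted, revoked = diff_reports(previous, current)
    return (["+ " + " | ".join(r) for r in granted]
            + ["- " + " | ".join(r) for r in revoked])

if __name__ == "__main__":
    print("\n".join(summarize(LAST_WEEK, THIS_WEEK)) or "No permission changes")
```

A changed permission level shows up as one removed row plus one added row for the same resource and user, so review both lists together. For the desired-state variant, pass the baseline csv as `previous`.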
Power Automate packages: