Power Platform CoE Toolkit Aligned
Cross-platform governance floor for Power Automate makers.
Why this pack
Microsoft's Power Platform CoE Starter Kit enforces connection-reference governance, DLP policy compliance, and maker auditing. Flowcerta's catalog does not yet have Power Automate-native detectors, so this pack applies our cross-platform credential, PII, and resilience rules to PA flow exports. The rules below run today against any uploaded flow export; the slate of PA-specific detectors will land in a follow-up release and flow into this pack automatically.
Aligned with: Microsoft Power Platform CoE Starter Kit · Power Platform DLP policies
Environment profiles
The pack ships with severity thresholds tuned per environment so the same workflow gets stricter as it promotes toward production.
Surface findings without blocking the flow check-in.
Catch-all environment. Same posture as development.
Block deploys with credential or PII findings before they reach prod.
Rules included (10)
PA flows should reference Connections, not embed credentials in actions or expressions.
API key values in Compose or Initialize Variable actions leak the moment the flow is exported.
A Scope whose Configure run after is set to Failed but that contains no Terminate or notification action swallows the failure, so ops never see it.
HTTP actions belong inside a Scope with a Configure run after failure branch; without one, the flow turns every transient failure into an incident.
CoE Toolkit expects every PII-touching flow to log who/when via the audit connector.
A flow that logs the SSN it just processed is now exporting PII into your log store.
Test PII baked into a Compose default ships to production with the flow.
A Power Automate retry policy with no maximum retry count defeats the connector's throttling and racks up consumption.
External connectors fail transiently. Retry policy belongs on every connector action.
CoE Toolkit auditing depends on flows emitting structured logs. Silent flows skip the audit trail.
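As an added illustration of how several of these rules can be checked statically (this is not Flowcerta's detector code nor anything from the CoE Starter Kit), the script below walks a flow export and reports embedded credentials, hard-coded test PII, HTTP actions with no bounded retry policy or no failure branch, and failure-branch Scopes that never terminate or notify, then applies the environment posture above. It assumes the export uses the Logic Apps workflow-definition layout (`properties.definition.actions`, per-action `type`, `inputs`, `runAfter`, and `inputs.retryPolicy` on HTTP actions); the sample flow, the credential-prefix patterns, the set of action types that count as "surfacing" a failure, and the retry ceiling are all constructed assumptions.

```python
"""Static checks over a Power Automate flow export (definition.json)."""
import json
import re

# Constructed sample in the Logic Apps workflow-definition shape that Power
# Automate exports (assumed layout, not the policy pack's own fixture).
SAMPLE_DEFINITION = json.dumps({
    "properties": {"definition": {"actions": {
        "Initialize_API_key": {
            "type": "InitializeVariable",
            "inputs": {"variables": [{"name": "apiKey", "type": "string",
                                      # constructed value, not a real key
                                      "value": "sk_live_0123456789abcdef0123456789abcdef"}]},
            "runAfter": {}},
        "Test_record": {
            "type": "Compose",
            "inputs": {"ssn": "123-45-6789", "name": "Test User"},  # constructed test PII
            "runAfter": {"Initialize_API_key": ["Succeeded"]}},
        "Call_API": {
            "type": "Http",
            "inputs": {"method": "POST", "uri": "https://api.example.invalid/v1/items",
                       "headers": {"X-API-Key": "@variables('apiKey')"}},
            "runAfter": {"Test_record": ["Succeeded"]}},
        "Handle_failure": {
            "type": "Scope",
            "actions": {"Note_it": {"type": "Compose", "inputs": "call failed", "runAfter": {}}},
            "runAfter": {"Call_API": ["Failed", "TimedOut"]}},
    }}}
})

# Assumed credential prefixes; a real scanner would carry a richer ruleset.
SECRET_RE = re.compile(r"\b(?:sk_live_|AKIA|ghp_)[A-Za-z0-9_]{12,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
FAILURE_STATUSES = {"Failed", "TimedOut"}
# Action types treated as "the failure was surfaced to someone" (assumption).
SURFACING_TYPES = {"Terminate", "OpenApiConnection", "ApiConnection"}
MAX_RETRY_COUNT = 10  # assumed ceiling for the "retry policy with no max" rule
BLOCKING_RULES = {"embedded-credential", "pii-literal"}


def _walk(actions):
    """Yield (name, action) for every action, descending into Scope/Condition/loop bodies."""
    for name, action in actions.items():
        yield name, action
        yield from _walk(action.get("actions", {}))
        yield from _walk(action.get("else", {}).get("actions", {}))


def _literals(value):
    """Yield string literals from an inputs tree; '@...' values are expressions, not literals."""
    if isinstance(value, str):
        if not value.startswith("@"):
            yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _literals(item)
    elif isinstance(value, list):
        for item in value:
            yield from _literals(item)


def check_flow(definition_json):
    """Return a list of (rule, action_name) findings for one flow definition."""
    actions = json.loads(definition_json)["properties"]["definition"]["actions"]
    flat = list(_walk(actions))

    # For each action, the run statuses that some downstream action is wired to.
    downstream = {}
    for _, action in flat:
        for prev, statuses in action.get("runAfter", {}).items():
            downstream.setdefault(prev, set()).update(statuses)

    findings = []
    for name, action in flat:
        kind = action.get("type")
        inputs = action.get("inputs", {})
        texts = list(_literals(inputs))

        # Credentials embedded in any action's literal inputs instead of a Connection.
        if any(SECRET_RE.search(t) for t in texts):
            findings.append(("embedded-credential", name))
        # Test PII hard-coded into Compose / Initialize variable defaults.
        if kind in ("Compose", "InitializeVariable") and any(SSN_RE.search(t) for t in texts):
            findings.append(("pii-literal", name))

        if kind == "Http":
            # Retry policy must be explicit and bounded (none, missing or unbounded all fail).
            policy = inputs.get("retryPolicy")
            if (policy is None or policy.get("type") == "none"
                    or policy.get("count", MAX_RETRY_COUNT + 1) > MAX_RETRY_COUNT):
                findings.append(("http-retry-policy", name))
            # Something must run after this action on a failure status.
            if not downstream.get(name, set()) & FAILURE_STATUSES:
                findings.append(("http-unhandled-failure", name))

        # A failure-branch Scope that neither terminates nor notifies is invisible to ops.
        triggers = set().union(*action.get("runAfter", {}).values())
        if kind == "Scope" and triggers & FAILURE_STATUSES:
            children = {a.get("type") for _, a in _walk(action.get("actions", {}))}
            if not children & SURFACING_TYPES:
                findings.append(("silent-failure-handler", name))
    return findings


def should_block(findings, environment):
    """Environment posture: only production blocks, and only on credential or PII findings.
    Every other environment gets the development posture (surface, do not block)."""
    if environment != "production":
        return False
    return any(rule in BLOCKING_RULES for rule, _ in findings)


if __name__ == "__main__":
    found = check_flow(SAMPLE_DEFINITION)
    for rule, action in found:
        print(f"{rule:24} {action}")
    print("block in production:", should_block(found, "production"))
```

On the sample, the checker reports the embedded key, the SSN literal, the HTTP action without a retry policy, and the silent failure Scope; `Call_API` itself is not flagged for an unhandled failure because the Scope is wired to its Failed and TimedOut statuses. Expression values such as `@variables('apiKey')` are skipped deliberately, since referencing a variable is exactly what the first rule asks for; the finding lands on the action that initialised the variable with a literal.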