{"kind":"Skill","metadata":{"namespace":"community","name":"flowstudio-power-automate-governance","version":"0.1.0"},"spec":{"description":"\u003e-","files":{"SKILL.md":"---\nname: flowstudio-power-automate-governance\ndescription: \u003e-\n  Govern Power Automate flows and Power Apps at scale using the FlowStudio MCP\n  cached store. Classify flows by business impact, detect orphaned resources,\n  audit connector usage, enforce compliance standards, manage notification rules,\n  and compute governance scores — all without Dataverse or the CoE Starter Kit.\n  Load this skill when asked to: tag or classify flows, set business impact,\n  assign ownership, detect orphans, audit connectors, check compliance, compute\n  archive scores, manage notification rules, run a governance review, generate\n  a compliance report, offboard a maker, or any task that involves writing\n  governance metadata to flows. Requires a FlowStudio for Teams or MCP Pro+\n  subscription — see https://mcp.flowstudio.app\n---\n\n# Power Automate Governance with FlowStudio MCP\n\nClassify, tag, and govern Power Automate flows at scale through the FlowStudio\nMCP **cached store** — without Dataverse, without the CoE Starter Kit, and\nwithout the Power Automate portal.\n\nThis skill uses the same `store_*` tool family as `flowstudio-power-automate-monitoring`,\nbut with a different *intent*: governance writes metadata (`update_store_flow`)\nand reads for *audit and classification* outcomes. Monitoring reads the same\ntools for *operational health* outcomes. Don't try to memorize which skill\n\"owns\" which tool — pick by what the user is doing. For health checks and\nfailure-rate dashboards, load `flowstudio-power-automate-monitoring` instead.\n\n\u003e **⚠️ Pro+ subscription required.** This skill calls `store_*` tools that\n\u003e only work for FlowStudio for Teams or MCP Pro+ subscribers.\n\u003e\n\u003e **If the user does not have Pro+ access:** the first `store_*` tool call\n\u003e will return a 403/404 error. When that happens:\n\u003e 1. STOP calling store tools\n\u003e 2. Tell the user governance features require a Pro+ subscription\n\u003e 3. Link them to https://mcp.flowstudio.app/pricing\n\u003e\n\u003e **Discovery:** load tool schemas via the meta-tools rather than `tools/list` —\n\u003e call `tool_search` with `query: \"skill:governance\"` for the canonical bundle,\n\u003e or `query: \"select:update_store_flow\"` for a single tool. This skill covers\n\u003e workflow patterns and field semantics — things `tool_search` cannot tell you.\n\u003e If this document disagrees with a real API response, the API wins.\n\n---\n\n## Critical: How to Extract Flow IDs\n\n`list_store_flows` returns `id` in format `\u003cenvironmentId\u003e.\u003cflowId\u003e`. **You must split\non the first `.`** to get `environmentName` and `flowName` for all other tools:\n\n```\nid = \"Default-\u003cenvGuid\u003e.\u003cflowGuid\u003e\"\nenvironmentName = \"Default-\u003cenvGuid\u003e\"    (everything before first \".\")\nflowName = \"\u003cflowGuid\u003e\"                  (everything after first \".\")\n```\n\nAlso: skip entries that have no `displayName` or have `state=Deleted` —\nthese are sparse records or flows that no longer exist in Power Automate.\nIf a deleted flow has `monitor=true`, suggest disabling monitoring\n(`update_store_flow` with `monitor=false`) to free up a monitoring slot\n(standard plan includes 20).\n\n---\n\n## The Write Tool: `update_store_flow`\n\n`update_store_flow` writes governance metadata to the **Flow Studio cache\nonly** — it does NOT modify the flow in Power Automate. These fields are\nnot visible via `get_live_flow` or the PA portal. They exist only in the\nFlow Studio store and are used by Flow Studio's scanning pipeline and\nnotification rules.\n\nThis means:\n- `ownerTeam` / `supportEmail` — sets who Flow Studio considers the\n  governance contact. Does NOT change the actual PA flow owner.\n- `rule_notify_email` — sets who receives Flow Studio failure/missing-run\n  notifications. Does NOT change Microsoft's built-in flow failure alerts.\n- `monitor` / `critical` / `businessImpact` — Flow Studio classification\n  only. Power Automate has no equivalent fields.\n\nMerge semantics — only fields you provide are updated. Returns the full\nupdated record (same shape as `get_store_flow`).\n\nRequired parameters: `environmentName`, `flowName`. All other fields optional.\n\n### Settable Fields\n\n| Field | Type | Purpose |\n|---|---|---|\n| `monitor` | bool | Enable run-level scanning (standard plan: 20 flows included) |\n| `rule_notify_onfail` | bool | Send email notification on any failed run |\n| `rule_notify_onmissingdays` | number | Send notification when flow hasn't run in N days (0 = disabled) |\n| `rule_notify_email` | string | Comma-separated notification recipients |\n| `description` | string | What the flow does |\n| `tags` | string | Classification tags (also auto-extracted from description `#hashtags`) |\n| `businessImpact` | string | Low / Medium / High / Critical |\n| `businessJustification` | string | Why the flow exists, what process it automates |\n| `businessValue` | string | Business value statement |\n| `ownerTeam` | string | Accountable team |\n| `ownerBusinessUnit` | string | Business unit |\n| `supportGroup` | string | Support escalation group |\n| `supportEmail` | string | Support contact email |\n| `critical` | bool | Designate as business-critical |\n| `tier` | string | Standard or Premium |\n| `security` | string | Security classification or notes |\n\n\u003e **Caution with `security`:** The `security` field on `get_store_flow`\n\u003e contains structured JSON (e.g. `{\"triggerRequestAuthenticationType\":\"All\"}`).\n\u003e Writing a plain string like `\"reviewed\"` will overwrite this. To mark a\n\u003e flow as security-reviewed, use `tags` instead.\n\n---\n\n## Governance Workflows\n\n### 1. Compliance Detail Review\n\nIdentify flows missing required governance metadata.\n\n```\n1. Ask the user which compliance fields they require\n2. list_store_flows\n3. For each active flow: split id, call get_store_flow, check required fields\n4. Report non-compliant flows with missing fields listed\n5. For updates: ask for values, then update_store_flow(...provided fields)\n```\n\nCommon compliance fields: `description`, `businessImpact`,\n`businessJustification`, `ownerTeam`, `supportEmail`, `monitor`,\n`rule_notify_onfail`, `critical`. Ask for the user's policy before flagging.\n\n### 2. Orphaned Resource Detection\n\nFind flows owned by deleted or disabled Azure AD accounts.\n\n```\n1. list_store_makers\n2. Filter where deleted=true AND ownerFlowCount \u003e 0\n3. list_store_flows → collect all flows\n4. For each active flow: split id, get_store_flow, parse owners JSON\n5. Match owner principalId against orphaned maker id\n6. Reassign governance contact or stop/tag for decommission\n```\n\n`update_store_flow` does not transfer actual PA ownership; use the admin center\nor PowerShell for that. Some orphaned-looking flows are system-generated; tag\nthem instead of reassigning when appropriate. Store coverage is only as fresh as\nthe latest scan.\n\n### 3. Archive Score Calculation\n\nCompute an inactivity score (0-7) per flow to identify cleanup candidates.\n\n```\n1. list_store_flows\n2. For each active flow: split id, get_store_flow\n3. Add 1 point each: created≈modified, test/demo/temp/copy name, age \u003e12mo,\n   stopped/suspended, no owners, no recent runs, complexity.actions \u003c 5\n4. Score 5-7: recommend archive; 3-4: tag #archive-review; 0-2: active\n5. For confirmed archive: set_live_flow_state(..., \"Stopped\") and append #archived\n```\n\nArchive via MCP means stop the flow and tag it. Deletion requires the portal or\nadmin PowerShell.\n\n### 4. Connector Audit\n\nAudit which connectors are in use across monitored flows. Useful for DLP\nimpact analysis and premium license planning.\n\n```\n1. list_store_flows(monitor=true)\n2. For each active flow: split id, get_store_flow, parse connections JSON\n3. Group by apiName; flag Premium tier, HTTP connectors, custom connectors\n4. Report inventory to user\n```\n\nScope to monitored flows where possible; each `get_store_flow` call costs time.\n`list_store_connections` lists connection instances, not connector usage per\nflow. DLP policies are not exposed; ask the user for connector classifications.\n\n### 5. Notification Rule Management\n\nConfigure monitoring and alerting for flows at scale.\n\n```\nEnable failure alerts on all critical flows:\n1. list_store_flows(monitor=true)\n2. For each active flow: split id, get_store_flow\n3. If critical=true and rule_notify_onfail is false, update_store_flow(...,\n   rule_notify_onfail=true, rule_notify_email=\"oncall@contoso.com\")\n\nEnable missing-run detection for scheduled flows:\n1. list_store_flows(monitor=true)\n2. For active Recurrence flows: get_store_flow\n3. If rule_notify_onmissingdays is 0/missing, update_store_flow(...,\n   rule_notify_onmissingdays=2)\n```\n\nCheck monitoring limits before bulk-enabling `monitor=true`. If no flows have\n`critical=true`, report that as a governance gap before configuring alerts.\n\n### 6. Classification and Tagging\n\nBulk-classify flows by connector type, business function, or risk level.\n\n```\nAuto-tag by connector:\n1. list_store_flows\n2. For each active flow: split id, get_store_flow, parse connections JSON\n3. Map apiName values to tags (#sharepoint, #teams, #email, #custom-connector)\n4. Read existing store tags, append new tags, update_store_flow(tags=...)\n```\n\nStore tags and description hashtags are separate systems. `tags=` overwrites\nstore tags, so read/append/write. Avoid overriding computed `tier` unless asked.\n\n### 7. Maker Offboarding\n\nWhen an employee leaves, identify their flows and apps, and reassign\nFlow Studio governance contacts and notification recipients.\n\n```\n1. get_store_maker(makerKey=\"\u003cdeparting-user-aad-oid\u003e\")\n   → check ownerFlowCount, ownerAppCount, deleted status\n2. list_store_flows → collect all flows\n3. For each active flow: split id, get_store_flow, parse owners JSON\n4. Flag flows whose owner principalId matches the departing user's OID\n5. list_store_power_apps → filter ownerId\n6. For kept flows: update ownerTeam/supportEmail/rule_notify_email; consider\n   add_live_flow_to_solution before account deletion\n7. For retired flows: set_live_flow_state(..., \"Stopped\") and tag #decommissioned\n8. Report: flows reassigned, flows migrated to solutions, flows stopped,\n   apps needing manual reassignment\n```\n\nThis changes Flow Studio governance contacts, not actual PA ownership. Power\nApps ownership changes are manual/admin-center work.\n\n### 8. Security Review\n\nReview flows for potential security concerns using cached store data.\n\n```\n1. list_store_flows(monitor=true)\n2. For each active flow: split id, get_store_flow\n3. Parse security/connections/referencedResources JSON; read sharingType top-level\n4. Report findings; for reviewed flows append #security-reviewed tag\n```\n\nSecurity signals: `security.triggerRequestAuthenticationType`, `sharingType`,\n`connections`, `referencedResources`, `tier`. Never overwrite the structured\n`security` field; tag reviewed flows instead.\n\n### 9. Environment Governance\n\nAudit environments for compliance and sprawl.\n\n```\n1. list_store_environments\n   Skip entries without displayName (tenant-level metadata rows)\n2. Flag:\n   - Developer environments\n   - Non-managed environments\n   - Environments where service account lacks admin access (isAdmin=false)\n3. list_store_flows → group by environmentName\n4. list_store_connections → group by environmentName\n```\n\n### 10. Governance Dashboard\n\nGenerate a tenant-wide governance summary.\n\n```\nEfficient metrics (list calls only):\n1. total_flows = len(list_store_flows())\n2. monitored = len(list_store_flows(monitor=true))\n3. with_onfail = len(list_store_flows(rule_notify_onfail=true))\n4. makers/apps/envs/conns = list_store_makers/list_store_power_apps/list_store_environments/list_store_connections\n5. Compute monitoring %, notification %, orphan count, high-failure count\n\nDetailed metrics (require get_store_flow per flow — expensive for large tenants):\n- Compliance %: flows with businessImpact set / total active flows\n- Undocumented count: flows without description\n- Tier breakdown: group by tier field\n```\n\n---\n\n## Field Reference: `get_store_flow` Fields Used in Governance\n\nAll fields below are confirmed present on the `get_store_flow` response.\nFields marked with `*` are also available on `list_store_flows` (cheaper).\n\n| Field | Type | Governance use |\n|---|---|---|\n| `displayName` * | string | Archive score (test/demo name detection) |\n| `state` * | string | Archive score, lifecycle management |\n| `tier` | string | License audit (Standard vs Premium) |\n| `monitor` * | bool | Is this flow being actively monitored? |\n| `critical` | bool | Business-critical designation (settable via update_store_flow) |\n| `businessImpact` | string | Compliance classification |\n| `businessJustification` | string | Compliance attestation |\n| `ownerTeam` | string | Ownership accountability |\n| `supportEmail` | string | Escalation contact |\n| `rule_notify_onfail` | bool | Failure alerting configured? |\n| `rule_notify_onmissingdays` | number | SLA monitoring configured? |\n| `rule_notify_email` | string | Alert recipients |\n| `description` | string | Documentation completeness |\n| `tags` | string | Classification — `list_store_flows` shows description-extracted hashtags only; store tags written by `update_store_flow` require `get_store_flow` to read back |\n| `runPeriodTotal` * | number | Activity level |\n| `runPeriodFailRate` * | number | Health status |\n| `runLast` | ISO string | Last run timestamp |\n| `scanned` | ISO string | Data freshness |\n| `deleted` | bool | Lifecycle tracking |\n| `createdTime` * | ISO string | Archive score (age) |\n| `lastModifiedTime` * | ISO string | Archive score (staleness) |\n| `owners` | JSON string | Orphan detection, ownership audit — parse with json.loads() |\n| `connections` | JSON string | Connector audit, tier — parse with json.loads() |\n| `complexity` | JSON string | Archive score (simplicity) — parse with json.loads() |\n| `security` | JSON string | Auth type audit — parse with json.loads(), contains `triggerRequestAuthenticationType` |\n| `sharingType` | string | Oversharing detection (top-level, NOT inside security) |\n| `referencedResources` | JSON string | URL audit — parse with json.loads() |\n\n---\n\n## Related Skills\n\n- `flowstudio-power-automate-monitoring` — Health checks, failure rates, inventory (read-only)\n- `flowstudio-power-automate-mcp` — Foundation skill: connection setup, MCP helper, tool discovery\n- `flowstudio-power-automate-debug` — Deep diagnosis with action-level inputs/outputs\n- `flowstudio-power-automate-build` — Build and deploy flow definitions\n"},"import":{"commit_sha":"541b7819d8c3545c6df122491af4fa1eae415779","imported_at":"2026-05-18T20:05:35Z","license_text":"MIT License\n\nCopyright GitHub, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","owner":"github","repo":"github/awesome-copilot","source_url":"https://github.com/github/awesome-copilot/tree/541b7819d8c3545c6df122491af4fa1eae415779/plugins/flowstudio-power-automate/skills/flowstudio-power-automate-governance"}},"content_hash":[26,157,73,40,185,49,211,153,206,20,168,135,128,15,54,95,247,69,216,66,94,31,162,90,116,146,195,233,67,194,201,170],"trust_level":"unsigned","yanked":false}