After Lab 5.3 — Power Automate Approval Recap
After Lab 5.3 — Power Automate Approval Recap
You built a Power Automate flow that detects Azure Policy violations, asks for human approval, and then acts on the approver's behalf. Here's what you learned and how it fits into the bigger picture.
What You Built
Flow Steps
| Step | Action | Purpose |
|---|---|---|
| Trigger | When an Azure Policy violation is detected | Know when something is wrong |
| Condition | Is the violation safe to auto-fix? | Decide if human approval is needed |
| Approve path | Send Teams approval → Auto-remediate on approval | Fix it automatically with human consent |
| Reject path | Log violation → Alert for manual review | Don't act without permission |
Key Design Decisions
- Teams over email — faster response, visible in context, no need to open a separate app
- Condition check before approval — not all violations need human judgment (e.g., missing tags can be auto-fixed; public blob access needs approval)
- Timeout handling — if the approver doesn't respond, the flow should alert the security team so nothing falls through the cracks (note: this wasn't covered in Before Lab 5.3 — in practice, Power Automate approvals have a configurable timeout after which the approval expires and the Reject path is taken)
Human Approval vs Auto-Remediation
| Factor | Power Automate Approval | Auto-Remediation (Lab 5.5) |
|---|---|---|
| Speed | Slower (waits for human) | Instant |
| Accuracy | Human validates first | Automation may have false positives |
| Risk of wrong action | Low (human says yes first) | Higher (no human validation) |
| When to use | Critical resources, uncertain fixes | Repetitive, low-risk fixes |
Key insight: Human approval is not slower — it's smarter. It prevents wrong actions on critical resources while still automating the repetitive work.
What This Teaches
You now see the full automation spectrum:
- Alert Only — humans investigate and fix (Day 4 monitoring)
- Human Approval — automation asks, humans decide (this lab)
- Auto-Remediate — automation fixes without asking (Lab 5.5)
The right approach depends on the context — and you now have the tools to build all three.
Bridge to Lab 5.4
In the next lab, you'll explore what tags can do beyond compliance — cost tracking, incident response, automation triggers, and lifecycle management. Before starting, review the Security Automation theory page which explains the Auto-Remediate vs Alert-Only decision framework and the risks of over-automation.