Using Microsoft Flows and UI Flows for Patch and Software Testing

Microsoft Power Automate Flows, UI Flows, & Automation Runbooks: Part One of a series.

 

A few of my peers are working on a vulnerability remediation project that will reduce the time-to-patch. During this process, we talked to several vendors. I asked each of them if clients verify that user workflows continue to function properly after pushing patches or software and security updates. The answer was an overwhelming “almost never.” The follow-up question I asked was, “Why?” The answer: because it takes too much time. This was an answer I knew, but I was looking for confirmation. I started to wonder if the user workflow verification part could be tested in an automated fashion using what was available to me in Microsoft’s Power Automate platform.

 

Power Automate is an automation platform very similar to Logic Apps. In fact, it uses Logic Apps under the hood with some slight licensing and Visual Studio integration differences. Power Automate also includes UI flows for Robotic Process Automation (RPA). Using Power Automate Flows and UI Flows I wanted to see if I could speed up the user workflow testing portion of the software patch or update cycles.

 

To execute my automation successfully, I would need to automagically create a test environment, have RPA execute a user workflow, prove successful workflow testing, and repeatably execute entire flow and UI flow with no human interaction. To properly execute this use case with Power Automate and Azure, there were a lot of technical questions I would need answered. Some of those questions are answered in this blog series and include:

 

  • What software and Azure services are needed to make this work?
  • How do I build out all the resources needed for the test environment?
  • How would I parse the body of the email to be used as variables later in the flow?
  • How would I bypass Flow checker in the Flow Designer?
  • How would I pass new WinAutomation processes to the VM?
  • How could I have each new VM preregistered as an On-Premise Data Gateway?
  • What does WinAutomation user agent not found mean?
  • How can I lock down access to Salesforce to a new VM that is ephemeral?
  • How can I write a script to a temp directory during runtime that is used at runtime?
  • How can I get commands to execute on a VM if I have already used my one custom script extension?

  • What can I use as proof that the UI flow executed successfully if the test environment is delete after the flow runs?
  • How can I upload screenshots from the VM to Azure Storage without any human interaction?
  • How can I add a blob to an email as an attachment?
  • How can I authenticate as a service principal?
  • How do I create mandatory parameters in an Automation Account Runbook?
  • How can I assign a specific IP address to the test VM each time it is spun up?
  • How can I update the WinAutomation processes on a VM without having to create new VM snapshots each time?
  • How can I copy a WinAutomation Processes.Dat file to a newly created VM?
  • How can I reference a blob as a variable when the blob doesn’t exist yet?
  • How can I slow do the UI flow so that page links can render before click attempts are made?

 

At a high-level this blog series will cover how I used Power Automate and Azure Automation Runbooks to validate a simple user workflow in a flow similar to the one shown in the Visio diagram below.

Microsoft Power Automate Flows_Part1_image 1
Creating a flow with an email trigger and extracting the body to use as variables.

 

Every automation flow starts with a trigger. When the trigger condition is met a series of actions, defined by the flow creator, are executed. For example, the trigger event I used was an email. Ideally, what I wanted to happen was that an email is sent from a user to a specific email address, and upon receipt of an email -- that meets certain conditions -- a flow is triggered. This step is fairly easy and is covered below.

 

Microsoft Power Automate Flows_Part1_image 2

 

The trigger that starts this flow is found in Office 0365 Outlook connector. The one I used is When a new email arrives (v3) show below.

 

Microsoft Power Automate Flows_Part1_image 3

 

Once a connection is made to the email account, additional conditions can be defined to narrow the scope of messages that trigger this flow. I kept it relatively simple and only specified the From and Subject fields as seen in the image below.

 

Microsoft Power Automate Flows_Part1_image 4

 

If the Service email account that is defined in the from field sends an email to the email account listed under My Connections, with the subject “Software or Security Update Workflow Test” the flow will trigger.

 

Current Flow

 

Microsoft Power Automate Flows_Part1_image 5

 

Not relevant to the flow trigger, but very relevant to future actions in the flow, is the email body. The body of this email contains three lines of text. Some of the text in the email body will serve as variables used in actions that follow. The text after Owner will be used as the tag for the Azure resource group created. Vendor will be the vendor and/or software being tested. Lastly, IP will be the source IP address allowed, by security group, to RDP to the newly created virtual machine if an issue arises.

 

Microsoft Power Automate Flows_Part1_image 6

 

I needed to extract specific contents of the email body to be used as variables later in the flow. I chose to use Plumsail Documents, a service free for 30 days, that enables pattern matching through regular expression. It was just easier than trying to figure out the correct Power Automate function. After registering for a free account, I used Plumsail to perform regex matches on the body to pull out information that I could use as variables further down the flow.

 

Microsoft Power Automate Flows_Part1_image 7

 

Plumsail has pretty good documentation on their site, but I ran into a nested loop issue when it came to performing multiple matches within a single pattern field and then passing those successfully as individual variables. To get this to work successfully, I created three parallel branches. Each branch has an action that searches for a single pattern in the dynamically defined Text field that was equal to the email body. For example, the image below shows the pattern matched used for the Owner information.

 

Microsoft Power Automate Flows_Part1_image 8

 

The image above is one of three regex patterns used. The other two patterns are configured similarly. Word replacements for Vendor and IP instead of vendor were used for the other two regex patterns. This can be seen in the image below.

 

Microsoft Power Automate Flows_Part1_image 9

 

Once the email is received, Plumsail will perform the pattern matches on the text listed in the email body as seen in the vendor match below.

 

Microsoft Power Automate Flows_Part1_image 10

 

I can use the output of each pattern matched as a variable in specific actions further in the flow. Before the flow knows that the matches are variables, I need to initalize and set each of the three variables.

 

Microsoft Power Automate Flows_Part1_image 11

 

The first action selected is to initialize the variable. Following the regex pattern match from above, I used the name Vendor, Type is defined as String and the variable value is left blank. This can be seen in the screenshot below.

 

Microsoft Power Automate Flows_Part1_image 12

 

Once the variable is labeled I needed to Set it by choosing the Set Variable operation. The name will again be vendor and the value will be a dynamic value selection. This dynamic value will be the regular expression match for vendor.

 

Microsoft Power Automate Flows_Part1_image 13

 

I also needed to create similar action steps for Owner and IP. With the steps expanded out, my flow looks like this.

 

Microsoft Power Automate Flows_Part1_image 14

 

With the Owner, Vendor, and IP variables defined, the next step in the process will be to pass these variables into an Azure Automation Action to create the resources needed for the test environment.

 

Current Flow

 

Microsoft Power Automate Flows_Part1_image 15

 

In the next blog in this series I’ll cover how to use an Azure Automation runbook to provision a test environment that will be used for robotic process automation.

 


Additional Reference Information:
Microsoft Power Automate: https://flow.microsoft.com/en-us/
UI Flows: https://flow.microsoft.com/en-us/ui-flows/
Azure Logic Apps: https://azure.microsoft.com/en-us/services/logic-apps/
Azure Logic Apps and Power Automate - Functions in Expressions: https://docs.microsoft.com/en-us/azure/logic-apps/workflow-definition-language-functions-reference
Plumsail: https://plumsail.com/documents/
https://docs.microsoft.com/en-us/connectors/plumsail/
Initialize a Variable: https://www.youtube.com/watch?v=fBS3wyWZo6Q

 


Here's a review of related posts on this series:

Dan Kiraly
Senior Research Scientist | Optiv
Dan Kiraly is senior research scientist on Optiv’s R&D team. In this role he's responsible for use case development and the vetting of security products for Optiv.