Dependency Graph scan
The Dependency Graph at /governance/dependencies walks a tenant's Power Platform and SharePoint estate and maps which Power Apps and Power Automate flows depend on which lists, libraries, and sites. Run it before any restructuring or tenant-to-tenant migration so you know what will break if a list is moved or renamed — and what you need to rebind afterwards.
Example scan from a ~200-site tenant. Your results vary by estate size and environment count.
WHAT YOU'LL SEE
Every row is one binding — an app or flow that references a SharePoint object. Confidence badges (EXACT, POSSIBLE, HEURISTIC) tell you whether the binding is a hard reference, a title match, or a free-text hit. Sort/filter by confidence before you act.
Before you start
The scan reads from two surfaces: SharePoint REST/Graph and the Power Platform BAP (Business Application Platform) tenant admin API. Both need to be set up once per tenant.
- SharePoint service-account credential with at least Site Collection Reader on every site you want inventoried, or tenant-wide SharePoint Administrator for a full scan.
- BAP management app registration. The BAP admin endpoint only answers to an app explicitly enrolled as a management app. From PowerShell as Global Admin:
    Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser
    Add-PowerAppsAccount
    New-PowerAppManagementApp -ApplicationId <clientId>
  Use the same <clientId> as the Azure AD app behind your SharePoint credential. The registration is idempotent.
- Per-environment admin role. BAP also checks that the caller is an Environment Admin or System Administrator on each Dataverse environment. If your scan returns zero apps, this is the first thing to verify.
- Licensing. Included on the Insight tier and above. Free accounts see a sampled teaser.
Running a scan
- Go to Governance → Dependency Graph (/governance/dependencies).
  Breadcrumb: Governance › Dependency Graph › New scan
- Pick the SharePoint credential.
  Credential picker: Credential: sp-contoso-reader · expires in 47 days
- (Optional) narrow the scope to a single site collection. Blank = all reachable sites.
  Scope: Site collection URL (optional)
- Click Start scan. Runs server-side; typical runtime 3–12 minutes for a mid-size tenant.
  Start scan: Enumerating environments…
- When status flips to Complete, the results table and interactive graph load at the bottom of the page.
  Status: ✓ Complete · 23 artifacts · View graph
TIP
For a first scan on an unfamiliar tenant, leave scope blank. The cost of a broader scan is a few extra minutes of runtime — the benefit is a complete map. You can always re-scan a single site later.
Reading the results
Results are grouped by SharePoint artifact. Each row represents one list, library, or site, and lists every Power App and flow that references it, along with a match strength.
| Match strength | What it means | How to act on it |
|---|---|---|
| Exact | The app or flow references the list by its stable listId GUID, or the flow's SharePoint trigger is bound to this list explicitly. Zero ambiguity. | Treat as a hard dependency. Any rename/move will break the binding and must be re-pointed post-migration. |
| Possible | The app references the site by URL and a list whose title matches (title only, no GUID). This is common in apps authored before modern SharePoint connectors. May be a real reference or a coincidental name match. | Verify manually. If the app was cloned from a template, it is often a real reference; if the list name is generic (Documents, Tasks), it may be a false positive. |
| Heuristic | The app or flow JSON contains the list title as a free-text string somewhere in a formula, label, or comment. No binding relationship. | Low signal. Use only to catch edge cases once you have cleared Exact and Possible matches. |
Clicking a row opens the detail drawer with app/flow display name, owner UPN, environment, last modified date, and a deep link into Power Apps Studio / Power Automate.
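The three match strengths in the table, sketched as an added example (not the product's scanner code): it classifies constructed app and flow definitions against one list and flags Possible matches on generic titles for manual verification. The field names (`data_sources`, `list_id`, `list_title`, `raw`) and the sample tenant data are assumptions made for illustration.

```python
import re

# Constructed sample data; the field names are hypothetical, not the product's schema.
ARTIFACT = {"site_url": "https://contoso.sharepoint.com/sites/finance",
            "list_id": "3f2b9c1e-0000-4000-8000-000000000001", "title": "Tasks"}
APPS = [
    {"name": "HR Onboarding", "data_sources": [],
     "raw": 'Label1.Text = "Open Tasks for today"'},
    {"name": "Legacy Tracker", "raw": "",
     "data_sources": [{"site_url": "https://contoso.sharepoint.com/sites/finance/",
                       "list_title": "tasks"}]},
    {"name": "Invoice Approval", "raw": "",
     "data_sources": [{"list_id": "{3F2B9C1E-0000-4000-8000-000000000001}"}]},
    {"name": "Planner Sync", "data_sources": [], "raw": "Subtasks overview"},
]
RANK = {"EXACT": 0, "POSSIBLE": 1, "HEURISTIC": 2}
GENERIC_TITLES = {"documents", "tasks"}  # generic names the table calls out

def norm_guid(g):
    return (g or "").strip("{} ").lower()

def norm_url(u):
    return (u or "").rstrip("/").lower()

def classify(artifact, app):
    """Return EXACT, POSSIBLE, HEURISTIC or None for one app/flow against one list."""
    sources = app.get("data_sources", [])
    want = norm_guid(artifact["list_id"])
    # Exact: the stable listId GUID matches (braces and case ignored).
    if want and any(norm_guid(s.get("list_id")) == want for s in sources):
        return "EXACT"
    # Possible: same site URL and same list title, with no GUID on the reference.
    for s in sources:
        if (not s.get("list_id")
                and norm_url(s.get("site_url")) == norm_url(artifact["site_url"])
                and (s.get("list_title") or "").casefold() == artifact["title"].casefold()):
            return "POSSIBLE"
    # Heuristic: the title appears as a whole word somewhere in the definition text.
    pattern = r"(?<!\w)" + re.escape(artifact["title"]) + r"(?!\w)"
    if re.search(pattern, app.get("raw", ""), re.IGNORECASE):
        return "HEURISTIC"
    return None

def triage(artifact, apps):
    """Rows of (name, strength, verify_manually), strongest match first."""
    generic = artifact["title"].casefold() in GENERIC_TITLES
    rows = [(a["name"], s, s == "POSSIBLE" and generic)
            for a in apps if (s := classify(artifact, a))]
    return sorted(rows, key=lambda r: RANK[r[1]])
```

Calling `triage(ARTIFACT, APPS)` returns the Exact row first and marks the title-only match on the generic list name "Tasks" for manual verification; "Planner Sync" is dropped because "Subtasks" is not a whole-word hit.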
RESULT
The typical first-run output for a 100-site tenant surfaces 15–40 artifacts. Anything under 5 almost always means BAP registration didn't take — head to Troubleshooting below.
v1 limitations
- Custom connectors are inventoried but not traversed — underlying lists reached via a custom connector won't appear as dependencies.
- Dataverse tables with SharePoint document-management enabled are not yet in the graph.
- Environment-level DLP policies are not evaluated — the scan shows what could reference a list, not what runtime policy allows.
Troubleshooting
Scan completes but shows 0 apps or 0 flows
- BAP management app not registered for this clientId. Re-run New-PowerAppManagementApp -ApplicationId <clientId>. A bad registration silently returns an empty environment list — no error is raised.
- API version mismatch. We call api-version=2020-10-01. If sunset in your tenant's region, the scan logs bap.environments.empty. Open a support ticket with the scan ID.
Also verify the service account has Environment Admin on at least one Dataverse environment — tenant-level Power Platform Admin alone is not enough.
"SharePoint credential unauthorized"
Password rotated or app-only certificate expired. Re-test from Credentials → Test, then re-run.
What's next
- SharePoint Modernization scan — pair with the graph to size the post-migration rebinding effort.
- Migration Rehearsal dry-run — validate the migration plan against the dependency set before you cut over.
- SharePoint Site Migration — cross-tenant site collection moves with metadata preservation.
- M365 Assessment Suite overview — tier comparison, licensing, and the rest of the governance modules.