Document User Role cleanup behavior and provide solution for orphaned user false positives

[Copilot]

User asked whether Power Platform User Roles are ever removed from CoE inventory, experiencing false positives in custom sharing violation monitoring due to orphaned users appearing in counts.

Analysis

CoE Starter Kit does delete User Role records via two-stage process:

1. CLEANUP - Orphaned Users flow marks deleted/disabled users as admin_userisorphaned = true
2. CLEANUP HELPER flows (PowerAppsUserSharedWith v3.13+, CloudFlowUserSharedWith v4.29.5+) delete User Role records when sharing is removed by comparing actual Power Platform state vs. CoE inventory

Time lag between stages (weeks/months) causes orphaned users to persist in queries until cleanup runs complete.

Documentation Added

• FAQ-UserRolesCleanup.md (13 KB): Comprehensive coverage of cleanup flows, two-stage process, deletion logic, scheduling recommendations, and query patterns
• ISSUE-RESPONSE-UserRolesCleanup.md (6.4 KB): Detailed response with root cause analysis and recommended actions
• GITHUB-ISSUE-COMMENT.md (3 KB): Concise comment ready for posting with solution and action items
• PR-SUMMARY.md (3.9 KB): Technical analysis findings for maintainers

Solution

Filter orphaned users in custom queries for immediate accuracy:

CountIf(
    'Power Platform User Roles',
    'App'.'App' = ThisItem.'Display Name' && 
    'Role Name' <> "Owner" &&
    Not(IsBlank('User')) &&
    'User'.'Is Orphaned User' <> true
)

Provides real-time accurate counts without waiting for cleanup flows to complete deletion cycle.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[CoE Starter Kit - QUESTION] Are Power Platform User Roles Ever removed?</issue_title>
<issue_description>### Does this question already exist in our backlog?

• I have checked and confirm this is a new question.

What is your question?

We are working on a custom solution to monitor app and flow sharing in our default environment, unfortunately due to license concerns - this environment cannot be managed, so we cannot use the built in sharing limit functionality - in the mean time we are actively checking the Apps and Flows tables for ones that violate our set limit - unfortunately this has proven to be unreliable especially in situations where the original flow creator has become orphaned - or other users have become orphaned. The list owners as admin returns everything orphaned or not so sometimes it sets of a false positive for violating our limit. I have had to resort to querying the User Roles table directly and having to double check if the count of non orphaned users is less than our violation limit. I was walking through the flows for the CoE and was looking if there is ever a cleanup of these orphaned users from the role table - obviously flow creators cant be removed - but was wondering if the other accounts get cleaned up at some set frequency?

What solution are you experiencing the issue with?

None

What solution version are you using?

October 2025

What app or flow are you having the issue with?

No response

What method are you using to get inventory and telemetry?

Cloud flows</issue_description>

<agent_instructions>Need troubleshoot of this question</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Custom agent used: CoE Custom Agent
Specialized agent for triaging and fixing issues in the CoE Starter Kit. Always consult the official CoE docs and the team’s SharePoint notes first, then mine prior GitHub issues and the CoE Common Responses playbook.

• Fixes [CoE Starter Kit - QUESTION] Are Power Platform User Roles Ever removed? #10561

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.