SECURITY No secrets in this repo; all placeholders are generic. Use Managed Identities / Connection References where possible. Restrict Flow connections with least privilege (Graph scope: Group.ReadWrite.All only if required). Enforce MFA for all approvers and operators. CA policy continues to enforce MFA and modern auth during bypass. Logs: forward Sign-in and Audit logs to Sentinel; set alerts for anomalous geo access.