If you are storing secrets as plain text in Power Automate flows or environment variables, you can integrate Azure KeyVault in Power Automate to retrieve those credentials directly from Azure Key Vault.
If at any point you run into issues, you can reference Microsoft’s documentation here: Use Azure Key Vault secrets (preview)
Before getting started, we need to knock out some prerequisites in Azure.
Register a resource provider
We need to register Microsoft.PowerPlatform resource provider.
- Go to your Azure Portal
- Once in the portal, go to Subscriptions
- Select the subscription your Azure Key Vault will be in.
- Now, select the Resource Providers blade under Settings
- Search for Microsoft.PowerPlatform in the filter search bar
- Select Microsoft.PowerPlatform and select Register
- This will take a few minutes. Once registered, it should have a green check mark and show as registered.
Configure Azure Key Vault
Now that we have our Power Platform Resource Provider registered, we need to configure Azure Key Vault to allow Dataverse to access the resource.
- Go to your Azure Key Vault resource. (My key vault is named Power-Platform)
- Select the Access policies blade on the left
- Select Add Access Policy
- The Add access policy window will appear. Select None Selected on the Select Principal* line highlighted in red.
- The Principal blade will appear from the right. Search for Dataverse. Select the principal that says Dataverse. The principal ID is 00000007-0000-0000-c000-000000000000
- Once selected, click on Select at the bottom.
- Next, select the Secret Permissions drop-down and check Get.
- Click Add.
- This will bring you back to the main Access policies window. Select Save at the top to commit the changes.
Configure Environment Variable in Power Automate
Now that we have Azure Key Vault configured, we can set up environment variables inside a solution to retrieve secrets.
Note: A user who creates a Secret Environment Variable needs at least read permissions on the Azure Key Vault resource, or they will receive the following error when attempting to save it.
This variable didn’t save properly. User is not authorized to read secrets from ‘Azure Key Vault path’.
More information can be found here: Create a new environment variable for the Key Vault secret
- Go to a Solution that you’re developing in.
- In your Solution, create a new Environment Variable. Go to New > More > Environment Variable
- Enter a Display Name for your environment variable
- For the Data Type, choose Secret
- For Secret Store, choose Azure Key Vault
- Next, you can either choose to do a New Azure Key Vault Reference under the Current or Default value. I will use the Default for my example.
- Fill in the following fields. You’ll need to reference Azure Key Vault.
- Azure Subscription Id: This is the subscription your Key Vault is in. You can find it on the Key Vault Overview blade.
- Resource Group Name: The resource group your Key Vault is in.
- Azure Key Vault Name: The name of your Key Vault.
- Secret Name: The display name of your secret in Key Vault.
- Select Save
- Open the environment variable and copy the Name value. We will need this later.
If you run into any errors while saving the environment variable about Microsoft.PowerPlatform resource provider, you might wait 10-15 minutes before you try to save again.
Using Secret Environment Variables in Power Automate
Now that we have Azure configured and our environment variable configured, we can use it in our flows within our solution.
For this example, I’ll demonstrate how you can retrieve the secret utilizing the environment variable.
- Create a new manually-triggered instant flow.
- Select New Step and select Microsoft Dataverse from the actions.
- Select Perform an unbound action
- Once the Perform an unbound action loads, select the action name RetrieveEnvironmentVariableSecretValue
- In the EvironmentVariableName field, paste in the Name of the Environment Variable we created earlier. Example: msauto_PowerPlatform_GraphAPI
- Select ... > Settings on the top-right corner of the Perform an unbound action, action.
- Enable Secure Outputs. This will scrub the secret so it’s not in plain text in the flow run history.
- Select Save. Now, test your flow.
If successful, you’ll get your secret from Azure Key Vault as shown below. You can use this when making various REST API calls with the HTTP connector such as Microsoft Graph.
Want to do more with Azure Key Vault and Power Automate?
If you want to get a better idea of how you can use this in your flows, check out my blog post on using Microsoft Graph with the HTTP connector in Power Automate. You can combine what you learned on this post to securely pull the secret instead of storing it in plain text inside an environment variable.