Using Azure Key Vault with Power Automate

Introduction

Power Automate is a massively scalable platform that can be easily integrated with external line-of-business applications, both within the Microsoft stack and outside it. Most of the time, a service provides a connector with which we can seamlessly connect to it. But for some services you will have to provide a client secret as the authentication mechanism to connect successfully. Storing such information as plain text within Power Automate is not advisable.

In this article, we will see how to use Azure Key Vault to store sensitive information which can be used within Power Automate.

Business Use Case

Let’s take the case of the Microsoft Graph API, where we have to supply the Client ID, Client Secret and Tenant ID to authenticate against the application we have registered in Azure. We will see how to store the sensitive Client Secret securely in Azure Key Vault and fetch it from Power Automate for use in the HTTP action that calls Graph.

Implementation

As the first step, let's set up a Key Vault in Azure. Searching for Key Vault in the global search bar will help us navigate to the Key Vault service.

Clicking on Create opens a pane on the right where we can specify the subscription and the resource group in which the key vault will be created, along with the vault name.

After filling in the required key vault creation values, click on Review + Create which will initially do a review of the values that will be used for creation, and on successful validation click on Create to provision the key vault.

The Key Vault is created, and we can head over to the key vault to add the secret.

Select Secrets from the left tab and click on the Generate/Import option.

Select the upload option as Manual and enter the secret name and the actual secret value, which you would have obtained while registering the app in Azure. We can also set an expiration date for the secret so that access is cut off by that date. Click on Create to add the secret to the vault.

Thus, we have the secret added to the key vault. Now we can head over to Power Automate to consume the key.

Consume Azure Key Vault from Power Automate

The flow we will be using for this example is already explained in detail in the previous article here, where we use the Graph API to write SharePoint list items to Excel. In addition to the flow we used for the previous example, we are adding 3 actions.

  • A variable to manually store the Tenant ID and Client ID inline. We are not storing these values in the vault.
  • Use the Get Secret Action to fetch the Secret value from Key Vault.

Specify the name of the secret in the Get Secret action to fetch the corresponding secret value.

Ensure that the connection used for this action has permission on the Key Vault; otherwise the action fails with an access denied error.

To keep the input and output values from being visible in the run history, go to the settings of the Get Secret action and enable Secure Inputs and Secure Outputs.

Now that we have received the secret from the vault, we can use it within the Graph API HTTP call for authentication.
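An added example (not from the original article): a Python audit over the `actions` object of an exported flow definition that flags a Key Vault Get Secret action whose outputs are not secured and an HTTP action whose client secret is a literal rather than an expression. The sample actions, the secret name and the variable names are constructed, and the `shared_keyvault` connector id and `secureData` layout are assumed to match the export format.

```python
KEYVAULT_API = "shared_keyvault"  # connector id suffix, assumed from exported flows
NO_SECURE_OUT = "Get Secret output is visible in run history"
HARDCODED = "client secret is hard-coded in the HTTP action"
def walk(actions):
    """Yield (name, action) pairs, descending into scopes and condition branches."""
    for name, act in actions.items():
        yield name, act
        yield from walk(act.get("actions", {}))
        yield from walk(act.get("else", {}).get("actions", {}))

def audit(actions):
    """Return (action name, finding) pairs for the two weaknesses."""
    findings = []
    for name, act in walk(actions):
        inputs = act.get("inputs", {})
        host = inputs.get("host", {})
        # Properties ("inputs"/"outputs") this action hides from run history.
        hidden = act.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
        if host.get("operationId") == "GetSecret" and KEYVAULT_API in host.get("apiId", ""):
            if "outputs" not in hidden:
                findings.append((name, NO_SECURE_OUT))
        auth = inputs.get("authentication", {}) if act.get("type") == "Http" else {}
        secret = auth.get("secret", "")
        if isinstance(secret, str) and secret and not secret.startswith("@"):
            findings.append((name, HARDCODED))  # literal value, not an expression
    return findings

def get_secret(secure):
    """Constructed Get Secret action; secure=True mirrors Secure Inputs/Outputs on."""
    host = {"operationId": "GetSecret",
            "apiId": "/providers/Microsoft.PowerApps/apis/" + KEYVAULT_API}
    act = {"type": "OpenApiConnection",
           "inputs": {"host": host, "parameters": {"secretName": "GraphClientSecret"}}}
    if secure:
        act["runtimeConfiguration"] = {"secureData": {"properties": ["inputs", "outputs"]}}
    return act

def graph_http(secret):
    """Constructed HTTP action calling Graph; variable names are hypothetical."""
    auth = {"type": "ActiveDirectoryOAuth", "tenant": "@variables('TenantID')",
            "clientId": "@variables('ClientID')", "secret": secret,
            "audience": "https://graph.microsoft.com"}
    return {"type": "Http", "inputs": {"method": "GET", "authentication": auth,
                                       "uri": "https://graph.microsoft.com/v1.0/sites/root"}}

WEAK = {"Get_secret": get_secret(False), "HTTP": graph_http("constructed-plaintext-secret")}
HARDENED = {"Scope": {"type": "Scope", "actions": {
    "Get_secret": get_secret(True), "HTTP": graph_http("@body('Get_secret')?['value']")}}}
print("weak:", audit(WEAK), "\nhardened:", audit(HARDENED))
```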

Test the flow

Now that we have set up the additional security in the existing flow by storing the secret in the key vault and fetching it from there, let's test it by triggering the flow. The flow has run successfully by fetching the secret and authenticating the Graph HTTP call. We can also see that, because we set the Get Secret output to be secured, the run does not show the returned secret value in the output, which would otherwise be visible.

Summary

Thus, we saw how to use Azure Key Vault with Power Automate to secure the client secret that we use for Graph HTTP call authentication, which enhances the security of the processes we are building in the flow.

Author

Priyaranjan KS is a Modern Workplace Architect primarily focused on developing and architecting solutions around Office 365, Power Platform and Azure. He is also a Microsoft Most Valuable Professional (MVP) and a Microsoft Certified Trainer (MCT).