Power Automate is a massively scalable platform that integrates easily with external line-of-business applications, both within the Microsoft stack and outside it. Most of the time, a service provides a connector with which we can connect to it seamlessly. Some services, however, require a client secret as the authentication mechanism. Storing such information as plain text within Power Automate is not advisable.
In this article, we will see how to use Azure Key Vault to store sensitive information that can then be used within Power Automate.
Business Use Case
Let's take the case of Microsoft Graph API, where we have to supply the Client ID, Client Secret and Tenant ID to authenticate as the application we have registered in Azure. We will see how to store the sensitive Client Secret securely in Azure Key Vault and fetch it from Power Automate for use in the HTTP action that calls Graph.
As the first step, let's set up a Key Vault in Azure. Searching for Key Vault in the global search bar takes us to the Key Vault service.
Clicking Create opens a right pane where we can specify the subscription and resource group in which the key vault will be created, along with its name.
After filling in the required values, click Review + Create. Azure first validates the values that will be used for creation; once validation succeeds, click Create to provision the key vault.
The Key Vault is created, and we can head over to the key vault to add the secret.
Select Secrets from the left tab and click the Generate/Import option.
Select Manual as the upload option and enter the secret name and the actual secret value, which you would have obtained while registering the app in Azure. We can also set an expiration date for the secret so that access will be cut off by the expiration date. Click Create to add the secret to the vault.
Thus, we have the secret added to the key vault. Now we can head over to Power Automate to consume the secret.
Consume Azure Key Vault from Power Automate
The flow we will be using for this example is already explained in detail in the previous article here, where we use Graph API to write SharePoint list items to Excel. In addition to the flow used in the previous example, we are adding 3 actions.
- A variable to manually store the Tenant ID and Client ID inline. We are not storing these values in the vault.
- The Get Secret action to fetch the secret value from Key Vault.
Specify the name of the secret in the Get Secret action to fetch the corresponding secret value.
Ensure that the connection used for this action has permission to the Key Vault; otherwise we will get the access denied error below.
To keep the input and output values from being visible in flow runs, go to the settings of the Get Secret action and enable Secure Inputs and Secure Outputs.
Now that we have received the secret from the vault, we can easily use it within the Graph API HTTP call for authentication as below:
Test the flow
Now that we have set up the additional security in the existing flow by storing the secret in the key vault and fetching it from there, let's test it by triggering the flow. The flow has run successfully, fetching the secret and authenticating the Graph HTTP call. We can also see that, because we set the Get Secret output to be secured, the run does not show the returned secret value in the output, where it would otherwise be visible.
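To check these settings outside the designer, the script below audits a flow definition for a Get Secret action that lacks Secure Inputs or Secure Outputs and for an HTTP action whose client secret is typed in as a literal. It is an added example, not part of the original article: the sample definition is constructed, and the action names, the GetSecret operation ID, the secureData layout and the ActiveDirectoryOAuth block are assumptions about how the exported flow looks.

```python
import json

# Constructed sample: a trimmed flow definition. Action names, the secret name,
# the "GetSecret" operationId and the ActiveDirectoryOAuth block are assumptions.
SAMPLE_FLOW = json.loads("""
{"actions": {
  "Get_secret": {
    "type": "OpenApiConnection",
    "inputs": {"host": {"connectionName": "shared_keyvault", "operationId": "GetSecret"},
               "parameters": {"secretName": "GraphClientSecret"}},
    "runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}},
  "Call_Graph": {
    "type": "Http",
    "inputs": {"method": "GET", "uri": "https://graph.microsoft.com/v1.0/sites",
               "authentication": {"type": "ActiveDirectoryOAuth",
                                  "secret": "constructed-plaintext-secret"}}}
}}
""")


def iter_actions(actions):
    """Yield (name, action) pairs, descending into scopes, loops and conditions."""
    for name, action in actions.items():
        yield name, action
        yield from iter_actions(action.get("actions", {}))
        yield from iter_actions(action.get("else", {}).get("actions", {}))


def audit_flow(definition):
    """Return (action name, problem) tuples for secret-handling weaknesses."""
    findings = []
    for name, action in iter_actions(definition.get("actions", {})):
        inputs = action.get("inputs")
        inputs = inputs if isinstance(inputs, dict) else {}
        # Get Secret must hide both its inputs and outputs in run history.
        if inputs.get("host", {}).get("operationId") == "GetSecret":
            config = action.get("runtimeConfiguration", {})
            secured = set(config.get("secureData", {}).get("properties", []))
            for missing in sorted({"inputs", "outputs"} - secured):
                findings.append((name, f"secure {missing} not enabled"))
        # A secret that is not an expression ("@...") is stored in the flow itself.
        auth = inputs.get("authentication")
        secret = auth.get("secret") if isinstance(auth, dict) else None
        if isinstance(secret, str) and not secret.startswith("@"):
            findings.append((name, "client secret is a literal, not an expression"))
    return findings


if __name__ == "__main__":
    for action_name, problem in audit_flow(SAMPLE_FLOW):
        print(f"{action_name}: {problem}")
```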
Thus, we saw how to use Azure Key Vault with Power Automate to secure the client secret used for Graph HTTP call authentication, which enhances the security of the processes we build in the flow.