
Secure Your Power Platform Solutions with Azure Key Vault Environment Variable Secrets

Configure environment variable secrets in Power Platform to retrieve sensitive values from Azure Key Vault, keeping your API keys and passwords safe.

Narmer Abader
@narmer · Published June 3, 2026

Storing secrets directly in your Power Automate flows or canvas apps is risky—anyone with access to the solution can see the values. Environment variable secrets provide a secure alternative by acting as a reference to a secret stored in Azure Key Vault. This article walks through the entire setup, from preparing your Key Vault to retrieving the secret in a flow.

Imagine your company, Contoso, needs to call a third‑party payment API from a Power Automate flow. The API key is stored as a secret in Azure Key Vault. You will create an environment variable secret that points to that Key Vault secret, then use an unbound action to read it securely inside the flow.

Prerequisites

  • An Azure subscription with permission to create Key Vaults and assign roles.
  • A Power Platform environment with Dataverse enabled.
  • The user who performs the configuration must have at least Contributor access to the Key Vault.

Step 1: Prepare Azure Key Vault

Go to the Azure portal and open the Key Vaults service. Create a new vault or use an existing one. Note down the Subscription ID, Resource Group name, and Key Vault name—you will need them when setting up the environment variable. For this example, use:

  • Key Vault name: contoso-payments-vault
  • Resource Group: payments-rg
  • Subscription ID: 00000000-0000-0000-0000-000000000000 (replace with your own)

Add a Secret

Inside the Key Vault, go to Secrets and select Generate/Import. Enter a name such as payment-gateway-key and the actual secret value. Optionally set an expiration date. After creation, the secret appears in the list.

Assign Permissions to Identities

Two identities need permission to read the secret:

  1. Your user account (the one that will configure the environment variable and run the flow).
  2. Dataverse – a Microsoft service principal that acts on behalf of Power Platform.

Navigate to Access control (IAM) and click Add role assignment. Select the built‑in role Key Vault Secrets User. Assign this role to both your user account and to the application named Dataverse (you can search for “Dataverse” in the principal picker).

Important
If you cannot find the Dataverse application, make sure the Microsoft.PowerPlatform resource provider is registered in your Azure subscription (see next section).

Then, under Access policies, create an access policy using the template Key, Secret, and Certificate Management. Add the same two principals (your user and Dataverse) to the policy. This step is required even after the IAM role assignment.

Register the Resource Provider

In your Azure subscription, open Resource Providers and verify that Microsoft.PowerPlatform shows a status of Registered. If not, select it and press Register.
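
The whole of Step 1 can be scripted. The block below is an added example, not part of the original article, that performs the same actions with the Az PowerShell modules (Az.Accounts, Az.Resources, Az.KeyVault) in an already signed-in session (Connect-AzAccount). It uses the article's sample names; the subscription id is the article's placeholder, and the region and the six-month expiry are assumptions. It deliberately grants only get/list on secrets rather than the broad "Key, Secret, and Certificate Management" template, and it checks the results that the Troubleshooting section later asks you to verify.

```powershell
# Added example: Step 1 (vault, secret, role assignment, access policy, provider registration) as Az PowerShell.
# Assumes Az.Accounts/Az.Resources/Az.KeyVault are installed and Connect-AzAccount has already been run.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder from the article; use your own
$ResourceGroup  = 'payments-rg'
$VaultName      = 'contoso-payments-vault'
$SecretName     = 'payment-gateway-key'
$Location       = 'eastus'                                  # assumption: choose your region

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Register the Microsoft.PowerPlatform provider first; without it the "Dataverse" principal cannot be resolved.
$provider = Get-AzResourceProvider -ProviderNamespace 'Microsoft.PowerPlatform'
if (($provider | Select-Object -First 1).RegistrationState -ne 'Registered') {
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PowerPlatform' | Out-Null
}

# Create the vault only if it does not already exist (the article allows reusing one).
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault) {
    $vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location
}

# Store the API key. Prompting for it as a SecureString keeps it out of shell history and script files.
$secretValue = Read-Host -Prompt "Value for $SecretName" -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secretValue `
    -Expires (Get-Date).AddMonths(6) | Out-Null          # assumption: six-month expiry

# The two principals that must read the secret: the signed-in user and Microsoft's "Dataverse" service principal.
$me        = Get-AzADUser -SignedIn
$dataverse = Get-AzADServicePrincipal -DisplayName 'Dataverse'
if (-not $dataverse) { throw 'Dataverse service principal not found; confirm the provider registration above.' }

foreach ($principalId in @($me.Id, $dataverse.Id)) {
    # Data-plane RBAC role scoped to this vault only; skip if the assignment already exists.
    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId `
        -RoleDefinitionName 'Key Vault Secrets User'
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Key Vault Secrets User' `
            -Scope $vault.ResourceId | Out-Null
    }
    # Access policy: get/list is all that reading a secret needs, narrower than the portal template.
    # If the vault's permission model is "Azure RBAC", this call is rejected and the role assignment alone applies.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets get, list
}

# Verification, matching the Troubleshooting checks later in the article.
Get-AzRoleAssignment -ObjectId $dataverse.Id -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object ObjectId -in @($me.Id, $dataverse.Id) |
    Select-Object ObjectId, PermissionsToSecrets
```

Run it once per environment (dev, test, production), pointing at that environment's own vault as the Best Practices section recommends; because the role and policy steps are idempotent, re-running it after a secret rotation is safe.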

Step 2: Create the Environment Variable Secret in Power Platform

Now switch to Power Automate (or Power Apps) and open the solution where you want to store the secret. Choose New > Environment Variable.

Fill in the fields with the following values:

  Field          Value
  Display Name   Payment Gateway API Key
  Name           env_paymentgatewaykey
  Data Type      Secret
  Secret Store   Azure Key Vault

In the Current Azure Key Vault Secret section, enter the details you noted earlier:

  • Azure Subscription Id: 00000000-0000-0000-0000-000000000000
  • Resource Group Name: payments-rg
  • Azure Key Vault Name: contoso-payments-vault
  • Secret Name: payment-gateway-key

Save the environment variable. The connection to Key Vault is validated when you save.

Step 3: Retrieve the Secret in a Power Automate Flow

Create a new instant flow in Power Automate (the trigger is not important for this example). Add a step and search for the Dataverse connector. Select the action Perform an unbound action.

Configure the action as follows:

  • Action Name: RetrieveEnvironmentVariableSecretValue
  • EnvironmentVariableName: env_paymentgatewaykey

For testing, add a Compose action after it and use the dynamic output environmentVariableSecretValue from the unbound action.

Compose action input (expression):

  outputs('Perform_an_unbound_action')['environmentVariableSecretValue']

Save and run the flow. The Compose output will display the actual secret value retrieved from Key Vault.
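
The same unbound action can be invoked outside the flow designer, which is a quick way to confirm that the environment variable resolves (and that the Step 1 permissions are right) before wiring up the flow. The block below is an added example, not from the article: it calls RetrieveEnvironmentVariableSecretValue through the Dataverse Web API from an Az PowerShell session signed in as the user from Step 1. The organization URL is a placeholder, the function form of the call and the EnvironmentVariableSecretValue response property are assumptions about the Web API, and the script reports only that a value came back rather than printing the secret.

```powershell
# Added example: exercise the Step 3 unbound action via the Dataverse Web API to verify the setup.
# Assumes Az.Accounts is loaded and Connect-AzAccount has been run as the user granted access in Step 1.
$OrgUrl     = 'https://yourorg.crm.dynamics.com'   # placeholder: your Dataverse environment URL
$EnvVarName = 'env_paymentgatewaykey'

# Newer Az.Accounts versions return the token as a SecureString; handle both shapes.
$tokenInfo = Get-AzAccessToken -ResourceUrl $OrgUrl
$token = if ($tokenInfo.Token -is [securestring]) {
    ConvertFrom-SecureString -SecureString $tokenInfo.Token -AsPlainText
} else { $tokenInfo.Token }

$headers = @{
    Authorization     = "Bearer $token"
    'OData-MaxVersion' = '4.0'
    'OData-Version'    = '4.0'
    Accept             = 'application/json'
}

# Assumption: the action is exposed as a Web API function taking EnvironmentVariableName.
$uri = "$OrgUrl/api/data/v9.2/RetrieveEnvironmentVariableSecretValue(EnvironmentVariableName='$EnvVarName')"
$response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

# Assumption: the response carries the value in EnvironmentVariableSecretValue.
# Never echo the secret itself; a transcript or CI log would otherwise capture it.
$secret = $response.EnvironmentVariableSecretValue
if ([string]::IsNullOrEmpty($secret)) {
    throw "Environment variable '$EnvVarName' resolved to an empty value; check the Key Vault secret name and expiry."
}
"Environment variable '$EnvVarName' resolved to a $($secret.Length)-character secret."
$secret = $null
```

An HTTP 403 here corresponds to the "Access Denied" case in the Troubleshooting section: the Dataverse principal or your user is missing the role or access policy on the vault.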

Step 4: Protect the Secret from Appearing in Run History

The secret value from the previous step is visible in the flow run logs by default. To prevent this, open the Settings of the Perform an unbound action step. Toggle Secure Inputs and Secure Outputs to On. After saving, all future runs will show “Content not shown due to security configuration” for that action, keeping the secret hidden.

Caution
Prior run history that was not secured will still expose the secret. Re‑run the flow after enabling secure settings to replace old logs.

Common Mistakes and Troubleshooting

  • Resource provider not registered – The error “Subscription not registered with Microsoft.PowerPlatform” appears. Register the provider as described in Step 1.
  • Missing IAM role – The environment variable cannot read the secret. Ensure both your user and “Dataverse” have the Key Vault Secrets User role at the Key Vault scope.
  • Access policy not created – Even with IAM, you must add the explicit access policy. The environment variable creation will fail without it.
  • Secret name mismatch – The environment variable’s secret name must exactly match the one in Key Vault (case‑insensitive, but avoid any extra spaces).
  • Expired secret – If the secret has an expiration date and it has passed, the retrieval fails. Renew the secret in Key Vault.
  • Flow run shows “Access Denied” – Verify the Dataverse application principal is correctly added to both the IAM role and access policy.

Best Practices

  • Use a separate Key Vault for each environment (dev, test, production) and restrict access accordingly.
  • Rotate secrets regularly and update the environment variable if the Key Vault secret name changes.
  • Combine secure inputs/outputs with scope‑level security on the flow to minimize exposure.
  • When using ALM pipelines, remember that environment variable secrets are environment‑specific and cannot be exported as plain text; configure them per environment.

Conclusion

Environment variable secrets offer a robust way to bring Azure Key Vault secrets into Power Platform solutions without hard‑coding sensitive data. By following the steps above, you can centralize your secrets, control access through Azure RBAC, and keep your flows and apps secure.
