Use Azure Key Vault to secure your Graph API connection in Power Automate


I've lately been playing around with Power Automate and Logic Apps, connecting them to the Graph API to get some (Intune/Autopilot) stuff done. But as there are no built-in triggers to connect to the Graph directly, we need to set up a custom connector or use an HTTP trigger to get the job done. If we use, for example, an HTTP trigger to connect to the Graph, authentication is done using an Azure App registration and its client secret. Something I don't like about this approach: the client secret is shown in plain text in the HTTP trigger, with all the unintended consequences that this entails.

But we can overcome this by using Azure Key Vault and securing the secret with an Azure Key Vault trigger in the flow.

Let's see how Azure Key Vault is set up and used in a flow.

Create Azure Key Vault

We're able to securely store the client secret of our App Registration in a Key Vault in Azure. Follow the steps below to set up the Key vault.

  • Sign in to the Azure portal
  • Open the service Key Vault
  • Click the Create key vault button
  • Choose the correct Subscription
  • Choose a Resource group (or create a new resource group)
  • Enter a Key vault name
  • Choose the Region
  • Choose the Pricing tier
  • Click Review + Create
  • Open the Key vault as soon as it's created
  • Open the Secrets tab
  • Click Generate/ import
  • Choose Manual as Upload option
  • Enter a Name for the Secret
  • Enter the client secret of the App registration you use in your flow
  • Set Enabled to Yes
  • Click Create

On the Access policies tab, you can create an Access policy and assign rights on the Key vault. By default, the user who created the vault is already added with default permissions.
If you're working with, for example, a service account, you can add that account on this tab and limit the permissions to only those that are needed.

The Secret permissions Get and List are sufficient for use in a flow.
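The same vault, secret and least-privilege access policy expressed as an ARM template, added here as an illustration and not taken from the original post. The vault name, the secret name graph-client-secret and the object ID of the (service) account are parameters you supply; the client secret itself is passed at deploy time as a securestring so it never sits in the template.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "string",
      "metadata": { "description": "Name of the Key vault (assumed value, supplied at deploy time)" }
    },
    "flowAccountObjectId": {
      "type": "string",
      "metadata": { "description": "Object ID of the (service) account the Key Vault connection in the flow signs in with" }
    },
    "graphClientSecret": {
      "type": "securestring",
      "metadata": { "description": "Client secret of the App registration used in the flow; never stored in the template" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2022-07-01",
      "name": "[parameters('vaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "enableRbacAuthorization": false,
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('flowAccountObjectId')]",
            "permissions": { "secrets": [ "get", "list" ] }
          }
        ]
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/{1}', parameters('vaultName'), 'graph-client-secret')]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
      ],
      "properties": {
        "value": "[parameters('graphClientSecret')]",
        "attributes": { "enabled": true }
      }
    }
  ]
}
```

The access policy grants only the Get and List secret permissions named above, nothing on keys or certificates, and no Set or Delete, so the account the flow signs in with can read the secret but cannot change it.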

After setting the required permissions, we're ready to switch over to the Power Automate portal.

Set up a flow using the Get secret trigger

Now that we have saved our client secret in the Key Vault, it's time to use it in a Power Automate (or Logic Apps) flow.

  • Sign in to the Power Automate portal
  • Open the Flow which contains the HTTP trigger you want to secure
  • Add a new action (one step before the HTTP trigger) and search for get secret
  • Select the Get secret (Azure Key Vault) action

After adding the new action, you might see an Invalid connection error when you click on the three dots. Because of this, the name of the secret can't be resolved.

Switching to the Connections tab (under Data) shows a Parameter value missing error. Click on the three dots to edit the connection.

Enter the Key Vault name and click Save.

You might now see another error: Can't sign in.
Click Fix connection and sign in with your (service) account.

The connection is now successfully established.

Switch back to the flow. Choose the correct Key Vault name from the drop-down list, which holds your key.

By default, the client secret is still shown in plain text when the flow runs. To resolve this, we can use a preview feature to secure the action's inputs and outputs.
Click on the three dots again and choose Settings. Switch Secure inputs and Secure outputs to On. Click Done.

If you don't want to use a preview function, you can also use the additional Encrypt data with Key and Decrypt data with Key actions in your flow.

Open the settings of the HTTP trigger and remove the plain-text client secret; we will replace it with dynamic content.
Search for secret and select value (the value of the secret).
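This is how the two actions configured above look in the Logic Apps workflow definition (Power Automate's Peek code view shows an equivalent shape). It is an added illustration, not code from the original post: the secret name graph-client-secret, the keyvault connection name, the Graph endpoint queried and the tenant and client ID placeholders are assumptions. The point to check is that the HTTP action's secret is the expression @body('Get_secret')?['value'] rather than a literal, and that secureData is set on both actions.

```json
{
  "actions": {
    "Get_secret": {
      "type": "ApiConnection",
      "inputs": {
        "host": {
          "connection": {
            "name": "@parameters('$connections')['keyvault']['connectionId']"
          }
        },
        "method": "get",
        "path": "/secrets/@{encodeURIComponent('graph-client-secret')}/value"
      },
      "runtimeConfiguration": {
        "secureData": { "properties": [ "inputs", "outputs" ] }
      },
      "runAfter": {}
    },
    "HTTP": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices",
        "authentication": {
          "type": "ActiveDirectoryOAuth",
          "tenant": "<TENANT-ID-PLACEHOLDER>",
          "audience": "https://graph.microsoft.com",
          "clientId": "<APP-REGISTRATION-CLIENT-ID-PLACEHOLDER>",
          "secret": "@body('Get_secret')?['value']"
        }
      },
      "runtimeConfiguration": {
        "secureData": { "properties": [ "inputs" ] }
      },
      "runAfter": {
        "Get_secret": [ "Succeeded" ]
      }
    }
  }
}
```

Securing the outputs of Get secret hides the returned value in the run history; securing the inputs of the HTTP action as well is a deliberate belt-and-braces choice, so that the evaluated authentication block is not shown there either. The Intune managedDevices query is only an example of the kind of Graph call the post has in mind.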

That's it!

When we now run the flow with the HTTP trigger, the client secret isn't shown anymore.

That's it for my first Power Automate blog post. Hope you enjoyed it; more Power Automate posts might follow, which can be found here 🙂
