How to use Azure Key Vault credentials in desktop flow connections?
Use Case
To mitigate the risk of storing static machine credentials in a cloud-hosted desktop flow action, we can leverage Azure Key Vault. Keeping the password in Key Vault also satisfies the password rotation policies that most organizations follow, because the connection reads the current value instead of a copy saved in the flow.
With the ‘Credentials’ feature in Power Platform, we can pull the latest password stored in Azure Key Vault and use it to connect to a machine for executing a Power Automate desktop flow.
Prerequisites
1. You need an Azure subscription. The Power Platform environment and the Azure subscription must be in the same tenant.
2. The Microsoft Power Platform resource provider must be registered in the Azure subscription. To check this, go to Subscriptions in the Azure portal and select the subscription. Navigate to “Resource providers” and search for Power Platform. Register the provider if it is not already registered:
Solution
Store password in Azure Key Vault:
1. Create a new “Key vault” to store the user's password. Set the subscription, resource group, vault name, region and pricing tier:
Next, go to “Objects -> Secrets” from the left navigation:
If you run into an access-related issue, go to the “Access control (IAM)” tab in the left navigation. Click the ‘Add’ button on the command bar and select “Add role assignment” from the sub menu:
Search for and select “Key Vault Administrator” in the “Role” tab:
In the “Members” tab, click the “Select members” button. Search for the user(s) and select them from the list in the right panel. Click ‘Select’ to add the members:
Click the “Review + assign” button to grant the privilege to add secrets to the Key Vault:
Now navigate to “Objects -> Secrets” from the left navigation. The access-related error message should be gone. Click the “Generate/Import” button to add a password or secret:
Enter a name for the secret and enter the actual password in “Secret value”. Set the optional parameters as needed:
Click the “Create” button to save the secret or password.
We have now stored the password in Azure Key Vault; it will be used for the machine connection when executing the Power Automate desktop flow.
Next, we will create a solution in Power Platform and add an environment variable that references the password (secret) stored in Azure Key Vault.
Create environment variable in Solution
Create a new solution. Enter the solution name and select the publisher:
Add a new environment variable inside the solution. Go to “New -> More -> Environment variable”:
Enter the name of the variable and select ‘Secret’ from the data type drop down. Select ‘Azure Key Vault’ from the secret source drop down:
Click the ‘Advanced’ button to enter the values from the Azure portal:
To get these values, go back to the Azure portal and navigate to the key vault. Click the ‘Overview’ tab to get the subscription Id, resource group name and key vault name:
To get the secret name, navigate to “Objects -> Secrets” from the left navigation:
Enter all the details in the secret environment variable:
Finally, click the ‘Save’ button to save the changes.
You may face an access issue when reading the secret from Azure Key Vault:
No worries, let's grant the “Dataverse service principal” the access it needs to read the secret. Go back to the Azure portal and select the key vault. Navigate to the “Access Control (IAM)” tab. Click the ‘Add’ button on the command bar and select ‘Add role assignment’ from the sub menu:
Under the ‘Role’ tab, search for the ‘Key Vault Secrets User’ role and select that row in the grid. This role only allows reading secret contents, so Dataverse does not get rights to manage the vault:
Go to the ‘Members’ tab and click the ‘Select members’ button. Search for ‘Dataverse’ in the panel. Select Dataverse from the results and click the ‘Select’ button:
Click the ‘Review + assign’ button to go to the next tab:
Finally, click ‘Review + assign’ to grant the Dataverse service principal access to read secret values:
After granting read access to the secret, go back to the environment variable and try saving it again. The secret environment variable will save this time:
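The portal steps above (registering the Power Platform resource provider, creating the vault, granting yourself Key Vault Administrator, storing the secret, and granting the Dataverse service principal Key Vault Secrets User) can also be scripted, which makes the setup repeatable across environments and easy to review. The following Az PowerShell script is an added example and is not part of the original post. It assumes the Az module is installed, that the resource group already exists, and that the account running it can create role assignments on the subscription; the subscription id, resource group, vault name, secret name and admin account are placeholders to replace with your own.

```powershell
# Added example (not from the original post): Az PowerShell equivalent of the
# portal walkthrough. All names below are placeholders chosen for this example.
$subscriptionId = '<subscription-id>'
$resourceGroup  = 'rg-pad-credentials'        # assumed resource group (must already exist)
$vaultName      = 'kv-pad-credentials-001'    # assumed vault name, must be globally unique
$location       = 'eastus'                    # assumed region
$secretName     = 'pad-machine-password'      # assumed secret name
$secretAdmin    = 'admin@contoso.com'         # assumed: user who creates and rotates the secret

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Prerequisite 2: make sure the Microsoft.PowerPlatform resource provider is registered.
$unregistered = Get-AzResourceProvider -ProviderNamespace 'Microsoft.PowerPlatform' |
    Where-Object { $_.RegistrationState -ne 'Registered' }
if ($unregistered) {
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PowerPlatform' | Out-Null
}

# Step 1: create the vault. -EnableRbacAuthorization selects the Azure RBAC
# permission model, which is what the IAM role assignments in this post rely on.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup `
        -Location $location -Sku Standard -EnableRbacAuthorization
}

# Grant the secret owner "Key Vault Administrator" on the vault (the first IAM step above).
$adminAssignment = Get-AzRoleAssignment -SignInName $secretAdmin `
    -RoleDefinitionName 'Key Vault Administrator' -Scope $vault.ResourceId
if (-not $adminAssignment) {
    New-AzRoleAssignment -SignInName $secretAdmin `
        -RoleDefinitionName 'Key Vault Administrator' -Scope $vault.ResourceId | Out-Null
}

# Store the machine password as a secret. Read-Host -AsSecureString keeps the
# value out of the console history and out of this script file.
$password = Read-Host -Prompt 'Password of the desktop flow machine account' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $password `
    -Expires (Get-Date).AddDays(90) | Out-Null   # expiration is optional; 90 days is an assumed policy

# Grant the Dataverse service principal read access so the secret environment
# variable can resolve the value. "Key Vault Secrets User" only reads secret
# contents. Scoping the assignment to this one secret (the portal walkthrough
# assigns it on the whole vault) keeps Dataverse from reading secrets added later.
$dataverseSp = Get-AzADServicePrincipal -DisplayName 'Dataverse' | Select-Object -First 1
if (-not $dataverseSp) { throw "Service principal 'Dataverse' was not found in this tenant." }
$secretScope  = "$($vault.ResourceId)/secrets/$secretName"
$spAssignment = Get-AzRoleAssignment -ObjectId $dataverseSp.Id `
    -RoleDefinitionName 'Key Vault Secrets User' -Scope $secretScope
if (-not $spAssignment) {
    New-AzRoleAssignment -ObjectId $dataverseSp.Id `
        -RoleDefinitionName 'Key Vault Secrets User' -Scope $secretScope | Out-Null
}

# Values to enter in the 'Advanced' pane of the secret environment variable.
[pscustomobject]@{
    SubscriptionId    = $subscriptionId
    ResourceGroupName = $resourceGroup
    KeyVaultName      = $vaultName
    SecretName        = $secretName
} | Format-List

# Review who can read the secret: only the intended principals should be listed.
Get-AzRoleAssignment -Scope $secretScope | Select-Object DisplayName, RoleDefinitionName, Scope
```

Role assignments can take a few minutes to propagate, so if saving the environment variable still fails right after running the script, wait briefly and retry rather than widening the role. Rotating the password later is just another `Set-AzKeyVaultSecret` call with the same secret name; the credential picks up the new version at the next desktop flow run.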
Create another environment variable with the data type Text to store the username of the machine credentials:
The solution will look like this with both environment variables:
Go back to the Power Automate maker portal and select ‘More’ from the left navigation menu. Click the ‘Discover all’ button:
Scroll down to locate ‘Credential’ and click its name:
Click ‘New Credential’ on the top command bar, enter the name of the credential and click ‘Next’:
Next, select ‘Azure key vault’ from the store drop down and click the ‘Next’ button:
Finally, choose the username and password environment variables from the respective drop downs:
Click the ‘Save’ button to save the credential:
Power Automate to use credential as connection
Go back to the solution and create a cloud flow to test the credential in the desktop flow connection:
Add the action “Run a flow built with Power Automate for desktop” to the cloud flow. It will prompt for a user credential to connect to the machine. Select ‘Connect with username and password’ and the machine name from the respective drop downs. Click the ‘Switch to credentials’ button to use the credential backed by Azure Key Vault:
Select the credential created earlier from the drop down and click ‘Create’ to save the changes:
Choose the desktop flow from the drop down and select the run mode:
Save the cloud flow and run it.
Output
The cloud flow executed successfully, fetching the secret from Azure Key Vault:
Conclusion
Following are the takeaways:
- Users can execute desktop flows on Windows machines with credentials from Azure Key Vault.
- Credentials also support password rotation, since the machine connection gets the latest password at run time.
- This keeps desktop flows running successfully even when an administrator changes the password, as long as the secret in Key Vault is updated to the new value.
Mayank Gupta
Much needed blog. Very informative and clear explanation given.
Kudos to Manish, keep up the good work.
Manish Solanki
Thank you! 🙂 I am glad that you find it useful.