How to securely sign in to an application in Power Automate Desktop with the password stored in Azure Key Vault?
Full video tutorial is available on my YouTube channel:
Use Case
In UI automation it is standard for a Power Automate Desktop flow to sign in to an application (desktop or web) before processing data. Azure Key Vault is the safest place to store the application password securely. Keeping the password in the vault also allows it to be rotated without editing the flow.
Here I am going to demonstrate the steps to retrieve the password from Azure Key Vault and securely sign in to a web application (Postman) in PAD.
Prerequisites
- You need an Azure Key Vault (and the Azure subscription that holds it), and it should be in the same tenant as the Power Platform environment
- A secret or application password is already stored in Azure Key Vault:
You may follow the steps in my previous blog for creating a secret to store passwords: Leverage credentials from Azure Key Vault for machine connection (manish-solanki.com)
Scenario
We already have a Power Automate Desktop flow that performs the actions to sign in to the Postman URL. Here the password value is hardcoded and marked as sensitive to secure it:
This desktop flow is triggered by a cloud flow to perform the sign-in operation:
Both the cloud and desktop flows are placed in the solution:
Solution
Firstly, within the solution create an environment variable that stores the user password. From the command bar, click ‘+ New -> More -> Environment variable‘:
Enter the display name and description of the environment variable. Choose ‘Secret’ as its data type and select ‘Azure Key Vault’ from the Secret Store drop down:
Click the ‘New Azure Key Vault secret reference’ link button and enter the details of the Azure secret.
Go back to the Azure portal, navigate to the Key Vault overview screen and copy the required values:
Enter all those values in the environment variable. The ‘Secret Name’ is the actual name of the secret used in Azure:
Click ‘Save’ to save the secret environment variable.
Note: If you face an access issue reading the secret value, refer to my previous blog for granting the appropriate access to the Dataverse service principal: Leverage credentials from Azure Key Vault for machine connection (manish-solanki.com)
Next, open the Power Automate Desktop flow. Add a new input variable that holds the password text. Enter the name, external name and description. Toggle on the ‘Mark as sensitive’ switch so the value is masked in logs:
Click ‘Save’ to save the input variable.
We need to pass the value of the input variable to the ‘Populate text field in window’ action that enters the password on the web page. Open the action and choose ‘Input as text, variable or expression’ from the ‘Text To fill-in’ drop down. Select the variable name from the window:
Click ‘Save’ to save the changes to the action, then save the desktop flow.
Lastly, go back to the cloud flow. We will make some changes to pass the password text to PAD. Add the ”” action to get the secret value from Azure Key Vault. Select ” from the operation drop down. Enter the name of the environment variable to get its value; do not enter the display name of the environment variable:
Go to the ‘Settings’ tab and toggle on the ‘Secure Outputs’ switch to secure the value of the output parameters. This hides the password value in the flow run instance.
After that, open the “Run a flow built with Power Automate for desktop” action and pass the output of the previous action to the input parameter from the dynamic content window:
Go to the ‘Settings’ tab and toggle on the ‘Secure Inputs’ option so the password text is not shown in the flow run history.
Save the cloud flow and trigger it to test the result.
Output
The cloud flow log after execution. It does not show the text of the password:
Similarly, the password was hidden in the Power Automate Desktop logs. The sensitive input variable was masked:
The password was also not visible at the action level:
Conclusion
- We can use environment variables and the “Perform an unbound action” action of the Dataverse connector to retrieve the password from Azure Key Vault.
- Azure Key Vault is the secure place to store secrets and passwords.
- Storing the password in Azure Key Vault also allows password rotation, as the environment variable always fetches the latest password from the vault.
- A password stored in Azure Key Vault also avoids having to edit the desktop flow when the application password changes.
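The same pattern the post builds with clicks (fetch the password from Key Vault at run time, never hardcode it, and make sure it never lands in the run log) can be expressed in a small Python automation. The block below is an added example, not code from the original post and not Power Automate's own code. The vault URL, secret name and the `login` callable are placeholders; the real Key Vault read uses the azure-identity and azure-keyvault-secrets packages and needs a signed-in Azure identity with read access to the secret, while the log-masking part runs offline and is what the stand-alone run exercises.

```python
# Added example (not from the original post, and not Power Automate's own
# code): the post's pattern as a small Python automation. The password is
# fetched from Azure Key Vault at run time instead of being hardcoded, and a
# logging filter masks it so the run log never contains it (the scripted
# counterpart of PAD's "Mark as sensitive" and the cloud flow's
# "Secure Inputs" / "Secure Outputs").
#
# Assumptions: the vault URL, secret name and `login` callable are
# placeholders; fetching from Key Vault needs the azure-identity and
# azure-keyvault-secrets packages plus an identity with read access to the
# secret. The masking logic itself runs offline.
import io
import logging
from typing import Callable, Iterable, List

MASK = "***"


def redact(message: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each secret value in `message` with MASK."""
    for secret in secrets:
        if secret:  # skip the empty string: replacing it would mangle the text
            message = message.replace(secret, MASK)
    return message


class SecretMaskingFilter(logging.Filter):
    """Logging filter that masks known secret values before a record is emitted."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed as %-args are caught too, then freeze
        # the masked text into the record (args cleared so it is not reformatted).
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


def fetch_secret_from_key_vault(vault_url: str, secret_name: str) -> str:
    """Read a secret from Azure Key Vault (real azure SDK calls; needs network and an identity).

    vault_url looks like https://<vault-name>.vault.azure.net (placeholder).
    """
    from azure.identity import DefaultAzureCredential  # imported lazily so the
    from azure.keyvault.secrets import SecretClient      # rest runs without the SDK

    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return client.get_secret(secret_name).value


def run_sign_in(username: str,
                fetch_secret: Callable[[], str],
                login: Callable[[str, str], bool]) -> List[str]:
    """Fetch the password, sign in, and return the log lines that were written.

    `fetch_secret` is injected so the flow can be exercised with a constructed
    value offline; in real use pass
    lambda: fetch_secret_from_key_vault(VAULT_URL, SECRET_NAME).
    """
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.Logger("sign_in_demo", level=logging.INFO)  # private logger, no global state
    logger.addHandler(handler)

    password = fetch_secret()  # the secret lives only in this local variable
    handler.addFilter(SecretMaskingFilter([password]))

    # Even a careless log line that includes the password comes out masked.
    logger.info("Signing in %s with password %s", username, password)
    ok = login(username, password)
    logger.info("Sign-in result for %s: %s", username, ok)
    handler.flush()
    return buffer.getvalue().splitlines()


if __name__ == "__main__":
    # Constructed stand-ins for Key Vault and for the application's login.
    lines = run_sign_in("demo.user", lambda: "P@ssw0rd-demo",
                        lambda user, pw: pw == "P@ssw0rd-demo")
    print("\n".join(lines))
```

The filter is attached to the handler only after the secret has been fetched, so the value it masks is the live one from the vault rather than a copy kept in the script; when the secret is rotated in Key Vault the next run picks up the new value and masks that instead, which is the same property the post gets from the secret environment variable.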
Solution to call Dataverse action directly in PAD
I tried calling the “Perform an unbound action in selected environment” cloud action directly in the Power Automate Desktop flow, but it failed:
The error message received was ‘Access denied’, but ideally it should retrieve the password using that action directly in PAD. I am not sure if it is a bug or whether it is due to the feature being in preview:
Correlation Id: e3e39374-2187-4bc0-87a8-1260d790a1b5
Additional info:
{
"StatusCode": "403",
"Message": "",
"Body": {
"error": {
"code": "0x80040256",
"message": "Access Denied."
}
}
}