web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Access Key Vault Secre...
Power Apps
Answered

Access Key Vault Secret from Plugin

(1) ShareShare
ReportReport
Posted on by PDCM 25

Hi,

 

Currently, all our key vault secrets are accessible and linked to as Environment Variables. Power Automate flows are able to retrieve these environment variable secrets easily using the RetrieveEnvironmentVariableSecretValue action.

 

Now what I am aiming for is to retrieve the Environment Variable secrets in Plugins. Unfortunately, RetrieveEnvironmentVariableSecretValue cannot be called directly thru code and only available for Flow use (see link). I thought of the following work around:

1. Create an http request triggered flow, use the RetrieveEnvironmentVariableSecretValue action to retrieve the secret and return the secret value as response. Plugin will call the flow via http request.

- This can work. The only problem is that the flow has to be configured for public use because if this flow is to be configured as accessible only by 'anyone within tenant' or a 'specific user', calling this flow will still require a secret and it will still be the same problem. 

2. Retrieve the secret directly from azure key vault. - This approach will still require a secret. 

 

Are there any other possible ways I can retrieve key vault secrets in Dataverse plugin?

Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • Verified answer
    ivan_apps Profile Picture
    ivan_apps 2,189 Moderator on at

    I assume you're using C# plugins, not Low-Code plugins.  I have no idea if it's possible with low-code plugins but it should be with C#. 

     

    Take a look at this blog as I think this answers your questions on how to retrieve the secret via plugin: https://itmustbecode.com/azure-key-vault-secrets-in-dataverse/

     

    If you want to retrieve directly from KeyVault, then you'd need an App Registration with the appropriate access to the vault. Put your App Registration Secret into your Secure Configuration when registering the plugin. Your code should then be able to handle the call and authenticate via the app registration to retrieve the Secret value.

  • PDCM Profile Picture
    PDCM 25 on at

    Hi Ivan,

     

    Thanks for your response. 

     

    Yes, I am referring to the C# plugin. I have actually looked into the blog you shared before and unfortunately, this is using the RetrieveEnvironmentVariableSecretValue action. Looking at the comment section of the blog, this action seems to work before but later changed to only applicable for Flows and not thru code/api.

  • ivan_apps Profile Picture
    ivan_apps 2,189 Moderator on at

    that is indeed unfortunate. Your first method of calling power automate via HTTP endpoint should work, I imagine you want to add a custom Access Control List to limit who can execute this flow. Ultimately you will need the Azure App Registration created with sufficient access to the Vault. You put in the Azure App secret directly into the flow or you can force the flow to receive it as a parameter. Use the plug-in secure configs to enter the Azure App Secret and call the flow with your new credentials.

    If you are developing in different environments within the same tenant, your app registration just needs an account in each environment but otherwise it doesn’t have to change so you don’t need to store the App secret in environment variables. 

    your method #2 is probably a bit more straightforward rather than using power automate as an intermediate. Again an app registration is key, but don’t think that you need to put the secret for it in an EV. Putting it into the secure config should be sufficient. You can still put the Secret in the KeyVault directly for safe keeping but in order to programmatically access the rest of the secrets you have to manage that secret outside of EVs. Otherwise you’re just creating a circular dependency on the KeyVault without having access to retrieve the access key.

  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @pdcmagno,
    Very good question, and I believe it is something in the backlog of the product but no ETA yet. The workaround I use is to leverage Azure aware plugins instead of traditional Dataverse plugins. With Azure aware plugins you can then access anything and add references to any desired library.

     

    You can also vote for the idea here: https://ideas.powerapps.com/d365community/idea/21c23c3b-4972-ee11-a81c-0022484e61f5

     

    Hope this helps!

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the April Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
Vish WR Profile Picture

Vish WR 1,009

#2
11manish Profile Picture

11manish 672

#3
Valantis Profile Picture

Valantis 628

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans