Recommended Alternatives (No Account Key Exposure)
1. Use Azure Blob Storage instead (AAD‑based auth supported)
If you can change the storage type:
- The Azure Blob Storage connector supports Azure AD authentication
- Works with:
  - User identity
  - Service principal
  - Managed identity (indirectly via Logic Apps / Functions)
- Fine‑grained RBAC (Storage Blob Data Contributor, etc.)
Best option if design flexibility exists
Many teams migrate file‑like workloads to Blob containers to avoid key‑based access altogether.
2. Expose Azure Files via SFTP (Azure Storage SFTP)
Azure Files can be accessed through Azure Storage SFTP and Power Automate can connect using the SFTP – SSH connector.
How it works
- Enable SFTP on the storage account
- Create local SFTP users or integrate with identity
- Connect using:
  - SSH key (preferred)
  - Credential vault / secret store
Pros
- No storage account key in Power Automate
- Strong security controls
- Supported, stable connector
Cons
- Requires SFTP setup
- Slightly more operational overhead
Very common security‑approved workaround
3. Azure Function + Managed Identity (Proxy Pattern)
This is the most secure and flexible pattern.
Architecture
Power Automate
↓ (HTTPS, OAuth)
Azure Function (Managed Identity)
↓
Azure Files (RBAC / REST API)
Details
- Function uses Managed Identity
- Function calls Azure Storage REST API
- Power Automate:
  - Calls the Function via OAuth / AAD
  - No storage secrets involved
Pros
- Zero keys or SAS in Flow
- Centralized auditing
- Fine‑grained control & throttling
Cons
- Requires a small amount of Azure dev work
Enterprise‑grade solution
4. Logic Apps (instead of Power Automate)
If this is a backend integration rather than citizen automation:
- Logic Apps (Standard) can use:
  - Managed Identity
  - VNET integration
- Can call Azure Storage REST APIs securely
Logic Apps often pass security reviews where Power Automate does not.
5. On‑premises Data Gateway (SMB Share Access)
If the Azure File Share is mounted:
- Mount Azure File Share to a VM
- Use File System connector via On‑Prem Data Gateway
Pros
- No account key in Flow
- Uses OS‑level security
Cons
- Requires VM
- Not cloud‑native
- Operational overhead
What You Can’t Do (Yet)
- Use Azure AD / OAuth directly with the Azure File Storage connector
- Use Managed Identity directly in Power Automate for Azure Files
- Avoid secrets entirely without an intermediary (Function / SFTP / Blob)
Security‑Friendly Recommendation Matrix
| Requirement | Best Option |
| --- | --- |
| Zero secrets in Power Automate | Azure Function + Managed Identity |
| Lowest effort | Azure Blob Storage |
| File share semantics required | Azure Files via SFTP |
| Backend integration | Logic Apps |
| Legacy SMB compatibility | Gateway + VM |
Bottom Line
Your security team is correct to block storage account keys in Power Automate.
The cleanest long‑term options are:
- Blob Storage with Azure AD, or
- Azure Function + Managed Identity proxy