Hello PowerApps Community,
I'm encountering an issue with an error message and I'm hoping someone can assist me. When attempting to set an environment variable as "Secret" with the data type as "Azure Key Vault" in my solution, I receive the following error message: "This variable didn't save properly. User is not authorized to read secrets from subscriptions ###".
I have verified that I have the necessary security permissions for the Key Vaults in my Azure subscription, and it appears that everything is in order. However, I still encounter this error message and I am unable to successfully save the variable.
Has anyone else experienced a similar issue or does anyone have any ideas on how to resolve this problem? Any hints or advice would be greatly appreciated.
I have a follow-up question regarding the Dataverse service principal. Is this simply an app registration that is named 'Dataverse' and has an API permission to Dynamics CRM?
Think I found a workaround on this:
1. Set access configuration on the vault to Vault Access Policy (even though the other one is the recommended one)
2. THEN save and go to "Access policies"
3. Now you can find the hidden "Dataverse" app registration by clicking "Create", choose the template Secret Management, and under the tab "Principal" look up "Dataverse" and confirm it has a GUID starting with "00000007-"
4. Save. And do the same with the user creating the environment variable.
Seems like you guys got this to work, but I am struggling a bit... First, I do not understand the point of the Dataverse service principal, as I'm creating the environment variable as me/myself/I. Anyway, I did go ahead and create a Dataverse service principal (i.e. app registration), with API rights to Dynamics, and added this as an application user in the Dataverse environment just in case there was some kind of magic going on. I still get the error while trying to create the environment variable.
Logging into Azure and checking my access rights (same user as the one I tried to create the environment variable with), it looks OK...?
Anyone?
Figured out my own problem here. In the instructions I needed to add a service principal called Dataverse. I just wish they could have put emphasis on that, like putting quotes or bold type around it to mark it as a noun.
Actually, the answer is obvious in my case 🙄. Even though I own the key vault, I still have to manually create the key in the Azure portal. It won't be done automatically when I create the secret environment variable. This time no error and the key is safe and sound in the vault!
I also have the same issue.
This variable didn't save properly. User is not authorized to read secrets from '/subscriptions/<subscription>/resourceGroups/rg-dev-powerplatform/providers/Microsoft.KeyVault/vaults/PPDev-KeyVault/secrets/secKey' resource.
Firstly, I couldn't assign the Key Vault Secrets User role to the Dataverse service principal unless I toggled the permission model to Vault Access policy.
After which, I toggled this back to Azure role-based access, as this seems to be the recommended way forward.
Next, I have added some candidate service principals to the Key Vault Secrets User role. Note, the Dataverse service principal below has the correct App Id as per the documentation.
I am the owner of the key vault, the Power Platform solution (and admin) and tenant admin, and yet I am still getting the above error.
Has anyone seen this issue?
Met all the prerequisites and still the same error creating a variable using Azure Key Vault. What do you need from me to fix this?
Point no. 5 in the Prerequisites of Configure Azure Key Vault is mentioned below. Can you double-check that the service account has the Key Vault Secrets User role?
Azure Key Vault must have the Key Vault Secrets User role granted to the Dataverse service principal.
Please also go through the other items in the prerequisites and make sure that it aligns with your current setup.
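
A read-only check of the access discussed in this thread, added here as an example and not taken from any of the posts or from Microsoft's documentation: it reports which permission model the vault uses and whether both the Dataverse service principal and the maker account have secret read access under that model. The vault name, resource group and user principal name are placeholders, and treating secret `get` as the required access-policy permission is an assumption.

```powershell
# Added example (read-only). Placeholder values below are assumptions; replace them.
# Requires the Az PowerShell module and a signed-in session (Connect-AzAccount).
$VaultName     = '<vault-name>'
$ResourceGroup = '<resource-group>'
$MakerUpn      = '<maker-upn>'   # user who creates the environment variable
$Role          = 'Key Vault Secrets User'

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault) { throw "Vault '$VaultName' not found in '$ResourceGroup'." }

# The thread identifies the principal by display name plus the 00000007- app ID prefix.
$dataverse = Get-AzADServicePrincipal -DisplayName 'Dataverse' |
    Where-Object { $_.AppId -like '00000007-*' } | Select-Object -First 1
if (-not $dataverse) { throw "No 'Dataverse' service principal with a 00000007- app ID found." }

$maker = Get-AzADUser -UserPrincipalName $MakerUpn
if (-not $maker) { throw "User '$MakerUpn' not found." }

$principals = @(
    [pscustomobject]@{ Name = 'Dataverse service principal'; Id = $dataverse.Id }
    [pscustomobject]@{ Name = "Maker ($MakerUpn)";           Id = $maker.Id }
)

$rbac  = [bool]$vault.EnableRbacAuthorization
$model = if ($rbac) { 'Azure role-based access control' } else { 'Vault access policy' }
Write-Host "Permission model: $model"

foreach ($p in $principals) {
    if ($rbac) {
        # Assignments effective at the vault scope (group membership is not expanded).
        $hit = Get-AzRoleAssignment -ObjectId $p.Id -Scope $vault.ResourceId `
            -RoleDefinitionName $Role
        $ok  = [bool]$hit
        $how = "role '$Role'"
    } else {
        # Under access policies, role assignments are not evaluated for secret reads.
        $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $p.Id }
        $ok  = [bool]($policy.PermissionsToSecrets -contains 'get')
        $how = "access policy with secret 'get'"
    }
    [pscustomobject]@{ Principal = $p.Name; ObjectId = $p.Id; Check = $how; Granted = $ok }
}
```

A `Granted = False` row under the active permission model points at the principal that still needs access; a grant made under the other model does not count.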