web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
You're Invited to Keeping It Real with the Power Platform
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Are there any security...
Power Apps
Unanswered

Are there any security concerns/risks of using Power Automate Custom connectors

(0) ShareShare
ReportReport
Posted on by johnjohn123 3,514

We want to start investing a lot in custom connectors inside our Power Platform to be used inside Power Apps & Power Automate. but we have a concern if using those custom connectors which will integrate with external systems can pose any security holes.

Currently we will be using those 3 security types (Basic, API Key & OAuthn 2.0)

 

3types.png

 

we would assume that ONLY if the user has the username/password then the user should be able to integrate with the external API using the username/password (in case the custom connector is using the basic authentication). Same applies the API key, so ONLY if the user has the API key then the user should be able to integrate with the external system (in case the custom connector is using the API Key authentication). And same thing applies to the OAuthn 2.0, so only if the user has the permission on his/her username the user should be able to use the external API??

so are our above assumptions correct? or users will be able to use existing connectors and connect to the external APIs? for example let take this scenario; ManagerABC who have the API key create a power automate flow or Power Apps and define the API key for the custom connector. then can any user creates a new Power automate or power app and reuse the custom connection and get to the external API even if the user should not have the permission to do so (they do not have the API key for example)?

Thanks

Categories:
Connector development
I have the same question (0)
  • hhaliman Profile Picture
    hhaliman 48 on at

    The authentication is at the API you are connecting to, not the authentication for the custom connector itself. The users you shared the connector can use this connector. So you could share the connector ONLY to users that allowed to use the API.
    Another way is to share the connector to everyone, and don't hardcode the api key in the custom connector itself, but put it as parameter to the custom connector. So only users who know the api key can use the connector.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
You're Invited to Keeping It Real with the Power Platform

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the March Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
11manish Profile Picture

11manish 519

#2
WarrenBelz Profile Picture

WarrenBelz 439 Most Valuable Professional

#3
Vish WR Profile Picture

Vish WR 433

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans