Hi, I'm working on a flow for our user onboarding process, and I could use some help with secure inputs and secure strings.
The flow creates the user's account in Entra ID, then adds them to groups, gives them licences, creates Planner tasks, etc. The user's password is generated using a Compose action in Power Automate. To hide the password from the logs, I have turned on Secure Inputs on the Compose action.
At the end of the flow, I want to send the user's password to an azure automation runbook, where it will be added to our password manager (Keeper) and shared with the appropriate manager.
In the runbook, I have the password parameter set up at the start of the script, which is where I will pass through the password from the compose action earlier. To keep the password secret in the runbook, I made the parameter type SecureString.
These are the parameters at the start of the runbook:
Param (
    [string] $DisplayName = "",
    [string] $UPN = "",
    [SecureString] $UserPassword = "",
    [string] $Manager = ""
)
However, it appears that the SecureString of the runbook is not compatible with the Secure Inputs of the Power Automate flow. I receive this error message when the runbook runs:
Cannot process argument transformation on parameter 'UserPassword'. Cannot convert the "Pa55w0rd!" value of type "System.String" to type "System.Security.SecureString".
Is there a simple way to pass a secured password from Power Automate into a secure string in Azure Automation? Maybe convert it into a different encrypted variable in the flow, and then decrypt it in the runbook or something like that?
I have looked online, and I see one solution posted a lot where the password is saved to an Azure Key Vault in the flow, and then retrieved from the runbook. However, that doesn't work for me because to access a key vault from the runbook, the runbook needs to be run as a hybrid runbook worker (or the key vault firewall needs to be left open). I don't really have anywhere to run a hybrid runbook worker (and spinning up a VM purely for that purpose seems expensive), and it also seems far more complicated and overkill than just putting the password as a parameter in the Azure Automation action to pass it straight through to the runbook.
Any suggestions would be much appreciated.
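The pattern below is an added example, not the original poster's runbook. The error in the post shows that the Power Automate "Create job" action delivers the parameter as a plain System.String, so the runbook declares it as [string], converts it to a SecureString in the first line of real work, removes the plaintext variable, and unwraps the value only inside the call that needs it. Add-KeeperRecord is a hypothetical placeholder for whatever Keeper client call is actually used; everything else is standard PowerShell and .NET.

```powershell
# Added example: runbook that takes the password as the plain string Power Automate
# actually sends, then keeps it as a SecureString for the rest of the job.
Param (
    [Parameter(Mandatory = $true)] [string] $DisplayName,
    [Parameter(Mandatory = $true)] [string] $UPN,
    [Parameter(Mandatory = $true)] [string] $UserPassword,   # arrives as System.String, not SecureString
    [Parameter(Mandatory = $true)] [string] $Manager
)

# 1. Convert immediately and drop the plaintext variable so nothing further down
#    the script can accidentally Write-Output it into the job's output stream.
#    (.NET strings are immutable, so this is best effort: the original value stays
#    in memory until garbage collection, but it is no longer reachable by name.)
$securePassword = ConvertTo-SecureString -String $UserPassword -AsPlainText -Force
Remove-Variable -Name UserPassword

# 2. Carry it around as a PSCredential; printing the object never reveals the password.
$credential = [System.Management.Automation.PSCredential]::new($UPN, $securePassword)
Write-Output "Prepared credential for $($credential.UserName)"   # safe: no password in this line

# 3. Unwrap only inside the function that needs a plain string, and zero the
#    unmanaged copy as soon as the call returns, even if it throws.
function Invoke-WithPlainTextPassword {
    param(
        [Parameter(Mandatory)] [System.Security.SecureString] $Secure,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        & $Action $plain
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# The Keeper step receives the plaintext only as a call argument, inside this block.
# Add-KeeperRecord is a hypothetical placeholder, not a real cmdlet: replace it with
# the Keeper Commander or REST call you actually use.
Invoke-WithPlainTextPassword -Secure $credential.Password -Action {
    param($plainPassword)
    Add-KeeperRecord -Title "$DisplayName ($UPN)" -Login $UPN -Password $plainPassword -ShareWith $Manager
}
```

Two caveats a practitioner would check before relying on this. First, converting to a SecureString inside the runbook only protects the value from the runbook's own output and verbose streams; the Azure Automation job still records its input parameters, so anyone who can read the job in the portal can read the password there. Second, Secure Inputs on the Compose action does not cover the later Azure Automation action in the flow: turn on Secure Inputs on the "Create job" action as well, or the password appears in that action's inputs in the flow run history.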