Skip to main content

Notifications

Power Automate - Building Flows
Unanswered

How to Pass a Secret from Power Automate to Azure Automation without Exposing it

(0) ShareShare
ReportReport
Posted on by 10
Hi, I'm working on a flow for our user onboarding process, and I could use some help with secure inputs and secure strings.
 
The flow creates the user's account in Entra ID, then adds them to groups, gives them licences, creates planner tasks etc. The user's password is generated using a compose action in power automate To hide the password from the logs I have turned on Secure inputs on the compose action.
 
At the end of the flow, I want to send the user's password to an azure automation runbook, where it will be added to our password manager (Keeper) and shared with the appropriate manager.
 
In the runbook, I have the password parameter set up at the start of the script, which is where I will pass through the password from the compose action earlier. To keep the password secret in the runbook, I made the parameter type SecureString.
 
These are the parameters at the start of the runbook:
 
Param (
 [string] $DisplayName = "",
 [string] $UPN = "",
 [SecureString] $UserPassword = "",
 [string] $Manager = ""
 )
However it appears the the SecureString of the runbook is not compatible with the Secure input of the power automate flow. I receive the error message when the runbook runs:
Cannot process argument transformation on parameter 'UserPassword'. Cannot convert the "Pa55w0rd!" value of type "System.String" to type "System.Security.SecureString".
Is there a simple way to pass a secured password from Power Automate into a secure string in Azure Automation? Maybe convert it into a different encrypted variable in the flow, and then decrypt it in the runbook or something like that?
 
I have looked online, and I see one solution posted a lot where the password is saved to an Azure Key Vault in the flow, and then retrieved from the runbook. However, that doesn't work for me because to access a key vault from the runbook, the runbook needs to be run as a hybrid runbook worker (or the key vault firewall needs to be left open). I don't really have anywhere to run a hybrid runbook worker (and spinning up a VM purely for that purpose seems expensive), and it also seems far more complicated and overkill than just putting the password as a parameter in the Azure Automation action to pass it straight through to the runbook.
 
Any suggestions would be much appreciated.
  • AlexEncodian Profile Picture
    AlexEncodian 4,302 on at
    How to Pass a Secret from Power Automate to Azure Automation without Exposing it
  • Janddy Profile Picture
    Janddy 10 on at
    How to Pass a Secret from Power Automate to Azure Automation without Exposing it
    Thanks for the reply, however the article does not really solve my problem. As I said, I can't use the Azure Key Vault because I don't have a VM to host a hybrid runbook worker for the Azure Automation script, which is required to access the Azure Key Vault securely from Azure Automation.
  • narayan225 Profile Picture
    narayan225 2,390 on at
    How to Pass a Secret from Power Automate to Azure Automation without Exposing it
    I have not done this myself but it seems like the below article might help you.
     
     
    Hope this helps.
    Cheers!

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Microsoft Kickstarter Events…

Register for Microsoft Kickstarter Events…

Announcing Our 2025 Season 1 Super Users!

A new season of Super Users has arrived, and we are so grateful for the daily…

Announcing Forum Attachment Improvements!

We're excited to announce that attachments for replies in forums and improved…

Leaderboard

#1
WarrenBelz Profile Picture

WarrenBelz 145,445

#2
RandyHayes Profile Picture

RandyHayes 76,287

#3
Pstork1 Profile Picture

Pstork1 64,741

Leaderboard