Posts Tagged ‘Environment variable’

[Step by Step] Configure and consume ‘Environment Variables’ of type ‘Secret’ using ‘Azure Key vault’

In this article, lets learn the steps to configure Environment Variables of type ‘Secret’ using Azure Key Vault and fetch them from a simple Power Automate Cloud Flow.

Lets first understand what is an Azure Key Vault and Environment Variables.

  • Azure Key Vault is a cloud-based service provided by Microsoft Azure that allows users to securely store and manage cryptographic keys, secrets, and certificates used for protecting sensitive data in cloud applications and services.
  • A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

What is an Environment Variable:

  • In simple words, an Environment Variable is a way to store and manage configuration values that can be used across multiple environments.
  • One environment variable can be used across many different solution components – whether they’re the same type of component or different.
    • For example, a canvas app and a flow can use the same environment variable. When the value of the environment variable needs to change, you only need to change one value.

What is an Azure Key Vault:

Now that we know the basics of Environment Variables and Azure Key Vault, lets understand how these two can be used together.

High level design:

Consuming Azure Key Vault secrets in Environment Variables is two step process.

Lets learn the step by step process.

Steps to create new Key Vault and Secrets:

The prerequisite is to register the PowerPlatform resource provider in your Azure subscription.

Register the PowerPlatform resource provider:
  • Select the Subscription and click on ‘Resource providers’ and make sure ‘Microsoft.PowerPlatform’ is ‘Registered’ as shown below.
    • You can use ‘Re-register’ and ‘Unregister’ buttons to either register or unregister.

Create Azure Key Vault:
  • From the Azure Portal, go to Key vaults page and click on ‘Create’ to create a new Key Vault.
  • Provide the details and click on ‘Review + create’ to complete the creation of your new Key vault.
  • Next open the newly created ‘Key Vault’ and create the ‘Secret’ by clicking on ‘Secrets’ tab.
  • Click on ‘+ Generate/Import’.
  • Provide ‘Name’ and ‘Secret value’ and click on ‘Create’.
  • Next is the important step, which is granting ‘Key Vault’ access to the ‘Users/Service Principles’.

Setting Key Vault Access:

Azure Key Vault must have the Key Vault Secrets User role granted to the Dataverse service principal. Follow these steps.

  • Click on ‘Access control (IAM)’ tab and click on ‘Add role assignment’ as shown below.
  • Select ‘Assignment type‘ as ‘Job function roles’ and click ‘Next’.
  • Select ‘Key Vault Secrets User‘ role and click ‘Next’.
  • Click on ‘+ Select members’ and select ‘Dataverse’ under ‘Select members’ pane.
  • Click ‘Review + assign’ button and complete the step.
  • Next, as a last access step, click on ‘Access policies’ tab and click on ‘+ Create’.
  • Select the ‘Get’ permission under ‘Secret permissions’ and click ‘Next’.
  • In the next screen, select ‘Dataverse’ principal and click ‘Next’.
  • On the ‘Review + create’ tab, click on ‘Create’ to complete the step.

Copy the Key Vault details:

We are done with ‘Key Vault’ set up and copy following details, which we need in next steps.

  • From the ‘Overview’ tab, copy ‘Resource group’ and ‘Subscription ID’.
  • From ‘Secrets’ tab, copy the ‘Secret Name’ (i.e.,secUserID) and ‘Key Vault Name’ (i.e., DemoEnvironmentVariables).

We are done with ‘Key Vault’ side of configurations. Lets connect to PowerApps maker portal and set up ‘Environment Variable’.

Steps to configure ‘Environment Variable’ of type ‘Secret’:

From the PowerApps maker portal, create or open an existing Solution.

  • Click on ‘New -> Environment variable’.
  • Select the ‘Data Type’ as ‘Secret’ and click on ‘+ New Azure Key Vault secret reference’ link.
  • Select the ‘Secret Store’ as ‘Azure Key Vault’ and provide the ‘Azure Subscription Id’, ‘Resource Group Name’, ‘Azure Key Vault Name’ and ‘Secret Name’ values which we copied in the previous step.
  • Click on ‘Save’ and you should the newly created ‘Environment Variable’ in your solution as shown below.
  • Copy the name (i.e., raj_evdemosecret) which we need in next step.

We’ve completed the both ‘Key Vault’ set up and creation of Secure ‘Environment Variable’. Its time to create a cloud flow and test.

Create a cloud flow to read the secured ‘Environment Variable’ value:

  • Create a new ‘Instant’ flow.
  • Select ‘Manually trigger a flow’ option.
  • We have a RetrieveEnvironmentVariableSecretValue unbound Action, to read the secret Environment Variable.
  • So, in our flow, Select New step, select the Microsoft Dataverse connector, and then on the Actions tab select Perform an unbound action.
  • Select ‘Action Name’ as RetrieveEnvironmentVariableSecretValue and ‘EnvironmentVariableName’ as the ‘Environment Variable Name’ copied in previous section (i.e., raj_evdemosecret).
  • Save the flow and test. You should see ‘’ which is the secret value we configured in ‘Key Vault’.
  • You will notice a ‘Flow checker’ warning with a message to ‘Turn on secure outputs…’. This is to prevent the output of the action getting exposed in the flow run history.
  • Select  > Settings of  Perform an unbound action control.
  • Enable the Secure Outputs option in the settings, and then select Done.
  • Save the flow and warning in ‘Flow Checker’ should go way now.
  • Retest the flow and you should get outputs as below.

That’s it. Hope you’ve learnt the basics of using ‘Key Vault’ and secret ‘Environment Variables’.

Refer this documentation for more details.



Dataverse | Solution Import Error | Environment variable value cannot be an empty string

If you are unversed with ‘Environment Variables’, first understand by going through the Environment Variables Overview.

Coming to the intent of the article, I’ve encountered Environment variable value cannot be an empty string error while importing a Solution using pac solution import command along with a Settings file.

Reason and Fix:

  • Reason for the issue is straightforward. In my settings-file , I’ve an ‘Environment Variable’ with a ‘SchemaName’ ‘cat_CompanyName’ which has a blank value in the ‘Value’ field..
  • When used this Settings file in pac solution import , import failed with Environment variable value cannot be an empty string error.
  • Fix is that, you can’t pass empty string in the ‘Value’ tag of ‘EnvironmentVariables’ in settings-file.
  • Update the Settings file by providing a value in ‘Value’ tag.
  • Retry the import and it should work now.


  • I did not face this issue, while setting a blank ‘Environment Variable Value’ from Maker portal and imported to my target environment.
  • Below is my DEV environment, where the ‘Environment Variable Value’ is blank.
  • I’ve exported the Solution and imported to target with no errors. Below is how ‘Environment Variable Value’ looks in Target environment post import.