To be secure one never wants to have a client secret in plain text in Power Automate. So set up a Key vault in Azure which is linked to an app registration with the necessary permissions.
First set up the app registration on portal.azure.com.
Fill in a name and best to stick to organization only for most use cases.
After it’s created, go to the resource, and fill in API permissions and Certificates & secrets.
In API permissions, add in what is required. Here I am adding Application permissions for Graph to access. Make sure Grant Admin consent is clicked to enable.
Go to Certificates & Secrets and + New Client Secret, and make sure you copy and paste the client secret value somewhere safe as it won’t be visible again.
Now go to Key Vaults and create a new vault, accepting the defaults for now.
After it’s created, set up the Secrets link and the Access policies. On the Secrets link, clink + Generate/Import
and then using the manual option, add in the name and secret value and click Create.
Now, the Key Vault will be available to yourself as the creator, but best to add a service principle account for security and deployment purposes. In Access policies, click +Access Policy.
In my case I am doing Secret management but there are many types, including user name and password mgt. Click on Select Principal and add in the app registration from the first step.
In Select permissions I have purely done List and Get as this will be used from Flow only to access Graph. Click on Add, and on the next screen click on Save or it will be lost !
Now we’re ready to go. Make an instant Flow to test. The action set is Azure Key Vault. Choose Get Secret ( I have found that connecting via service principal is hard to set up, seems buggy. List secrets seems to let you create the connection more easily). Click on Connect via Service Principal and enter the secret details you kept from earlier.
The Get Secret will let you pick the Name of the secret, but will bring it back in plain text. To prevent this, go into the Get Secret Settings and toggle Secure Outputs to On. A padlock sign will appear and hey presto, the secret is hidden forever.
See the following blog post for more details on this last bit