Adobe PDF Password-Protect and Secure Distribute
Before a sensitive PDF (payslip, report, statement) is sent, the flow applies password protection and permission restrictions with Adobe PDF Services, files the protected copy to SharePoint, and emails it with the password delivered out-of-band via a separate email or SMS. Prevents sensitive documents going out unprotected.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow automatically password-protects sensitive PDFs with Adobe PDF Services (the *Protect PDF* operation) and distributes the encrypted file to its recipient, delivering the open password out-of-band in a separate email so the document and its key never travel together.
Why it matters: Sending unprotected payslips, statements, or confidential reports is a data-leak risk. Automating the protection control enforces it consistently on every document, and out-of-band password delivery means an intercepted email alone cannot open the file.
Build note — Adobe via REST/HTTP, not the connector. The Power Automate Adobe PDF Services connector exposes its file input as a contentOnly multipart parameter that cannot be authored through the API/solution build path. This flow therefore calls the Adobe PDF Services REST API directly with the built-in HTTP action (token -> upload asset -> PUT bytes -> operation/protectpdf -> poll -> download), which needs no connection reference — credentials are passed as a bearer token from environment variables. This is the proven FlowLibs pattern for Adobe transform operations.
Use Case
HR, finance, and compliance teams distributing payslips, bank statements, board packs, or confidential reports want every PDF encrypted before it leaves the organisation, with the password delivered through a separate channel. A user (or an upstream process) drops a PDF into a watched SharePoint library; the flow protects it, archives the protected copy, emails it to the recipient, and sends the password separately.
Flow Architecture
When a PDF is added to the secure library
SharePoint — GetOnNewFileItems (5-min recurrence, splitOn)Fires once per file added to the watched pending secure distribution library.
Initialize configuration variables
Initialize Variable (x13)Bind every configurable value from environment variables (site URL, protected folder, recipient, password delivery, Adobe base/id/secret, encryption algorithm, allowed permissions, content scope); generate random open + owner passwords; seed the poll-status flag.
Check File Is PDF
Condition (endsWith .pdf)Only PDFs are processed; non-PDF uploads fall through the empty False branch and are ignored.
Get Source File Content
SharePoint — GetFileContentReads the new PDF bytes ($content = base64).
Get Adobe Access Token
HTTP — POST {base}/tokenExchanges client id/secret for a bearer access token.
Create Adobe Upload Asset
HTTP — POST {base}/assetsRequests a pre-signed upload URI + assetID.
Upload PDF To Adobe
HTTP — PUT {uploadUri}Uploads the PDF bytes (base64ToBinary).
Compose Protect Request
ComposeBuilds the protect body: user + owner password, encryption algorithm, allowed-permissions array, content scope.
Start Protect Job
HTTP — POST {base}/operation/protectpdfStarts the async protect job (returns 201 + a polling Location header).
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_SharePointSiteURL | String | https://your-tenant.sharepoint.com | Site hosting the pending + protected libraries. (reused) |
| flowlibs_SecurePendingLibrary | String | Documents | Library watched for PDFs awaiting protection (trigger table). |
| flowlibs_SecurePendingFolder | String | /Pending Secure Distribution | Sub-folder within the watched library (trigger folderPath). |
| flowlibs_ProtectedLibraryPath | String | /Shared Documents/FlowLibs - Secured Documents | Folder where the protected copy is filed. |
| flowlibs_DocumentRecipientEmail | String | secure-recipient@your-tenant.onmicrosoft.com | Recipient of the protected document. |
| flowlibs_PasswordDeliveryEmail | String | password-delivery@your-tenant.onmicrosoft.com | Out-of-band channel that receives the open password. |
| flowlibs_AdobePdfServicesBase | String | https://pdf-services.adobe.io | Adobe PDF Services REST base URL. (reused) |
| flowlibs_AdobeClientId | String | <configure> | Adobe API client id (X-API-Key + token request). (reused) |
| flowlibs_AdobeClientSecret |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| SharePoint | shared_sharepointonline | GetOnNewFileItems GetFileContent CreateFile |
| HTTP | http | POST /token POST /assets PUT {uploadUri} POST /operation/protectpdf GET status GET {downloadUri} |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- SMS out-of-band delivery
- Replace Send Password Out Of Band (Outlook) with a Twilio SendMessage to text the password to the recipient's phone — the strongest separate channel.
- Metadata-driven recipient
- Instead of the fixed flowlibs_DocumentRecipientEmail, switch the trigger to When a file is created (properties only) and read a RecipientEmail column from the library so each document routes to its own recipient.
- Hardened password generation
- The demo uses a guid()-derived password. In production, derive it from a known shared secret (e.g. employee DOB + last-4) or generate a strong random value and store it in Key Vault / Azure Function.
- Certificate-based protection
- For B2B exchange, use Adobe certificate protection instead of a password.
- Sensitivity label
- Apply a Microsoft Purview (MIP) label in addition to encryption.
- Tighten permissions
- Edit flowlibs_PdfAllowedPermissions (Adobe values: PRINT_LOW_QUALITY, PRINT_HIGH_QUALITY, EDIT_CONTENT, EDIT_DOCUMENT_ASSEMBLY, EDIT_ANNOTATIONS, EDIT_FILL_AND_SIGN_FORM_FIELDS, COPY_CONTENT). Anything omitted is blocked.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01PDF gate
Only files ending in .pdf are processed.
EXPR.02File bytes -> Adobe upload
Convert the SharePoint base64 content to binary for the Adobe PUT.
EXPR.03Adobe token body
Form-encoded client id/secret for the Adobe token request.
EXPR.04Poll location
Read the polling Location header (case-insensitive).
EXPR.05Loop exit
Exit the Until loop when the job is done or failed.
EXPR.06Protected download
Pre-signed download URI for the protected PDF.
EXPR.07Open password generator
Generate a random open password per run.
EXPR.08Email attachment
Attach the protected PDF to the recipient email.
Customize & download
Generate a ready-to-import copy of this solution with your environment-variable values baked in — available on Base, Pro, or Team.
Upgrade to customize
Comments
Sign in to join the conversation.
Sign inNo comments yet. Be the first to share your experience with this flow.