Key Vault Secret Sync to Connection References
When a secret is rotated in Key Vault, the flow reads the current value and updates the mapped Power Platform environment-variable value in Dataverse (create or update), verifies admin connectivity across environments, and notifies makers in Teams. Keeps Power Platform credentials in lockstep with Key Vault.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow keeps Power Platform credentials in lockstep with Azure Key Vault. On a schedule it reads the current value of a rotated Key Vault secret and propagates it into the mapped Power Platform environment-variable value (Dataverse), upserting the value row (create or update), verifies admin connectivity across environments, and notifies makers in Teams.
Why it matters: secret rotations break Power Platform connections and flows that hold a stale value. Syncing the value automatically prevents failures after rotation, with an end-to-end correlation id for traceability.
Ships turned off (demo). Prefer Key Vault-backed (Secret-type) environment variables where possible: a standard environment-variable value is stored in plaintext in the Dataverse environmentvariablevalues table and is readable by anyone with read access to that table. Use this sync only where a value genuinely has to be copied.
Use Case
A platform/security team rotates a secret in Key Vault and needs every dependent Power Platform environment variable updated automatically so flows keep working after the rotation. The flow reads the current secret value and writes it to the mapped environment-variable value record in Dataverse, then reports the outcome to makers.
Flow Architecture
Daily Check for Rotated Secret
Recurrence: Daily sync (swap for an Event Grid / Key Vault webhook trigger for real-time).
Initialize Trace & Config
Initialize variable: Mints a correlation id and binds the vault, secret name, secret-to-env-var map, target environments, and Teams ids; resolves the target env-var schema name from the map.
Get Current Secret
Key Vault - GetSecret: Reads the current secret value. Enable Secure Outputs on this action so the value is not written to the flow run history.
Find Env-Var Definition
Dataverse - ListRecords: Looks up environmentvariabledefinitions by schema name and captures the definition id.
Upsert Env-Var Value
Dataverse - ListRecords + Update/Create: Reads the existing environmentvariablevalue row; updates it if present, otherwise creates it (binding the definition). Enable Secure Inputs on the write steps for the same reason.
Verify Environments Reachable
Power Platform for Admins - Get-AdminEnvironment: Confirms admin connectivity to each target environment before declaring success.
Notify Makers
Teams - PostMessageToConversation: Posts status, target env var, secret name and correlation id to the maker channel. Post the name only; the secret value must never reach Teams.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_KeyVaultName | String | kv-flowlibs-demo | Key Vault name (audit/display). |
| flowlibs_SyncSecretName | String | sql-conn-password | Secret to read and sync. |
| flowlibs_SecretEnvVarMap | String | {"sql-conn-password":"flowlibs_SqlConnectionPassword"} | Secret to env-var schema map (JSON). |
| flowlibs_TargetEnvironments | String | <your-environment-id> | Id(s) of the environments to keep in lockstep. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team (group) id. |
| flowlibs_TeamsChannelId | String | <your-channel-id> | Teams channel id. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Key Vault | shared_keyvault | GetSecret |
| Microsoft Dataverse | shared_commondataserviceforapps | ListRecords, UpdateRecord, CreateRecord |
| Power Platform for Admins | shared_powerplatformforadmins | Get-AdminEnvironment |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Real-time sync
  - Replace the daily Recurrence with an Event Grid / Key Vault SecretNewVersionCreated webhook trigger.
- Multiple secrets
  - Extend flowlibs_SecretEnvVarMap and wrap the read/upsert in an Apply to each over the map's keys.
- Staged rollout
  - Use flowlibs_TargetEnvironments (dev to test to prod) and loop the write/verify per environment.
- Rollback
  - On verify failure, write the previous secret version back into the env-var value and alert makers, so a half-applied rotation does not leave environments split between old and new values.
- Inventory
  - Record which flows reference which secret/env var for impact analysis before a rotation.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics. The heaviest expressions are the JSON map lookup that resolves the target env var and the exists test that decides between update and create. They are listed below in the order they appear in the flow.
EXPR.01 - Resolve target env var
Maps the secret to its env-var schema name.
EXPR.02 - Value-row exists test
Decides update vs create.
EXPR.03 - Existing value-row id
The row to update.
EXPR.04 - Definition bind
OData bind for a new value row.
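The Find Env-Var Definition and Upsert Env-Var Value steps, together with EXPR.01 through EXPR.04, amount to one small piece of logic. The block below is an added example written for this page, not the flow's own definition or code from the catalog: it expresses that logic in plain Python against a constructed in-memory stand-in for the three Dataverse actions the flow uses. The entity-set, primary-key and lookup column names (environmentvariabledefinitions, environmentvariablevalues, environmentvariabledefinitionid, environmentvariablevalueid, _environmentvariabledefinitionid_value, schemaname, value) and the EnvironmentVariableDefinitionId@odata.bind form are the real Dataverse names; the FakeDataverse class, its method signatures and the function names are assumptions made for offline use. It also shows the two failure modes a practitioner cares about: an unmapped secret and a missing definition both fail loudly instead of creating an orphan value row, and the maker notification carries names and ids only.

```python
import json
import uuid

# Real Dataverse entity-set, primary-key and lookup column names used by the flow's steps.
DEFINITIONS = "environmentvariabledefinitions"
DEFINITION_ID = "environmentvariabledefinitionid"
VALUES = "environmentvariablevalues"
VALUE_ID = "environmentvariablevalueid"
VALUE_DEF_LOOKUP = "_environmentvariabledefinitionid_value"


def resolve_env_var(secret_env_var_map: str, secret_name: str) -> str:
    """EXPR.01: secret name -> env-var schema name via the JSON map (flowlibs_SecretEnvVarMap)."""
    mapping = json.loads(secret_env_var_map)
    if secret_name not in mapping:
        raise KeyError(f"no environment variable mapped for secret {secret_name!r}")
    return mapping[secret_name]


def definition_bind(definition_id: str) -> dict:
    """EXPR.04: OData bind that ties a new value row to its definition."""
    return {"EnvironmentVariableDefinitionId@odata.bind": f"/{DEFINITIONS}({definition_id})"}


class FakeDataverse:
    """Assumed in-memory stand-in for ListRecords / UpdateRecord / CreateRecord (not a real client)."""

    def __init__(self):
        self.tables = {DEFINITIONS: [], VALUES: []}
        self.audit = []  # (verb, table, row id): lets a caller see whether update or create ran

    def add_definition(self, schema_name: str) -> str:
        row_id = str(uuid.uuid4())
        self.tables[DEFINITIONS].append({DEFINITION_ID: row_id, "schemaname": schema_name})
        return row_id

    def list_records(self, table: str, predicate) -> list:
        return [row for row in self.tables[table] if predicate(row)]

    def update_record(self, table: str, id_column: str, row_id: str, body: dict) -> dict:
        for row in self.tables[table]:
            if row[id_column] == row_id:
                row.update(body)
                self.audit.append(("update", table, row_id))
                return row
        raise LookupError(f"{table}({row_id}) not found")

    def create_record(self, table: str, id_column: str, body: dict) -> dict:
        row = {id_column: str(uuid.uuid4())}
        for key, val in body.items():
            if key.endswith("@odata.bind"):
                # Dataverse resolves "/entityset(guid)" into the _<lookup>_value column.
                row[VALUE_DEF_LOOKUP] = val.rsplit("(", 1)[1].rstrip(")")
            else:
                row[key] = val
        self.tables[table].append(row)
        self.audit.append(("create", table, row[id_column]))
        return row


def sync_secret(dv: FakeDataverse, secret_env_var_map: str, secret_name: str, secret_value: str) -> dict:
    """Find Env-Var Definition + Upsert Env-Var Value as one function (assumed name)."""
    schema_name = resolve_env_var(secret_env_var_map, secret_name)
    definitions = dv.list_records(DEFINITIONS, lambda r: r["schemaname"] == schema_name)
    if len(definitions) != 1:
        # No definition means the solution is not installed here: fail rather than orphan a value row.
        raise LookupError(f"expected one definition for {schema_name}, found {len(definitions)}")
    definition_id = definitions[0][DEFINITION_ID]

    existing = dv.list_records(VALUES, lambda r: r.get(VALUE_DEF_LOOKUP) == definition_id)
    if existing:                                  # EXPR.02: a value row exists, so update it
        value_id = existing[0][VALUE_ID]           # EXPR.03: the row to update
        dv.update_record(VALUES, VALUE_ID, value_id, {"value": secret_value})
        action = "update"
    else:                                         # otherwise create it, bound to the definition
        body = {"value": secret_value, **definition_bind(definition_id)}
        value_id = dv.create_record(VALUES, VALUE_ID, body)[VALUE_ID]
        action = "create"
    return {"action": action, "schema_name": schema_name, "value_id": value_id}


def maker_notification(result: dict, secret_name: str, correlation_id: str) -> str:
    """Teams message body: names and ids only; the secret value is deliberately not a parameter."""
    return (f"[{correlation_id}] {result['action']}d {result['schema_name']} "
            f"from Key Vault secret {secret_name}")


if __name__ == "__main__":
    # Constructed sample: one definition, then two rotations of the same secret.
    dv = FakeDataverse()
    dv.add_definition("flowlibs_SqlConnectionPassword")
    secret_map = '{"sql-conn-password":"flowlibs_SqlConnectionPassword"}'
    first = sync_secret(dv, secret_map, "sql-conn-password", "rotation-1")
    second = sync_secret(dv, secret_map, "sql-conn-password", "rotation-2")
    print(maker_notification(first, "sql-conn-password", "c0ffee"))
    print(maker_notification(second, "sql-conn-password", "c0ffee"))
```

The first run creates the value row bound to the definition; the second finds that row by its definition lookup and updates it in place, which is the upsert the flow performs. In the real flow the same filter runs through the Dataverse ListRecords action with an OData $filter on _environmentvariabledefinitionid_value, and the bind dictionary is the body of the CreateRecord step.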