Secure Environment Variable Provisioner
Admin-triggered flow retrieves connection strings, API keys, and other sensitive configuration values from Azure Key Vault using the native Key Vault connector, then writes them to Dataverse environment variable current values. Eliminates manual copy-paste of secrets during solution deployments. Logs each provisioning event and emails a confirmation to the requesting developer.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
The Secure Environment Variable Provisioner is an admin-triggered instant flow that retrieves secrets from Azure Key Vault using the native Key Vault connector (shared_keyvault / GetSecret operation), then writes them to Dataverse environment variable current values. For each secret, the flow queries whether a matching environment variable definition exists, checks for an existing current value, and either creates or updates accordingly. It logs every provisioning event and emails an HTML summary report to the requesting developer.
Use Case
IT administrators and DevOps teams deploying Power Platform solutions across environments need a reliable way to push connection strings, API keys, and other secrets from Azure Key Vault into Dataverse environment variables without manual copy-paste. This flow automates that handoff — run the button, and every secret in the comma-separated list is fetched from Key Vault via the native connector and provisioned into the matching environment variable. The HTML email report provides an auditable confirmation of what was provisioned, updated, or skipped.
The flow is ideal for:
- IT administrators provisioning secrets during Power Platform solution deployments
- DevOps teams managing Dataverse environment variables across dev/test/prod
- Security-conscious orgs centralizing API keys and connection strings in Azure Key Vault
- Teams needing an auditable email trail of secret provisioning events
Flow Architecture
Manually trigger a flow
Button (Request): Admin clicks the Run button to start provisioning.
Init_varNotificationEmail through Init_varFailureCount
Initialize Variable (x8, parallel): Reads env vars for notification email and target environment; initializes secret names, env var prefix, log string, and success/failure counters.
Parse_Secret_Names_Array
Compose: Splits the comma-delimited secret names string into an array via `split(variables('varSecretNames'), ',')`.
For_Each_Secret_Name
Foreach: Iterates over each secret name in the parsed array. For each iteration: retrieves the secret from Key Vault, then conditionally creates or updates the matching Dataverse environment variable current value (see nested condition steps below).
Get_Secret_From_Key_Vault
Azure Key Vault (GetSecret): Inside the loop, uses the native `shared_keyvault` connector to retrieve the secret value by name (secure outputs enabled). Run After is configured to include Failed so the next condition can handle retrieval errors.
If Check_If_Secret_Retrieved_Successfully
If condition: Checks whether the Key Vault secret value output is not empty.
- Query_Existing_Env_Var_Definition — Dataverse ListRecords on `environmentvariabledefinitions` filtered by schema name = prefix + secret name.
- Check_If_Env_Var_Exists (nested If) — If a definition was returned: query `environmentvariablevalues` for an existing current value; if one exists, update it (secure inputs); otherwise create a new current value with `@odata.bind` lookup to the definition (secure inputs). Each branch appends to the log and increments the success counter. If no definition is returned, log a skip warning and increment the failure counter.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_NotificationEmailAddress | String | <configure> | Email recipient for the provisioning confirmation report. Set to the admin or DevOps distribution list that should receive the HTML summary. |
| flowlibs_TargetEnvironmentURL | String | <configure> | Dataverse org URL of the target environment (e.g. `https://orgXXXXXXXX.api.crm.dynamics.com`). Used for display in the HTML report only. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Key Vault | shared_keyvault | GetSecret (Retrieves secret values from the configured Key Vault) |
| Microsoft Dataverse | shared_commondataserviceforapps | ListRecords (Queries environmentvariabledefinitions and environmentvariablevalues); CreateRecord (Creates new environment variable current values); UpdateRecord (Updates existing environment variable current values) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (Sends the HTML provisioning confirmation report) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Key Vault Connection
- The flow uses the native Azure Key Vault connector. When importing to a new environment, create a Key Vault connection signed in with an account (or service principal) that has Get permission on secrets. The shared_keyvault connection reference will prompt during solution import.
- Secret Names
- Edit the varSecretNames variable default value to a comma-separated list of secret names in your vault that match your Dataverse environment variable names (minus the prefix), e.g. ApiKey,ConnectionString,StorageKey.
- Env Var Prefix
- Edit the varEnvVarPrefix variable if your publisher prefix differs from flowlibs_.
- Turn the flow on
- Set the flow state to On after configuring all variables and verifying the Key Vault connection is active. The solution ships in Stopped state by design.
- Scheduled provisioning
- Replace the manual trigger with a Recurrence trigger to sync secrets on a schedule (e.g. daily at 2 AM) so rotated secrets propagate automatically.
- Multi-environment fan-out
- Parameterize the target Dataverse org URL and loop over multiple environments to provision secrets across dev/test/prod from a single run.
- Teams notification
- Add a Teams PostMessageToConversation action to notify a DevOps channel alongside or instead of the email.
- Secret versioning
- Swap GetSecret for GetSecretVersion to retrieve a specific secret version rather than the latest, useful when you need to pin to a known-good version.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics; the heaviest expressions are the schema-name concatenation and the secret-retrieved check. They are listed below in the order they appear in the flow.
EXPR.01: Split secret names
Turns the comma-delimited input string into an array the Foreach loop iterates over (`split(variables('varSecretNames'), ',')`).
EXPR.02: Trim secret name in loop
Defensive trim on each loop item so accidental spaces in the input list don't break the Key Vault lookup.
EXPR.03: Dynamic schema name
Builds the Dataverse environment variable schema name by concatenating the publisher prefix with the trimmed secret name.
EXPR.04: Check secret retrieved successfully
Used in the post-retrieval If condition to confirm Key Vault returned a non-empty value before attempting to write it.
EXPR.05: Extract definition ID
Pulls the GUID of the matched environment variable definition from the ListRecords response so it can be bound to the new current value.
EXPR.06: OData bind for definition lookup
Value assigned to `item/EnvironmentVariableDefinitionId@odata.bind` on the CreateRecord action — the correct pattern for setting Dataverse lookup fields. Flow Checker may show a 'Schema Name is required' warning here; it is a designer-only false positive and does not affect runtime.
EXPR.07: Secret value extraction
Reads the secret value from the Key Vault action output. Both the GetSecret action and the consuming Update/Create actions have secure inputs/outputs enabled.
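The following Python is an added example, not part of the flow definition or the solution package. It models the loop in For_Each_Secret_Name and the expressions EXPR.01 to EXPR.04 (split, trim, prefix + name, non-empty check) together with the create-or-update decision, the log string and the success/failure counters, so the branching can be traced end to end without a Power Platform environment. The vault contents, the Dataverse tables and the function names (`provision`, `html_report`) are all constructed for this illustration; a missing vault key stands in for a GetSecret call that ran to Failed. The point worth checking in the real flow is also visible here: the log and the email report carry the action taken and the schema name, never the secret value itself.

```python
"""Added example (not the flow's own definition): a Python model of the
provisioner's per-secret logic. All vault contents and Dataverse records
below are constructed sample data."""

from dataclasses import dataclass, field

# Constructed stand-in for Azure Key Vault: secret name -> latest value.
# A name absent from this dict models a GetSecret call that failed.
VAULT = {
    "ApiKey": "sk-constructed-0001",
    "ConnectionString": "Server=db.example;Password=constructed",
    "StorageKey": "",  # present but empty: must fail the non-empty check
}


@dataclass
class Dataverse:
    """Constructed stand-in for the two Dataverse tables the flow touches."""
    definitions: dict = field(default_factory=dict)  # schemaname -> definition id
    values: dict = field(default_factory=dict)       # definition id -> current value


@dataclass
class Result:
    log: list
    success: int = 0
    failure: int = 0


def provision(secret_names: str, prefix: str, vault: dict, dv: Dataverse) -> Result:
    """Mirror of For_Each_Secret_Name: split, trim, fetch, then create or update."""
    res = Result(log=[])
    for raw in secret_names.split(","):            # EXPR.01: split on comma
        name = raw.strip()                          # EXPR.02: trim each item
        schema = f"{prefix}{name}"                  # EXPR.03: prefix + secret name
        value = vault.get(name)                     # GetSecret; None == failed call
        if not value:                               # EXPR.04: non-empty check
            res.log.append(f"FAIL {name}: Key Vault returned no value")
            res.failure += 1
            continue
        definition_id = dv.definitions.get(schema)  # Query_Existing_Env_Var_Definition
        if definition_id is None:                   # no definition: skip warning
            res.log.append(f"SKIP {name}: no definition '{schema}' in target")
            res.failure += 1
            continue
        # Check_If_Env_Var_Exists: update an existing current value, otherwise
        # create one bound to the definition (the @odata.bind lookup in EXPR.06).
        # The log records the action and the value length only, never the value.
        if definition_id in dv.values:
            dv.values[definition_id] = value
            res.log.append(f"UPDATE {schema} ({len(value)} chars)")
        else:
            dv.values[definition_id] = value
            res.log.append(f"CREATE {schema} ({len(value)} chars)")
        res.success += 1
    return res


def html_report(res: Result) -> str:
    """Summary for the confirmation email, built only from the redacted log."""
    rows = "".join(f"<li>{line}</li>" for line in res.log)
    return (f"<p>Provisioned: {res.success}, failed/skipped: {res.failure}</p>"
            f"<ul>{rows}</ul>")


if __name__ == "__main__":
    target = Dataverse(
        definitions={"flowlibs_ApiKey": "d1", "flowlibs_ConnectionString": "d2",
                     "flowlibs_StorageKey": "d3"},
        values={"d2": "old-value"},
    )
    result = provision("ApiKey, ConnectionString,StorageKey,Missing", "flowlibs_", VAULT, target)
    print(html_report(result))
```

Running the module walks one secret through each branch: a create, an update (the leading space on the second name is removed by the trim), an empty value rejected by the non-empty check, and a name the vault does not hold. A secret that exists in the vault but has no matching definition in the target takes the skip path and counts as a failure, which matches the flow's handling of a missing definition.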