How to protect your App Secrets in Power Automate Desktop


Securing any type of credentials, anywhere, is very important. Simply imagine testing a flow with someone looking over your shoulder? What about running that flow and see in plain text the content of the variable? Would you be happy if your API Key was accidentally visible? No.

In this blog post, we’ll see how we can protect our app secrets when building a Power Automate Desktop flow, and which one is better.

Read credentials from Text

Believe it or not, it’s still extremely common to have credentials in a Notepad! Username and password stored in plain text somewhere buried in the user’s computer file structure.

So we have our API Key in a text file, buried, and no context inside that file thinking nobody will know what this set of characters is about. Let’s use it in Power Automate Desktop (PAD) and see the results.


As you observe, the key is displayed at runtime! Not good.
Although there’s an option in PAD to mark variable outputs as sensitive, so let’s do that.

You can hover over the variable > click on the incognito icon, or click on the 3 dots and Mark as sensitive


Now, the content of that variable is not visible AND will not be written in the logs either.
This might be OK to use if you need to do a quick testing, but is definitely not secured.

Create variables

Another way is also to create variables and store the values inside from the get-go. You give them meaningful names (as every variable should always have!), and then you use them in your flows and subflows.

Now, the first problem you’ll see with this, is that the value will be displayed straight away when clicking on OK 😕 And it only takes a couple of seconds for someone to glance at it or take a picture (we never know!).

So you’ll have to mark them as sensitive (i.e.: incognito icon) for the value to be hidden IN the flow, as well as at runtime.


So… Is this better than reading from a text file? No, it isn’t. Again, this is not written in the logs, but unfortunately, not secure either.

App Registration + Azure Keyvault + Power Automate (cloud)

A more secure way would involve an Azure App Registration, Azure Keyvault and Power Automate (cloud flows). I know what you’re thinking: “This is a lot more work”. Yes and No.

Yes, more things to do compared to the other options, and No because the setup will be a one off activity AND this is the most secure way.

Once you have created your App Registration and your Azure Key Vault, you can then assign an Access Policy to make sure retrieving the secrets is possible only for specified users.

In the cloud flow, add the Get secret action to get the credentials from the Azure Key Vault.


Hide the Outputs
Make sure to go to the Settings of that action and toggle on ““Secure Outputs”. This way, the values will not be visible at runtime neither in the flow history.

The last step in our cloud flow is to call the Desktop flow and pass our secured secrets.


Hide the Inputs
This time, make sure to go to the Settings of that Desktop flow action and toggle on ““Secure Inputs”. This way, the values sent will not be visible.

The value passed on will be an Input variable in our dekstop flow, and also secured!

Thanks for reading 🙂