Working with Secure Columns in Microsoft Dataverse Using Power Automate
I recently encountered a scenario where I needed additional protection on some specific data attributes. As a result, I enabled column security on a column. More information on column (field) level security from the Microsoft Docs:
“You use field security tables to apply field-level security, which restricts field access to specified users and teams. The scope of field-level security is global, which means that it applies to all records within the organization, regardless of the business unit hierarchical level to which the record or the user belongs. Field security works in all Microsoft Dataverse clients, including the Web client, Dynamics 365 for Outlook, and Dynamics. It applies to all components, such as the Dataverse web services, reports, search, offline, filtered views, auditing, and duplicate detection. For this release, field security can be applied to both custom fields and many out-of-box (OOB) fields.”
Note: Using column security provides an additional layer of security, which is good, but it doesn't replace the need to use services like Azure Key Vault when it comes to storing security tokens and secrets. Additional capabilities such as key rotation make Azure Key Vault a better solution for those requirements.
In addition, once you enable a user to access sensitive data using Power Automate, you still need to ensure that your Cloud flow does not become the weakest link. To do so, use the Secure Input/Output feature on the actions that handle the sensitive data so that it does not end up in Power Automate's Run History.
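The following is an added example, not part of the original post: a small audit that walks a flow definition and reports actions that reference the secured column without Secure Inputs/Outputs enabled. It assumes the exported flow uses the Logic Apps workflow definition layout, where the setting is stored under runtimeConfiguration.secureData.properties; the sample flow, its action names and parameters are constructed.

```python
import json

SECURED_COLUMN = "cred1encryptedcolumn"  # column named in the error message in this post

# Constructed sample: trimmed flow definition, Logic Apps workflow layout (assumed).
SAMPLE_FLOW = json.loads("""
{"actions": {
  "Add_row": {
    "type": "OpenApiConnection",
    "inputs": {"parameters": {"entityName": "cred1encryptedsamples",
                              "item/cred1encryptedcolumn": "@triggerBody()['secret']"}}},
  "Scope_read": {
    "type": "Scope",
    "actions": {
      "Get_row": {
        "type": "OpenApiConnection",
        "inputs": {"parameters": {"entityName": "cred1encryptedsamples",
                                  "$select": "cred1encryptedcolumn"}},
        "runtimeConfiguration": {"secureData": {"properties": ["inputs", "outputs"]}}},
      "Compose_copy": {
        "type": "Compose",
        "inputs": "@outputs('Get_row')?['body/cred1encryptedcolumn']",
        "runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}}}}
}}
""")

def iter_actions(container):
    """Yield (name, action) for every action, descending into nested containers."""
    for name, action in container.get("actions", {}).items():
        yield name, action
        yield from iter_actions(action)                   # Scope, loop, Condition "if" branch
        yield from iter_actions(action.get("else", {}))   # Condition "else" branch
        yield from iter_actions(action.get("default", {}))  # Switch default
        for case in action.get("cases", {}).values():     # Switch cases
            yield from iter_actions(case)

def unsecured_actions(flow, column=SECURED_COLUMN):
    """Map each action referencing the column to the secure settings it lacks."""
    findings = {}
    for name, action in iter_actions(flow):
        if column not in json.dumps(action.get("inputs", "")):
            continue
        secured = action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
        missing = sorted({"inputs", "outputs"} - set(secured))
        if missing:
            findings[name] = missing
    return findings

for name, missing in unsecured_actions(SAMPLE_FLOW).items():
    print(f"{name}: secure {'/'.join(missing)} not enabled")
```

On the constructed sample this flags Add_row (neither setting enabled) and Compose_copy (outputs still visible), while Get_row passes.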
After creating this secure column and then trying to access it with a non-Environment Admin account using Power Automate, I received the following error:
User with ID 736d2eff-923c-eb11-a813-000d3a99e112 does not have Create permissions for the cred1encryptedcolumn attribute in the cred1encryptedsample entity. Count secured attributes in entity 1. User has 0 secured attribute privileges. callerAp=null
To address this error, I performed the following steps:
Navigate to the Power Platform Admin center and then click the Environment URL link.
Click on the Settings gear.
Click on Advanced Settings.
Click on Settings and then Security.
Find Field Security Profiles and then click it.
Click on New.
Provide a Name and then click the Save icon.
Under Members, click on Users and then click Add.
Search for the appropriate users, select them, and then click the Add button.
Click Field Permissions.
Double-click on the name of the Encrypted field and then set the appropriate permissions. Click OK and then click on Save and Close.
If we now go and run our flow that creates and reads data from encrypted columns, we will no longer run into any errors.
In this post, we discussed how we can leverage Encrypted Columns to add additional security to our data. However, as we learned, when we do so, we must create a Field Security Profile so that we can explicitly provide additional permissions for people to access it.