Announcing General Availability of Customer Managed Keys for new environments in Power Automate

We are excited to announce the General Availability of Customer Managed encryption keys for Power Automate for new environments following a successful public preview! We would like to take the opportunity to thank all of our customers for utilizing the capabilities in Preview and sharing your feedback. If you missed the Preview announcement or want to learn more about this capability, here’s a short summary.

As customers move more workloads from on-premises to the cloud, some need greater control over their data. With Customer Managed Encryption Keys (CMK), customers can bring their own encryption keys to secure all their cloud data at rest, to provide them with added control. While all customer data is encrypted using Microsoft-managed encryption keys by default, CMK provides added protection, especially for highly regulated industries like Healthcare and Financial Services, to protect their cloud assets using their own key. As we move to unlock such use cases, we are excited to announce general availability of CMK for Power Automate.

With CMK, customers leverage an encryption key from their own Azure Key Vault, which Microsoft does not have access to. Then, they can configure an enterprise policy with that encryption key and apply it to any new Power Platform environment. Once this policy is applied, all the services that have support for CMK will be protected using customer’s key. This operation is purely an admin-led operation and is invisible to low code developers and other makers who continue to use the service exactly the way they do today.

Once CMK is applied, flow definitions and flow run history are protected using the customer’s encryption keys. Power Automate CMK is currently supported for new environments that do not contain any flows. If the CMK operation is performed on an environment that already contain flows, the flows will continue to be encrypted with the default Microsoft-managed keys. You can read more details about Power Automate support for customer managed encryption keys here.

You can find the step-by step instructions on how to use Azure Key Vault to generate a key, and then apply an enterprise policy using that key to leverage CMK here.


If an admin chooses to “lock” an environment, then all the assets that were encrypted with customer’s encryption keys would be inaccessible to Microsoft services, ensuing total lockdown of your data, even when they are stored in the Microsoft cloud. You can find more about operations like Lock and Unlock environments here.

Please feel free to provide your questions and feedback in the Power Automate Community. Happy Automating!