Announcing public preview of customer managed encryption keys for Power Automate

As customers move more workloads from traditional systems to the cloud, there is a need to provide enterprise customers with greater control over their data. With Customer Managed encryption Keys (CMK), customers can bring their own encryption keys to secure all their cloud data at rest, giving them added control. While all customer data is encrypted using Microsoft-managed encryption keys by default, CMK provides added protection, especially for highly regulated industries like Healthcare and Financial Services, by letting them encrypt their cloud assets using their own key. As we move to unlock such use cases, we are excited to announce the public preview of CMK for Power Automate.

With CMK, customers use an encryption key from their own Azure Key Vault, which Microsoft does not have access to. They then configure an enterprise policy with that encryption key and apply it to any Power Platform environment. Once this policy is applied, all the services that support CMK encrypt their data using the customer’s key. This is purely an admin-led operation and is completely invisible to low-code developers and other makers, who continue to use the service exactly as they do today.

Once CMK is applied, all the core Power Automate assets, such as flow definitions and flow run history, are encrypted using the customer’s encryption keys. For such environments, Power Automate flows run on dedicated infrastructure, ensuring isolation of customer assets both at rest and at runtime. At preview, only environments that do not contain any flows are supported for CMK. If the CMK operation is performed on an environment that already contains flows, those flows will continue to be encrypted with the default Microsoft-managed keys. You can read more details about Power Automate support for customer managed encryption keys here.

You can find step-by-step instructions on how to use Azure Key Vault to generate a key, and then apply an enterprise policy using that key to enable CMK, here.

If an admin chooses to “lock” an environment, all the assets that were encrypted with the customer’s encryption keys become inaccessible to Microsoft services, ensuring a total lockdown of your data even while it is stored in the Microsoft cloud. You can find more about operations like locking and unlocking environments here.

Please feel free to provide your questions and feedback in the Power Automate Community. Happy Automating!