Configure certificate-based authentication (preview)
[This article is prerelease documentation and is subject to change.]
Power Automate lets you create credentials using certificate-based authentication (CBA). Microsoft Entra ID certificate-based authentication helps meet multifactor authentication (MFA) requirements.
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
How CBA credentials work in Power Automate
- Certificates are stored and managed in Azure Key Vault.
- Credentials are created in Power Automate and stored in Dataverse.
- Credentials are used in the desktop flow connection.
Note
CBA is supported for Windows session credentials (desktop flow connection) but cannot be used within the desktop flow or with other connectors.
How to configure Microsoft Entra certificate-based authentication
To use this feature, make sure you meet these prerequisites.
Note
These operations require an Entra ID tenant admin.
Follow the instructions in Configure the certification authorities to set up and use Microsoft Entra CBA for tenants in Office 365 Enterprise and US Government plans.
(Optional) Microsoft Entra ID CBA supports validating MFA requirements
Microsoft Entra CBA can be used as a second factor to meet MFA requirements with single-factor certificates.
Certificates are stored in Azure Key Vault
To use certificates with Power Automate, store them in Azure Key Vault. Learn more at how to import a certificate in Azure Key Vault.
Note
The certificate format must be .pfx (not PEM).
Create a credential
After completing these steps, create your Azure key vault credential.
Admin consent for unattended runs
Admin consent is required for unattended runs with certificate credentials on a Microsoft Entra ID joined device. Learn more at Admin consent for unattended runs.
Limitations and minimal requirements
- To use certificate-based authentication (CBA) credentials in Power Automate, store them in Azure Key Vault. Other vaults aren't supported today.
- Use Power Automate for desktop version 2.49 or later.
- If you're using Windows Server, version 2019 or later is supported.
- Target machines must be joined to Microsoft Entra ID.