[BUG] Client Secret with secret type environment variable does not keep reference when importing solution

[aagirre92]

Type of Connector

Custom Connector

Name of Connector

(not relevant)

Describe the bug

Title

Custom connector OAuth2 client secret via environment variable is not retained on managed solution import

---

Description

When using a custom connector in a Power Platform solution with OAuth2 (authorization code flow), and configuring the Client Secret property via a secret-typed environment variable, the following behaviour occurs:

• In Dev environment, the custom connector’s Client Secret is set to @environmentVariables("MySecretEnvVar").
• The secret-typed environment variable is part of the same solution.
• The solution is exported as managed.
• When imported into a target environment (e.g. Prod), the custom connector’s Client Secret does not retain the reference to the environment variable (i.e. the field is blank or static, with no link to the env var).
• Only after manually editing the custom connector in Prod (setting the Client Secret again to @environmentVariables("MySecretEnvVar")) and saving does the connector correctly pick up the secret via the environment variable.

This requires a manual fix step in the target environment, which undermines automation/ALM/CI-CD practices and can lead to misconfiguration or drift.

---

Is this a security bug?

Yes, this is a security bug

What is the severity of this bug?

Severity 1 - Connector is broken or there's a very serious issue

To Reproduce

Steps to Reproduce

1. In Dev environment, create a solution.
2. Add a secret‐typed environment variable named (for example) MySecretEnvVar.
3. Create or edit a custom connector (in the same solution) that uses OAuth2 Auth Code flow.
4. In the custom connector’s Security tab, set the Client Secret value to: @environmentVariables("MySecretEnvVar"))and then save.
5. Export the solution as managed.
6. Import into the target environment (e.g. Prod). and fill in the env variables with the prod. values (import is correctly done)
7. Inspect the custom connector → you’ll see the Client Secret is not referencing the environment variable (blank or static).
8. Manually open the connector in Prod, enter @environmentVariables("MySecretEnvVar") in Client Secret, save → connector then works.

Expected behavior

I would expect that this is done automatically! Having to point the client secret to the env variable again when importing the solution is not optimal

Environment summary

• Unmanaged solution created and tested in a dev type environment (Europe region)
• Managed solution imported to a managed environment type (Europe region)

Additional context

n/a

[troystaylor]

I haven't seen this bug in a while, but I do know at one point we had to deploy a solution with the environment variables first and then deploy the connector in a separate solution. Could you please try this and let me know? Also, can you tell me which region your environments are in?

[aagirre92]

Hi @troystaylor,

Thanks for the help. I have created a single solution and bundled everything there (the custom connector and all the environment variables). All my environments are hosted in Europe region

[aagirre92]

@troystaylor fyi, I have just performed the same operation having the default environment as target one and it worked without having to change anything -.-

[aagirre92]

I haven't seen this bug in a while, but I do know at one point we had to deploy a solution with the environment variables first and then deploy the connector in a separate solution. Could you please try this and let me know? Also, can you tell me which region your environments are in?

Tried this (creating 2 distinct solutions, 1 with the env variables and the other with the custom connector itself). I did the following:

1. Import the solution that contains the environment variables (all text types but client secret, which is secret type) as unmanaged one to target environment
2. Import the solution that contains the custom connector as managed one to target environment

In second step I had to wait for a while, as when trying to import the solution the following error prompted all the time

Connector import: FAILURE: Error occured while reading secret: Could not verify the user permission on '/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>/secrets/clientSecretProd' resource. Make sure that Microsoft.PowerPlatform provider is registered in the Azure subscription.

After waiting a bit (5-10 minutes) I have tried importing the custom connector solution again and worked.

Even though this worked I don't see it working in a proper pipeline if we automate this...

[troystaylor]

@aagirre92 Yes, I agree proper pipeline might run into the same issue, but I think now that you've got it working, redeploying with a new connector version shouldn't break now.

[aagirre92]

@aagirre92 Yes, I agree proper pipeline might run into the same issue, but I think now that you've got it working, redeploying with a new connector version shouldn't break now.

when you wrote about using 2 solutions (1 for the env variables and another one for then custom connector), when you export the one with the custom connector, do you include de unmanaged dependencies of the first one? (i.e. the environment variables) 👍🏻

I did not include these (as they are part of the other solution and I like the idea of having an unmanaged solution with the environment variables in both environments)

[troystaylor]

You are right - you should not include them again as part of the connector solution.