Power Nerd Insights – Power Platform Tips and Tricks

Essential Guide to Secure Inputs and Outputs in Power Automate

Power Automate allows users to secure sensitive data, such as passwords and tokens, through Secure Inputs and Secure Outputs. This feature hides input and output values from the run history. However, users must be cautious as indirect references can expose sensitive data if not properly secured. It’s vital to review all actions referencing secure data…

Power Nerd Insights
3–4 minutes
, , , , , ,

When working with sensitive data in Power Automate—like passwords, tokens, or personally identifiable information—it’s essential to prevent that data from being exposed in your flow’s run history.

Power Automate offers a built-in feature called Secure Inputs and Secure Outputs. By enabling these settings on individual actions, you can hide the values of the action’s input or output properties from the run history. Microsoft’s documentation on how to turn this on is available here.

However, there are critical behaviours that the documentation doesn’t make clear, and they can lead to unintentional data exposure if you’re not careful. Let’s walk through what those are, and more importantly, how to avoid them.

🔐 A Quick Recap: What Are Secure Inputs and Outputs?

  • Secure Inputs: Hides the data that was passed into the action during flow execution.
  • Secure Outputs: Hides the data that was returned by the action.

You can enable these settings by going into the action’s settings (click the ellipsis ... > Settings).

⚠️ The Hidden Behaviors You Need to Know

1. Downstream Actions Auto-Hide Inputs

When you enable Secure Outputs on an action, any action that references it using dynamic content will have Secure Inputs automatically enabled—even if you don’t explicitly turn it on.

This is a security feature meant to protect sensitive data from being used downstream where it might be exposed. That’s helpful, but there’s a catch…

2. Indirect References Can Leak Secure Data Unless You’re Thorough

This is the part most users miss—and the documentation doesn’t tell you:

If a downstream action indirectly references secure data (via another Compose, for example), and you don’t secure those intermediate steps, the sensitive data can leak into the run history.

Let me show you what that looks like.

📸 Example Scenario: Indirect Leak of Secure Data

Let’s walk through a real flow setup to illustrate how this works:

🧱 The Flow Structure

An image showing a basic power automate flow. This flow has 3 steps, the trigger action is the SharePoint when an item or file is modified. The following 2 actions are compose actions.

This flow has:

  • A trigger: “When an item is modified” (SharePoint)
  • A Compose action that references the trigger’s dynamic content (ID)
  • A second Compose that references the output of the first Compose

🔐 Trigger Settings

In this case, Secure Outputs is turned ON for the trigger, but Secure Inputs is OFF.

An image showing the settings of the trigger action. It shows that the Secure Outputs option is turned on for the trigger.

🧮 Compose 1 – Direct Reference to Secure Data

This Compose action uses the ID from the trigger. Even though we didn’t enable Secure Inputs explicitly…

This image shows that the first compose action is using the ID dynamic content from the trigger as it's input.
This image shows the settings for the compose action. It shows that secure inputs is turned off for this action.

…Power Automate automatically hides the inputs and outputs of this Compose because it directly uses secure data from the trigger.

🔁 Compose 2 – Indirect Reference via Compose 1

Compose 2 takes the output of Compose 1 and reuses it. We didn’t secure this action:

This image shows that the second compose action references the outputs dynamic content of the first compose action and uses it as it's inputs
This image shows the settings of the second compose action. It shows that the secure inputs option is turned off.

And here’s the result…

This image shows the flow run history for this example flow. It demonstrates that the outputs of the trigger action are hidden as it has secure outputs turned on. The first compose actions inputs and outputs are hidden as the action directly references dynamic content from the trigger and that the second compose actions inputs are visible despite it indirectly referencing dynamic content from the trigger.

🚨 The Run History Reveals the Leak

  • Trigger: ✅ Outputs are hidden due to secure configuration.
  • Compose 1: ✅ Inputs and outputs are hidden automatically.
  • Compose 2: ❌ Inputs and outputs are visible—even though they contain sensitive data indirectly pulled from the trigger.

This is a serious risk.

🧠 Key Takeaway: Secure Every Link in the Chain

If you secure an action’s output and reference it later, you must secure every single downstream action—even if it’s just manipulating or passing the value along.

This includes:

  • Compose actions
  • Condition checks
  • Data transformations
  • HTTP requests
  • Anything using dynamic content or expressions that trace back to the secured data

✅ Final Checklist Before Publishing Your Flow

Before deploying your flow into production, run through this checklist:

  • ✅ Have you enabled Secure Outputs on actions containing sensitive data?
  • ✅ Have you reviewed all actions that use that data—even indirectly?
  • ✅ Have you turned on Secure Inputs/Outputs for each of those actions?
  • ✅ Have you tested the flow and confirmed no sensitive info appears in run history?

🗣️ Your Turn

Have you encountered this security gap in your own flows? How do you manage data privacy in Power Automate?

Drop your thoughts in the comments—and don’t forget to secure those outputs!

Leave a comment

Trending