How to manage certificates when connecting to external API using mutual ssl?

Hey team,

Looking for a way to securely connect from a D365 plugin to an API external to D365 (e.g. an APIM endpoint in the same tenant; or a truly external third party's service) using certificate-based authentication.

In our case, we need it to be synchronous, so we've chosen a plugin over Power Automate.

We're able to connect using a certificate with HttpClient, however we have to pass in the very sensitive certificate details (including private key + password) via the plugin registration step's "Secure config" field. While workable in the short term, it is less than ideal as it exposes sensitive data to more people than strictly necessary.

At time of writing, the "Secure environment variable" feature is still in preview and isn't supported from plugins (yet). Once GA, this will let us grab the details from Azure Key Vault using a connection reference set up once in each environment, which would be awesome.

Hoping someone's come across a better way to inject sensitive info into plugins in the interim?

Dynamics 365 Customer Engagement.

  • Suggested answer
    JaredP
    RE: How to manage certificates when connecting to external API using mutual ssl?

    Thanks for your thoughts Kosenurm, however those options really just push the problem back one step.

    E.g. while getting the value from Key Vault keeps the certificate secure, we then have to pass in connection details for Key Vault itself. An added problem is that if the Key Vault credentials are compromised, it then risks exposing not only the certificate, but anything else in the Key Vault.

    For the short term, we'll be retrieving the values from a custom Dataverse "configuration" table (key value pairs). Only system administrators have access to the table, so it is almost as secure as using the secure config value in the plugin step, with the added benefit of being easier to manage when deploying (higher environments are managed by different teams).

    We'll revisit when the Secure Environment Variable becomes GA (we've logged it as technical debt in the backlog).

  • Suggested answer
    Kosenurm
    RE: How to manage certificates when connecting to external API using mutual ssl?

    One possible solution to securely connect from a D365 plugin to an external API using certificate-based authentication is to use Azure Key Vault to store the sensitive certificate details, including the private key and password, and retrieve them securely during runtime.

    Once the "Secure environment variable" feature becomes generally available and supported from plugins, it can be used to retrieve the details from Azure Key Vault using a connection reference set up once in each environment.

    In the meantime, another option could be to encrypt the sensitive information using a symmetric encryption algorithm and store the encrypted value in the "Secure config" field, and then decrypt it during runtime in the plugin code using a shared secret key or password. However, this method requires the secure storage and management of the shared secret key or password.
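
The setup described in the question (certificate and password handed to the plugin through the step's "Secure config", then presented with HttpClient), as an added example that is not code from any poster in this thread. The `<base64 PFX>|<PFX password>` layout of the Secure config value, the class name and the endpoint URL are assumptions; `WebRequestHandler` is used because it exposes `ClientCertificates` on .NET Framework.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Xrm.Sdk;

// Added example. Assumed Secure config layout: "<base64 PFX>|<PFX password>".
public sealed class MutualTlsCalloutPlugin : IPlugin
{
    // Placeholder endpoint (assumption), not taken from the thread.
    private const string Endpoint = "https://api.example.invalid/ping";
    private readonly byte[] _pfx;
    private readonly string _pfxPassword;

    // Dataverse hands the step's unsecure and secure configuration to this constructor.
    public MutualTlsCalloutPlugin(string unsecureConfig, string secureConfig)
    {
        var parts = (secureConfig ?? string.Empty).Split(new[] { '|' }, 2);
        if (parts.Length != 2 || parts[0].Length == 0)
            throw new InvalidPluginExecutionException("Secure config is missing or malformed.");
        _pfx = Convert.FromBase64String(parts[0]);
        _pfxPassword = parts[1];
    }

    public void Execute(IServiceProvider serviceProvider)
    {
        var trace = (ITracingService)serviceProvider.GetService(typeof(ITracingService));
        // WebRequestHandler lives in System.Net.Http.WebRequest.dll (.NET Framework).
        using (var cert = new X509Certificate2(_pfx, _pfxPassword))
        using (var handler = new WebRequestHandler())
        using (var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(15) })
        {
            handler.ClientCertificates.Add(cert); // presented during the TLS handshake
            try
            {
                // Plugins run synchronously, so block on the async call.
                var response = client.GetAsync(Endpoint).GetAwaiter().GetResult();
                trace.Trace("Callout returned HTTP {0}", (int)response.StatusCode);
                response.EnsureSuccessStatusCode();
            }
            catch (HttpRequestException ex)
            {
                // Trace the failure type only; never the config value, PFX bytes or password.
                trace.Trace("Callout failed: {0}", ex.GetType().Name);
                throw new InvalidPluginExecutionException("External API call failed.");
            }
        }
    }
}
```

Because the secret only enters through the constructor, switching the source later (a configuration table, or a secure environment variable once supported) changes where `_pfx` and `_pfxPassword` are populated and nothing in the callout itself.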
