Are there any security concerns/risks of using Power Automate Custom connectors

Valued Contributor

We want to start investing a lot in custom connectors inside our Power Platform to be used inside Power Apps & Power Automate. but we have a concern if using those custom connectors which will integrate with external systems can pose any security holes.

Currently we will be using those 3 security types (Basic, API Key & OAuthn 2.0):-3types.png

 

 

 

we would assume that ONLY if the user has the username/password then the user should be able to integrate with the external API using the username/password (in case the custom connector is using the basic authentication). Same applies the API key, so ONLY if the user has the API key then the user should be able to integrate with the external system (in case the custom connector is using the API Key authentication). And same thing applies to the OAuthn 2.0, so only if the user has the permission on his/her username the user should be able to use the external API??

so are our above assumptions correct? or users will be able to use existing connectors and connect to the external APIs? for example let take this scenario; ManagerABC who have the API key create a power automate flow or Power Apps and define the API key for the custom connector. then can any user create a new Power Automate or Power Apps and reuse the custom connection and get to the external API even if the user should not have the permission to do so?

Thanks
2 Replies
If you have E5 licenses (you can purchase the service if you E3 or lower), then you have access to Azure AD conditional access:

https://devblogs.microsoft.com/premier-developer/control-access-to-power-apps-and-power-automate-wit...

Conditional Access Policies could possibly reduce your attack surface by enforcing policies.

Good luck!

@Tristan999thanks !

but what does your reply has to do with my question ...