"Changing" the secret for a Dataverse connection in Power Apps
For reasons best known to Microsoft, you can't change the secret used to authenticate a Microsoft Dataverse connection using a service principal (If you're not familiar with setting these up there's a good guide by Matthew Devaney). That's a bit of a pain when the secret expires, to say the least. There are some workaround for this, like having a very long lived secret, but that doesn't resolve the underlying issue. There is a 'Switch account' button that makes you think "oh, I'll click that and be able to re-authenticate", go on, try it....
Clicking on the button makes a pop-up window very briefly appear, and not a lot else.
It turns out that there is a way to deal with this, albeit it's a bit of a hack and it does rely on you using connection references in your flows. The process consists of:
- Creating a new secret
- Creating a new service principal backed connection
- Updating connection reference(s) that use the old connection
- Deleting the old connection
- Deleting the old secret
I'm going to assume that steps 1, 4, and 5 are simple enough that there's no need to go into detail. Instead, I'll focus on steps 2 and 3.
When you create the new secret, give it a name that'll let you tie it to the Dataverse connection you're going to create later. If the app registration is called "Dataverse Automation", you could call it "Dataverse Automation (May 2024)" to uniquely identify it.
Creating a new service principal backed connection
This is where the hack, workaround, bodge, call-it-what-you-will, comes into play. There genuinely doesn't appear to be any way to change the secret associated with a service principal backed connection, so the only thing for it is to create a new one. Now, what you don't want to do is click on the "+ New connection" button when you're viewing the list of connection:
There's no option there to create a service principal backed connection. Thanks, Microsoft!
Instead, you want to start creating a new flow (stick with it!):
In the "Build an automated cloud flow" window, give the flow any name you want as it's not going to stick around. Make sure you choose a Microsoft Dataverse trigger, I've opted for "When a row is added, modified or deleted":
Once the flow designer has finished loading you should be presented with the basic starting point of a flow that has nothing other than a trigger. This is the point at which we'll be able to create a new connection, using the new secret, to refresh the connection reference. To do this, click on the "..." menu at the top-right of the trigger and choose "+ Add new connection" and you'll see this:
From here, click on "Connect with service principal" at the bottom of the box and you'll be prompted to give the connection a name, enter the Client ID, Client Secret and Tenant for the connection. Give the connection a name, which is where the name you gave the secret comes in handy. In this example I'm going to call the connection "Dataverse Automation (May 2025)":
Click on 'Create' and, all being well, you'll be returned back to the previous step where you've got an empty flow with a trigger ready to be setup. Close the flow as you don't need to save it. Now that you've got the new connection, with the updated secret, it's time to update the connection reference(s) that use it.
Updating connection reference(s) that use the old connection
Now you've got a new connection for your service principal, go into your solution, into "Connection references" then click on the one that you want to update, so you see this:
Change the selected connection to the newly created one (in my example I'm changing from "Dataverse Automation (January 2025)" to "Dataverse Automation (May 2025)") and then click Save. You'll be prompted with a "Save changes to this connection reference?" message, click the "Save changes" button to continue.
After a few minutes (which the confirmation prompt mentions), everything will have been updated. You can load one of your flows and take a look at the "Connction References" box at the top-right to confirm:
The only thing left to do now is to delete the old connection (I said I wasn't going to mention this, but as there's a useful thing to mention, I'm going to), at which point you might see the Power Apps UI claim that it's still in use:
This is a fib, which is particularly obvious here to me as I deleted "My basic flow" ten minutes before taking the screenshot above...
:::: some time passes ::::
Even an hour later the Power Apps UI is still claming that the old connection is in use in both the flow that still exists (which is using the new connection via a connection reference) and the one that was deleted quite some time ago. It is safe to delete the connection, and that's exactly what I've done
In conclusion
Yes it's a work-around, but in the absence of a way to update an existing connection it's about as good as it gets. It's much better, at least in my opinion, than using a long lived secret. It also reinforces that having everything contained in a solution is the approach to take, as you can't use connection references outside of their solution. If Google, Bing, or your search engine of choice, has landed you here then hopefully this has helped!