Secure vs. Unsecure vs. Environment Variables. Configuration in Dataverse: What’s the Real Difference?

In Microsoft Dataverse plugin development, Secure Configuration and Unsecure Configuration are optional parameters provided at the time of plugin registration. These parameters are used to pass configuration data into a plugin without hardcoding values into the codebase. Secure Configuration is specifically designed for sensitive information such as API keys, secrets, or credentials. It is encrypted and can only be viewed or edited by users with system administrator privileges, making it a secure way to store confidential data. On the other hand, Unsecure Configuration is intended for non-sensitive settings such as feature toggles, flags, or environment names (like "Dev" or "Prod"). This data is stored in plain text and is visible to users who have access to register plugins. Both configurations are passed into the plugin constructor as string parameters, allowing the plugin logic to use them during execution. By separating sensitive and non-sensitive data in this way, developers can enhance the maintainability, flexibility, and security of their plugin implementations.

In Microsoft Dataverse plugin development, Secure Configuration and Unsecure Configuration are two ways to pass parameters to your plugins at runtime. They are primarily used to store values like API URLs, keys, or any settings required for the plugin logic, without hardcoding them in the code.

1. Unsecure Configuration

Definition:

• A plain text string that you provide when you register a plugin step in the Plugin Registration Tool (PRT).

Scope:

• Visible to all users who have access to the plugin registration.
• Stored in plain text in Dataverse.

Usage:

• Store non-sensitive configuration values, like default messages, thresholds, or entity names.

Example: `"DefaultCaseType = Support"`

Access in Code:

string unsecureConfig = this.UnsecureConfig;

2. Secure Configuration

Definition:

• A string that stores sensitive information like API keys, connection strings, or secrets.

Scope:

• Only accessible to users with the System Administrator or Plugin Registration privilege.
• Stored encrypted in Dataverse.

Usage:

• Store credentials or sensitive tokens required for plugin execution.

Example: `"APIKey = xxxxx-xxxx-xxxx"`

Access in Code:

 string secureConfig = this.SecureConfig;

Key Points for Architects

Security:

• Use Secure Configuration for anything sensitive to protect secrets and comply with least privilege principles.

Maintenance:

• Configuration can be updated without redeploying the plugin assembly.

Best Practice:

• Keep logic in the plugin and environment-specific details in configuration.
• Combine Secure (for secrets) and Unsecure (for general info) for flexibility.

Example Scenario

Requirement: A plugin needs to call an external API when an account is created.

• Secure Configuration: Store the API key.
• Unsecure Configuration: Store the API endpoint URL.

Code Snippet:

public class AccountCreatePlugin : IPlugin

{

    private readonly string _secureConfig;

    private readonly string _unsecureConfig;

    public AccountCreatePlugin(string unsecureConfig, string secureConfig)

    {

        _unsecureConfig = unsecureConfig;

        _secureConfig = secureConfig;

    }

    public void Execute(IServiceProvider serviceProvider)

    {

        // Example usage

        string apiEndpoint = _unsecureConfig;

        string apiKey = _secureConfig;

        

        // Plugin logic here

    }

}

 3. Environment Variables

 Stored: As Dataverse environment variable records.

 Used for: Dynamic configurations across environments (Dev/Test/Prod).

 Pros:

•  Centralized and solution-aware.
•  Easily configurable via Power Platform admin or solution layers.
•  Can be combined with Azure Key Vault for secrets.

 Cons:

•  Requires an extra lookup in your plugin code.
•  Less secure than Secure Config unless combined with Key Vault.

Summary:

When developing plugins in Microsoft Dataverse, it's crucial to choose the right method for passing external data or configuration values. Secure Configuration is used to store sensitive data like API keys or credentials securely and can only be accessed by users with appropriate privileges. Unsecure Configuration, on the other hand, is intended for non-sensitive values such as feature toggles or default parameters and is visible to all admins. While both are configured at the plugin registration level and remain static unless re-registered, Environment Variables offer a more flexible and scalable solution. They allow configuration values to be set per environment (e.g., dev, test, prod), are easier to manage and update without redeploying plugins, and can be accessed not just in plugins but across Canvas Apps, Power Automate, and other parts of the Power Platform. Choosing the right method depends on the sensitivity of the data, the need for runtime flexibility, and the broader solution architecture.