Secure vs. Unsecure vs. Environment Variables. Configuration in Dataverse: What’s the Real Difference?
In Microsoft Dataverse plugin development, Secure Configuration and Unsecure Configuration are optional parameters provided at the time of plugin registration. These parameters are used to pass configuration data into a plugin without hardcoding values into the codebase. Secure Configuration is specifically designed for sensitive information such as API keys, secrets, or credentials. It is encrypted and can only be viewed or edited by users with system administrator privileges, making it a secure way to store confidential data. On the other hand, Unsecure Configuration is intended for non-sensitive settings such as feature toggles, flags, or environment names (like "Dev" or "Prod"). This data is stored in plain text and is visible to users who have access to register plugins. Both configurations are passed into the plugin constructor as string parameters, allowing the plugin logic to use them during execution. By separating sensitive and non-sensitive data in this way, developers can enhance the maintainability, flexibility, and security of their plugin implementations.
- A plain text string that you provide when you register a plugin step in the Plugin Registration Tool (PRT).
- Visible to all users who have access to the plugin registration.
- Stored in plain text in Dataverse.
- Store non-sensitive configuration values, like default messages, thresholds, or entity names.
- A string that stores sensitive information like API keys, connection strings, or secrets.
- Only accessible to users with the System Administrator or Plugin Registration privilege.
- Stored encrypted in Dataverse.
- Store credentials or sensitive tokens required for plugin execution.
- Use Secure Configuration for anything sensitive to protect secrets and comply with least privilege principles.
- Configuration can be updated without redeploying the plugin assembly.
- Keep logic in the plugin and environment-specific details in configuration.
- Combine Secure (for secrets) and Unsecure (for general info) for flexibility.
- Secure Configuration: Store the API key.
- Unsecure Configuration: Store the API endpoint URL.
public class AccountCreatePlugin : IPlugin{private readonly string _secureConfig;private readonly string _unsecureConfig;public AccountCreatePlugin(string unsecureConfig, string secureConfig){_unsecureConfig = unsecureConfig;_secureConfig = secureConfig;}public void Execute(IServiceProvider serviceProvider){// Example usagestring apiEndpoint = _unsecureConfig;string apiKey = _secureConfig;// Plugin logic here}}
- Centralized and solution-aware.
- Easily configurable via Power Platform admin or solution layers.
- Can be combined with Azure Key Vault for secrets.
Published on:
Learn more