Have you ever asked yourself how to protect your sensitive data in a Logic App? Today, we’re talking about how Azure Logic Apps can help protect sensitive data within your workflows, ensuring that confidential information, such as credentials and tokens, isn’t exposed in execution logs.
Welcome to another Friday Fact, where we’ll dive into protecting your Sensitive Data inside Logic Apps with Secure Inputs and Secure Outputs, explaining how they work and why they’re crucial for maintaining data security.
Why is it important?
In many workflows, especially those that handle sensitive information (such as authentication tokens, credentials, or personal data), it’s essential to ensure this information isn’t exposed in the Logic App’s execution history. If such data were visible in the logs, unauthorized individuals could access it, posing significant risks to security and privacy risks.
📝 One-Minute Brief
In this blog post we’ll dive into Secure Inputs and Secure Outputs, explaining how they work and why they’re crucial for maintaining data security.
Did you know that Logic Apps can automatically hide sensitive data from the run history?
By default, each action in a Logic App stores both what it receives (inputs) and what it returns (outputs) in the run history. While that’s great for debugging, it can also be a security risk — especially when your workflows handle tokens, passwords, personal data (PII), or confidential business information.
How It Works
In many actions and triggers — whether standard, managed, or even custom connectors — you can enable the following options:
- Secure Inputs
- Secure Outputs
When enabled, Logic Apps completely masks the content of those sections in the run history. That means even the workflow owner cannot view the actual data in the Azure Portal or logs.
Practical Example
Imagine a workflow that:
- Receives an authentication token through an HTTP trigger
- Uses that token to call an internal API
- Stores the response in a Data Lake
- Sends an email with a summary of the results
Without protection, the token, API response, or even the email contents could appear in the run history — visible to anyone with access to the Logic App.
With Secure Inputs and Secure Outputs enabled, those values won’t appear.
Simple, but highly effective.
How to activate it?
To activate this feature:
- Open your Logic App and add an HTTP Request trigger (for this example).
- Use a sample payload to generate the data schema:
You can use this payload :
{
"to": "recipient@organization.com",
"subject": "Testing Secure Inputs",
"body": "<h3>Hello!</h3><p>This is an email sent by a Logic App 🚀</p>",
"cc": "user@organization.com"
}- Navigate to the Settings option of the trigger.
- Enable both Secure Inputs and Secure Outputs to protect your data.
- Add Office 365 Outlook > Send an email (V2) connector and fill the parameters.
- Add the Response connector to return a confirmation message.
- Save the Logic App and test it using the previous payload as a template.
From that point on, this data will no longer be recorded in the run history. Even the logs in Azure Monitor or Application Insights will only contain masked values — which you can verify in the Run History of your Logic App.
Best Practices
Use Secure Inputs/Outputs in critical actions, such as:
- HTTP actions that include authentication tokens.
- Connectors that send passwords or personal data.
- Calls to internal APIs.
- Email connectors (e.g., Office 365 Outlook – Send an email (V2)) that may expose confidential information in the body or attachments.
- Combine this with Azure Key Vault to securely store credentials — helping you avoid exposing secrets at both design time and runtime.
- Document within the workflow which actions have this protection enabled — this can be extremely helpful during audits.
Conclusion and Benefits
This is an essential practice, particularly when dealing with personal or confidential information. Enabling Secure Inputs and Secure Outputs in Azure Logic Apps is a simple yet powerful way to ensure that your workflows follow the best security and privacy practices. If you’re building automation solutions in Azure, always enable these options when working with sensitive data to protect your information and reduce the risk of unintended exposure.
To lazy to read? We’ve got you covered! Check out our video version of this content!
Hope you find this helpful! If you enjoyed the content or found it useful and wish to support our efforts to create more, you can contribute towards purchasing a Sauron’s Action Figure for Sandro’s son, yep, not for me!
