Connection references best practices in Dataverse
How connection references decouple connector authentication from solutions — the ALM patterns, common pitfalls, and the operational rhythm for managing them at scale.
A Power Automate flow calling SharePoint, SQL, or any connector needs a connection — an authenticated session to that service. Hard-coding a specific connection in a flow couples the flow to one user / one credential / one environment. The connection reference is Microsoft's abstraction layer: the solution references an abstract handle; each environment binds it to a real connection.
Two distinct concepts.
- Connection — a real, authenticated session to a connector. Created by a specific user with their credentials or via service principal.
- Connection reference — an abstract handle in a solution. References a logical connection; bound to specific connections per environment.
Solutions contain connection references, not connections. Connections live in the environment.
Why connection references matter.
- Solutions deploy without baked-in credentials.
- Per-environment binding — dev uses dev credentials; prod uses prod.
- User changes don't break flows — change the connection binding, not the flow.
- Service principal connections for production-grade auth without user dependency.
Creating a connection reference. In a solution:
- Add new → Connection reference.
- Specify connector type (SharePoint, SQL, Salesforce, etc.).
- Specify connection (or leave unbound for later binding).
The connector defines what authentication is needed; the connection supplies it.
Using in a flow. When designing the flow:
- Action picks a connection reference instead of directly picking a connection.
- Solution-bound flow uses the reference.
- At runtime, the reference resolves to the bound connection.
Solution import behaviour. When importing a solution to a new environment:
- Connection references appear unbound.
- Admin must bind each to a real connection (or to be auto-bound by deployment automation).
- Without binding, flows can't run.
This is the deployment-time configuration step that ops must execute.
Service principal connections. Modern preference:
- Connection authenticates as a service principal, not a user.
- No dependency on a specific human's credentials.
- Survives user departures.
- More secure (managed identity, no human password).
For production, service principal connections are the recommended pattern.
User-context connections. Connections authenticated by a specific user:
- User's credentials.
- User's permissions in the target service.
- Breaks when user leaves or password changes.
Use only for personal scenarios or where service principal isn't supported.
Connection ownership.
- Connection owned by the user who created it.
- Sharing connection: share with specific users / teams.
- Reassign connection: change owner.
For team-shared flows, the connection should be shared with the flow's users.
Multi-tenant scenarios. Connection references work cleanly:
- Solution exported once.
- Imported into multiple customer environments.
- Each customer binds to their own connection.
This is the ISV pattern — distribute a solution; each customer configures connections.
Common connector patterns.
- SharePoint — to a specific site / library.
- SQL — to a database (connection string + credentials).
- Outlook — sending emails on behalf of a mailbox.
- HTTP — generic; often used for custom APIs.
- Custom connector — your own definition.
Each connector has different authentication requirements; service principal support varies.
Auditing connection usage.
- Power Platform admin centre — connection inventory.
- Identifies orphaned connections (no flow uses).
- Identifies high-use connections (many flows).
- Identifies connections owned by departed users.
Periodic audit catches drift.
ALM patterns.
- Solution checker — verify connection references defined.
- Deployment runbook — list every connection reference; how to bind.
- Automation — pipelines can bind connection references via API.
Automated binding via pipelines is the mature pattern; manual binding works for smaller scale.
Common pitfalls.
- Flow with hardcoded connection. Solution contains the connection ID; imports fail in other environments.
- User connection in production. User leaves; flows break.
- Connection reference unbound. Solution imported but reference not bound; flow fails at runtime.
- Multiple connections to same target. Confusion; consolidate.
- Connection share missing. Flow can run as creator but not for other users.
- Stale connections. Connections to systems no longer in use; clean up.
Migration from old patterns. Legacy flows with hardcoded connections:
- Create connection references in the solution.
- Update each flow to use the reference instead of direct connection.
- Test.
- Deploy.
- Remove unused direct connections.
This is technical debt worth paying down for any flow that needs to move between environments.
Operational rhythm.
- Per deployment — verify connection bindings in target environment.
- Per user departure — audit connections owned by departing user; reassign or migrate.
- Quarterly — connection inventory audit; cleanup.
- Per solution release — confirm all references properly bound.
Strategic positioning. Connection references are how production-grade Power Platform solutions handle authentication. The pattern is mature; the discipline of using them is what separates production-ready solutions from prototypes. Combined with service principal connections for production and environment variables for secrets, the architecture is secure, portable, and operable at scale. Invest in the pattern early; the alternative is a tangle of hardcoded connections that breaks on every user change and every environment promotion.
Related guides
- Connection records in DataverseHow connection records model record-to-record relationships beyond standard lookups — types, roles, use cases, and the limits of the mechanism.
- Async jobs in DataverseHow Dataverse runs background work — system jobs, async plug-ins, workflow runs, and how to monitor, troubleshoot, and prevent the async backlog from getting out of hand.
- Bulk delete jobs in DataverseHow Dataverse's bulk delete handles mass record cleanup — scheduling, filters, retention policies, and the operational discipline around storage management.
- Business rules in DataverseHow business rules let you add field-level logic to forms without code — set value, lock field, show error, recommendation, and the limits of the engine.
- Business units and teams in Dataverse — a deep diveHow business units, owner teams, access teams, and Microsoft 365 group teams compose the security model in Dataverse — what each is for, how they interact, and the common design mistakes.