Custom connectors are how Power Automate and Power Apps reach systems Microsoft has not built a connector for. The OpenAPI-based authoring is straightforward. The production patterns for security, versioning, and lifecycle are not.
The OAuth setup that works
Microsoft Entra-protected APIs are the easiest integration. Register an app in Entra, expose a scope, configure the connector with OAuth 2.0 -> Microsoft Entra ID, and use service principal authentication for production.
For third-party APIs (Stripe, Twilio, anything outside Entra), use API key or generic OAuth 2.0. API key is simpler but every user needs the key. OAuth 2.0 is harder to set up but supports per-user authorization without sharing secrets.
Versioning is your responsibility
Custom connectors do not have built-in version management. If you change a connector’s schema, every flow using it can break silently. The pattern that works:
- Treat each connector as an artifact in source control via the
paconnCLI. - For breaking changes, create a new connector (
MyAPI v2) rather than mutating the existing one. - Migrate flows one at a time to the new version.
paconn download -e [environment] -c [connector-id]
git commit -am "connector v1.3 baseline"
paconn create -p ./properties.json -a ./apiDefinition.swagger.jsonThe 30-second timeout
Power Automate Dataverse-triggered flows allow a 30-second sync response from a custom connector. Beyond that, the call times out. For long-running APIs, return 202 Accepted with a status URL and poll asynchronously. Build a Get Status action into the same connector for the polling.
Throttling at the connector level
Each connector has its own throttling. Default is 100 requests per minute per connection. Heavy workloads need either:
- A premium-tier connector with higher limits (paid).
- Distribute calls across multiple service principals.
- Add explicit delay actions in flows that loop over the connector.
Connection references and ALM
A custom connector deployed via solution requires a connection reference that maps to an environment-specific connection. Without the reference, the connector appears in dev and breaks in production. Always include the connection reference in the solution and rebind during deployment (covered in the Pipelines article).
The “test from connector” trap
The “Test” feature in the connector UI uses your interactive credentials. Tests pass for you. Production runs use a service principal. Tests pass for one identity, fail for another. Always test using the service principal that production will use, not your admin account.
Triggers vs actions
Custom connectors can expose triggers (webhook-style) and actions (request/response). Webhook triggers are vastly more efficient than polling actions. If your API supports webhooks, define them in the connector’s swagger and Flow will subscribe correctly.
What to do this week
List your custom connectors. For each, document: auth method, versioning policy, timeout handling, throttle limit, owning service principal. Connectors missing any of these are tech debt waiting to fire.
