Back to previous page

Setting Up Azure Key Vault with an Azure Website (Web API)

1. Securing React App with Azure AD
2. Setting Up Azure Key Vault with an Azure Website (Web API) (this post)
3. Leveraging Office Pnp Core to run multi tenant specific operations (Create modern site, etc)
4. Creating communication sites templates and applying them to new sites in different tenants.

As you know from my previous post, I need to save a user password somewhere in order to be able to authenticate with the Office 365 tenant, even if we know that data stored in Cosmos DB is secure, the data there is plaintext, in this case I wanted to give a try to Azure Key Vault.

Azure Key Vault allows to store securely certificates, encryption keys, but also secrets or passwords. One of the advantages of Azure Key Vault is that you can secure the access to the vault to app themselves, so there is no way other APP or person can get access to it.

It works like an Azure AD App registration, its the same concept, you are basically allowing an external app (Azure Website/WEB API), to connect to your resource: Key Vault.

For this you will need the Azure CLI

The steps are:
1. Create your key vault in your region, not going to explain this here as the azure portal is pretty straightforward
2. Assign your web app an identity, the name parameter its what is front of the azurewebsite url:

  1. Take note of the principal id returned by the command.

  1. Set a policy to your key vault, the name parameter is your keyvault name, and the object id parameter its the principal id from the previous command. Please note that in the command below, I am only assigning GET, LIST and SET permissions, but there are some more

  1. If you want, use the below command to show the permissions given.

Now thats it, you can use the Azure Key Vault SDK to get and set your keys.

In my case, as the application its supposed to manage multiple Office 365 tenants, whenever I register a new tenant in my Cosmos DB Application, what I need to do is to create a new Key Vault Secret, and whenever I need to use the tenant for an operation, like creating a site collection, then I read from the key vault.

For that I created the below helper class:

Its a bunch of methods that allow you to get or set information from the key vault, so that when we need them we can just easily call a method.

And finally, in our TenantController, we can use something like this:

What does this method does? Well basically we receive a tenant information from our React Front End, the first thing is we need to verify if the password is correct by doing any operation, like getting a site collection title.

Then later, we instantiate our KeyVaultHelper with the tenant name and the tenant password, yes like a Key, Value Pair. As you can see this method is async, but once its finished, the SecretIdentifier will hold an URL that we will save on CosmosDB to get the password later when we need it.

As you can see the Secret Identifider holds the URL of the keyvault to get the secret.

Now, lets suppose you want to create a site collection for that tenant, easy, we can get the information from the tenant from CosmosDB, and then with the secret identifier, we can get the secret from the Key Vault.

The key part in this code is the .OnGetAsync, and we are using the secret identifier url to get exactly what we need.

About the Author:

Luis Valencia, CTO at Software Estrategico, Medellin, Colombia, independent blogger and still a coder, after 17 years of experience in the field and regardless of my position, and mostly with SharePoint/Office Products, I still love to code, open Visual Studio and bring solutions to users and to the community its what makes me wake up every morning.

Feel free to contact me via twitter direct messages, @levalencia


Valencia, V.  (2019). Setting Up Azure Key Vault with an Azure Website (Web API). Available at: [Accessed: 1st March 2019]

Share this on...

Leave a Reply

Back to previous page