Business-sensitive data is usually handled in a secure way. This means that a function or application working with such data must support data encryption, work with certificates, and so on. Because the cloud version of Microsoft Dynamics 365 for Finance and Operations does not support local storage of certificates, customers must use a key vault instead. Azure Key Vault lets you import cryptographic keys and certificates into Azure and manage them there; the application never holds the private key on local disk, it only reads the certificate from the vault when it needs it. Additional information on Azure Key Vault: What is Azure Key Vault.
The following data is required to define the integration between Microsoft Dynamics 365 for Finance and Operations and Azure Key Vault:
- Key vault URL (DNS name),
- Client ID (application identifier),
- List of the certificates with their names,
- Secret key (key value).
Below you can find a detailed description of the setup steps:
Create a Key Vault storage
- Open the Microsoft Azure portal: https://ms.portal.azure.com/.
- Click the "New" button on the left panel to create a new service.
To make the button names visible, click the top button on the left panel ("Show text labels").
- Select the "Security + Identity" node and then click the "Key Vault" app.
- The "Create key vault" page opens. Define the key vault parameters here and then click the "Create" button:
- Specify the "Name" of the key vault. This parameter is referred to in "Setting up Azure Key Vault Client" as <KeyVaultName>. The name also becomes part of the vault's DNS name (https://<KeyVaultName>.vault.azure.net), so it must be globally unique.
- Select your subscription.
- Choose a resource group. A resource group is a logical container for Azure resources; the key vault is created inside it, not the other way round. You may either use an existing resource group or create a new one.
- Select your location.
- Select a pricing tier.
- Click "Create".
Upload a certificate
Upload your certificates to the key vault storage.
- Click the "Dashboard" button on the left panel to see the key vault created earlier.
- Select the appropriate key vault to open it. The "Overview" tab shows the essential parameters of the key vault, including the "DNS name".
Note: The DNS name is a mandatory parameter for integration with the key vault, therefore it must be specified in the application. It is referred to in "Setting up Azure Key Vault Client" as the <Key Vault URL> parameter.
- Click on tile "Secrets".
- Click the "Add" button on the "Secrets" page to add a new certificate to the key vault. On the right side of the page, define the certificate parameters:
- Select the value "Certificate" in the field "Upload options".
- In the "Upload certificate" field, click the folder icon and find the appropriate certificate in the file browser.
- Enter the certificate name in the "Name" field.
Note: The secret name is a mandatory parameter for integration with the key vault, therefore it must be specified in the application. It is referred to in "Setting up Azure Key Vault Client" as the <SecretName> parameter.
- Enter a password if it’s required for the certificate.
- Enable the certificate.
- Click the "Create" button.
Note: The "Certificate" option in the "Upload options" field applies only to certificates with the *.pfx extension. Uploading a certificate in another format is similar, but take the following differences into account:
- Choose the option "Manual" in the field "Upload options".
- Open the certificate in a text editor and copy its entire content, including the "-----BEGIN ..." and "-----END ..." lines.
- Paste the copied content in the field "Value".
- It is possible to upload several versions of the certificate and manage them in the key vault. If you need to upload a new version of an existing certificate, select the certificate and click the "New version" button.
The current version must be defined in the application setup; it is referred to in "Setting up Azure Key Vault Client" as the <SecretVersion> parameter. Because the application reads the version it is configured with, uploading a new version (for example after a certificate renewal) takes effect only once <SecretVersion> is updated in the application.
Create an entry point for your application
Create an entry point for your application that uses the key vault storage.
- Open the legacy portal https://manage.windowsazure.com/.
- Click "ACTIVE DIRECTORY" on the left panel and select your directory.
- Open the directory and choose the "Applications" tab.
- Click the "Add" button on the bottom panel to create a new application entry.
- Specify the "Name" of the application and select the appropriate type.
- Define the properties of the application.
Note: Both fields should have the format http://<AppName>, where <AppName> is the application name specified on the previous page. <AppName> must be defined in the access policies of the key vault.
Configure your application
- Click the "Configure" tab.
- Generate a key. It is used by the application for secure access to the key vault.
You may create a key with a validity period of one or two years. After you click the "Save" button at the bottom of the page, the key value becomes visible.
Note: The key value is a mandatory parameter for integration with the key vault. It is displayed only once, immediately after saving, so copy it at this point and then specify it in the application. It is referred to in "Setting up Azure Key Vault Client" as the <Key Vault secret key> parameter. Treat it as a credential: anyone who holds the Client ID and this key value can read every secret the access policy grants to the application, so store it only in the application setup, not in e-mails or shared documents, and remember to generate a new key before the old one expires.
- Copy the value of "Client ID" from the configuration. It must be specified in the application and is referred to in "Setting up Azure Key Vault Client" as the <Key Vault Client> parameter.
Add an application to the key vault storage
Add your application to the key vault storage created before.
- Go back to the Microsoft Azure portal (https://ms.portal.azure.com/),
- Open your key vault and click the "Access policies" tile,
- Click the "Add new" button and choose the "Select principal" option. Find your application by its name and, when it is found, click the "Select" button.
- Fill in the "Configure from template" field and click the OK button.
Note: On this page you may also set up the key and secret permissions individually. The application only needs to read the certificate, so "Get" on secrets is sufficient; do not grant management permissions (Set, Delete, key operations) that the integration does not use.
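The following script is an added example, not code from the original page or from Microsoft; it shows what the four parameters collected above are used for at the protocol level. It uses only the Python standard library, the public Azure AD (v1) token endpoint and the Key Vault REST API: the Client ID and key value are exchanged for a bearer token via the client-credentials grant, the DNS name plus secret name and version form the secret URL, and the secret value is decoded according to how the certificate was uploaded (a .pfx via "Certificate" arrives base64-encoded with content type application/x-pkcs12; a PEM pasted via "Manual" arrives as text). The Azure AD tenant ID is an assumption: the page does not list it, but the token request requires it. The vault name, secret name and response below are constructed sample data.

```python
"""Read a certificate stored as a Key Vault secret (added example)."""
import base64
import json
import urllib.parse
import urllib.request

VAULT_RESOURCE = "https://vault.azure.net"   # token audience for Key Vault
KV_API_VERSION = "2016-10-01"                # Key Vault REST API version of that era


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST that turns <Key Vault Client> and
    <Key Vault secret key> into a bearer token. Returns (url, form body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": VAULT_RESOURCE,
    })
    return url, body


def secret_url(vault_url, secret_name, secret_version=None):
    """Compose the GET URL for <SecretName>/<SecretVersion> under <Key Vault URL>.
    With no version Key Vault returns the current (latest enabled) version."""
    url = vault_url.rstrip("/") + "/secrets/" + urllib.parse.quote(secret_name, safe="")
    if secret_version:
        url += "/" + urllib.parse.quote(secret_version, safe="")
    return url + "?api-version=" + KV_API_VERSION


def decode_certificate_secret(secret_json):
    """Turn a Key Vault secret document into (format, certificate bytes).
    Disabled versions and unrecognised content are rejected rather than
    silently handed to the caller as a certificate."""
    doc = json.loads(secret_json) if isinstance(secret_json, str) else secret_json
    if not doc.get("attributes", {}).get("enabled", False):
        raise ValueError("secret version is disabled in Key Vault")
    value = doc["value"]
    content_type = doc.get("contentType", "")
    if content_type == "application/x-pkcs12":
        # .pfx uploaded with "Upload options: Certificate" -> base64 PKCS#12 blob
        return "pkcs12", base64.b64decode(value, validate=True)
    if "-----BEGIN " in value:
        # PEM pasted with "Upload options: Manual" -> the text itself
        return "pem", value.encode("ascii")
    raise ValueError(f"unrecognised certificate secret (contentType={content_type!r})")


def fetch_certificate(tenant_id, client_id, client_secret,
                      vault_url, secret_name, secret_version=None):
    """Perform the two HTTP calls for real (needs network; not exercised offline)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, data=body.encode()) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(secret_url(vault_url, secret_name, secret_version),
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return decode_certificate_secret(resp.read().decode())


# Constructed sample reply shaped like GET /secrets/{name}/{version} for a .pfx upload
SAMPLE_PFX_RESPONSE = json.dumps({
    "value": base64.b64encode(b"\x30\x82\x00\x00fake-pfx").decode(),
    "contentType": "application/x-pkcs12",
    "id": "https://contoso-kv.vault.azure.net/secrets/d365-signing/abc123",
    "attributes": {"enabled": True},
})

if __name__ == "__main__":
    kind, data = decode_certificate_secret(SAMPLE_PFX_RESPONSE)
    print(kind, len(data), "bytes")
```

Note that `fetch_certificate` is the only function that touches the network; the rest can be checked offline against the constructed response. The PKCS#12 bytes still have to be opened with the certificate password entered during upload, which the application must also hold.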