Setting up Azure Key Vault Client

Aplícase a: Dynamics 365 for Operations

Advanced certificates storage functionality provides an opportunity to define what type of storage for certificates will be used in Microsoft Dynamics 365 for Finance and Operations.

There are two possible options for storing certificates that are available with the new functionality. You can define the option by setting new parameter Use advanced certificate store in System parameters (System administration \ Setup \ System parameters, tab General):

  • Local storage. This option can be used with On-premises deployment option, as well as on any kind of On-premises development environments. In this case, you should set Use advanced certificate store parameter to No. This option is recommended to be set for DEV environment for development and validation purposes, where it is necessary to validate the certificate and work with it.
  • Azure Key Vault storage. This option must be used with Cloud deployment option, and can be used with On-premises deployed environments, and with any kind of On-premises development environments. You need to set Use advanced certificate store parameter to Yes. This is the only option for PROD environment in Azure Cloud.

This image shows you how to set up a Key Vault Client.

Working with certificates stored in the Azure Key Vault requires preliminarily steps to be accomplished. All necessary settings described in the article 4040294 "Maintaining Azure Key Vault storage". After setting up Azure Key Vault storage, you should setup link to the certificates in Microsoft Dynamics 365 for Finance and Operations.

As soon as the certificate is installed in Azure KeyVault, it must be setup in application. Setup instruction is:

  1. Open the form "Key Vault parameters" in the System administration module (System administration \ Setup \ Key Vault parameters). Create a new instance of Key Vault parameter, define a name and a description for it.
  2. Go to tab "General" and specify the mandatory parameters used for the integration with Azure Key Vault storage:
  • Key Vault URL - a default key vault URL if it's not defined by the secret reference.
  • Key Vault client - an interactive Client ID of the AD application associated with Azure Key Vault storage for authentication. 
  • Key Vault secret key - a Secret Key associated with the AD application used for authentication to Azure Key Vault storage.

This image shows you how to set up a Key Vault Client.

Note: When several key vault storages are used, each of them should have a separate instance of Key Vault parameters created in the Microsoft Dynamics 365 for Finance and Operations.

  1. Go to tab "Certificates" and add your certificates there by clicking button "Add". For each certificate, you should enter the following data:
  • Name and description.
  • Key Vault certificate secret - a secret reference to the certificate.

Note: A Key Vault certificate secret must have the format like in the example:

vault://<KeyVaultName*>/<SecretName>/<SecretVersion*>

The attributes marked with the sign "*" are optional, and the attribute <SecretName> is mandatory. So, in most cases it’s enough to define a Key Vault secret key in the format:

vault:///<SecretName>

If the Key Vault secret key doesn't contain a secret version, then system retrieve an active certificate with the latest expiration date.

Note: The Azure Key Vault storage functionality has been extended with a caching of certificates. So, it is highly recommended to do the following:

  • Specify a Secret version in the Key Vault certificate secret.
  • After uploading a new version of the existing certificate to the Key Vault storage, you should update a Secret version in the "Key Vault certificate secret" parameter in the Microsoft Dynamics 365 for Finance and Operations.

You can use Validate function to check if you have defined reference to the Certificate correctly, and Certificate is valid.