  • An Enkryptify workspace with admin access
  • An Azure subscription with an existing Key Vault
  • Permissions to create or update Microsoft Entra app registrations
  • Permissions to assign Key Vault data-plane roles
Enkryptify connects to Azure Key Vault using Microsoft Entra workload identity federation. You create a federated credential on an app registration, then grant that app access to your Key Vault.
  • Federated credential values:
    • Issuer: copied from Enkryptify during setup
    • Subject: copied from Enkryptify during setup
    • Audience: api://AzureADTokenExchange
  • Required Key Vault role:
    • Key Vault Secrets Officer at the Key Vault scope
Enkryptify does not store an Azure client secret. Azure exchanges a short-lived Enkryptify assertion for an access token when a sync runs.
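To make the exchange described above concrete, here is an added example (not Enkryptify's or Microsoft's code) that models the claim checks Entra performs against the federated credential before it issues an access token. It assumes the Enkryptify assertion is a standard JWT carrying iss, sub, aud, iat and exp claims, and uses the placeholder values from the JSON snippet shown in step 4.

```python
import time

# Federated credential as configured on the app registration, using the values
# from the page's JSON snippet (<connection-id> is the page's own placeholder).
FEDERATED_CREDENTIAL = {
    "issuer": "https://api.example.com",
    "subject": "enkryptify:sync:azure-key-vault:<connection-id>",
    "audiences": ["api://AzureADTokenExchange"],
}


def check_assertion_claims(claims, fed_cred, now=None, skew=300):
    """Return the reasons the assertion would be rejected (empty list = accepted).

    Models the claim checks Entra performs before exchanging a federated
    assertion for an access token: iss, sub and aud must match the federated
    credential exactly, and the token must be inside its validity window
    (skew = seconds of clock tolerance). Signature verification against the
    issuer's published keys happens in Entra and is not modelled here.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != fed_cred["issuer"]:
        problems.append("issuer mismatch")
    if claims.get("sub") != fed_cred["subject"]:
        problems.append("subject mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in fed_cred["audiences"] for a in aud_list):
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if exp is None or exp + skew < now:
        problems.append("assertion expired or missing exp")
    nbf = claims.get("nbf", claims.get("iat"))
    if nbf is not None and nbf - skew > now:
        problems.append("assertion not yet valid")
    return problems


# Constructed sample payloads (decoded JWT claims, not real Enkryptify tokens).
NOW = 1_700_000_000
GOOD_ASSERTION = {
    "iss": "https://api.example.com",
    "sub": "enkryptify:sync:azure-key-vault:<connection-id>",
    "aud": "api://AzureADTokenExchange",
    "iat": NOW - 30, "exp": NOW + 270,
}
# Same issuer but a different connection id in the subject: rejected, so another
# sync cannot obtain tokens through this app registration's federated credential.
OTHER_CONNECTION = dict(GOOD_ASSERTION, sub="enkryptify:sync:azure-key-vault:<other-id>")
```

Running the same check against the values you paste in step 4 is a quick way to catch a mistyped Issuer or Subject before linking an environment.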
Azure Key Vault secret names must be 1-127 characters long and contain only letters, numbers, and hyphens. This sync stores one Azure Key Vault secret per Enkryptify secret. If an Enkryptify secret name contains an unsupported character such as an underscore (_), that individual secret fails to sync until it is renamed.

Steps to complete

1. Create a new sync

  • Go to the Syncs tab of your project and click on Azure Key Vault.

2. Copy the federation values

  • Enkryptify shows an Issuer, Subject, Audience, and a JSON snippet.
  • Keep this screen open while you configure Microsoft Entra.

3. Create or select an app registration

  • In Azure, go to Microsoft Entra ID → App registrations.
  • Create a new app registration or open an existing one dedicated to this sync.
  • Copy the app’s Application (client) ID.
  • Copy your Directory (tenant) ID.

4. Add the federated credential

  • In the app registration, open Certificates & secrets → Federated credentials.
  • Add a new credential and choose Other issuer.
  • Paste the Issuer, Subject, and Audience values from Enkryptify.
  • Use a name such as enkryptify-key-vault-sync.
{
  "issuer": "https://api.example.com",
  "subject": "enkryptify:sync:azure-key-vault:<connection-id>",
  "audiences": ["api://AzureADTokenExchange"]
}

5. Grant Key Vault access

  • Open your Key Vault → Access control (IAM).
  • Add a role assignment for Key Vault Secrets Officer.
  • Assign the role to the app registration’s service principal.
az role assignment create \
  --role "Key Vault Secrets Officer" \
  --assignee <application-client-id> \
  --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>

6. Connect in Enkryptify

  • Return to Enkryptify and continue.
  • Enter your Tenant ID, Client ID, and Key Vault URL, for example https://my-vault.vault.azure.net.
  • Optionally enter a prefix. Prefixes must also contain only letters, numbers, and hyphens.

7. Link an Enkryptify environment

  • Choose which Enkryptify environment to sync.
  • Enkryptify validates the connection by creating and deleting a temporary Key Vault secret.