# Azure Key Vault

<AccordionGroup>
  <Accordion title="Prerequisites" icon="list-check">
    * An Enkryptify workspace with admin access
    * An Azure subscription with an existing Key Vault
    * Permissions to create or update Microsoft Entra app registrations
    * Permissions to assign Key Vault data-plane roles
  </Accordion>

  <Accordion title="Permissions" icon="scroll-text">
    Enkryptify connects to Azure Key Vault using Microsoft Entra workload identity federation. You create a federated credential on an app registration, then grant that app access to your Key Vault.

    * Federated credential values:
      * Issuer: copied from Enkryptify during setup
      * Subject: copied from Enkryptify during setup
      * Audience: `api://AzureADTokenExchange`
    * Required Key Vault role:
      * `Key Vault Secrets Officer` at the Key Vault scope

    <Note>
      Enkryptify does not store an Azure client secret. Azure exchanges a short-lived Enkryptify assertion for an access token when a sync runs.
    </Note>
  </Accordion>

  <Accordion title="Secret names" icon="key-round">
    Azure Key Vault secret names must be 1-127 characters and contain only letters, numbers, and hyphens.

    This sync stores one Azure Key Vault secret per Enkryptify secret. If an Enkryptify secret name contains unsupported characters such as `_`, that individual secret fails to sync until it is renamed.
  </Accordion>
</AccordionGroup>

## Steps to complete

<Steps>
  <Step title="Create a new sync">
    * Go to the `Syncs` tab of your project and click `Azure Key Vault`.
  </Step>

  <Step title="Copy the federation values">
    * Enkryptify shows an `Issuer`, a `Subject`, an `Audience`, and a JSON snippet.
    * Keep this screen open while you configure Microsoft Entra.
  </Step>

  <Step title="Create or select an app registration">
    * In Azure, go to Microsoft Entra ID → `App registrations`.
    * Create a new app registration or open an existing one dedicated to this sync.
    * Copy the app's `Application (client) ID`.
    * Copy your `Directory (tenant) ID`.
  </Step>

  <Step title="Add the federated credential">
    * In the app registration, open `Certificates & secrets` → `Federated credentials`.
    * Add a new credential and choose `Other issuer`.
    * Paste the `Issuer`, `Subject`, and `Audience` values from Enkryptify.
    * Use a name such as `enkryptify-key-vault-sync`.

    ```json theme={"dark"}
    {
      "issuer": "https://api.example.com",
      "subject": "enkryptify:sync:azure-key-vault:<connection-id>",
      "audiences": ["api://AzureADTokenExchange"]
    }
    ```
  </Step>

  <Step title="Grant Key Vault access">
    * Open your Key Vault → `Access control (IAM)`.
    * Add a role assignment for `Key Vault Secrets Officer`.
    * Assign the role to the app registration's service principal.

    ```bash theme={"dark"}
    # <application-client-id> is the Application (client) ID copied earlier;
    # az resolves it to the app registration's service principal.
    az role assignment create \
      --role "Key Vault Secrets Officer" \
      --assignee <application-client-id> \
      --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>
    ```
  </Step>

  <Step title="Connect in Enkryptify">
    * Return to Enkryptify and continue.
    * Enter your `Tenant ID`, `Client ID`, and Key Vault URL, for example `https://my-vault.vault.azure.net`.
    * Optionally enter a prefix. Prefixes must also contain only letters, numbers, and hyphens.
  </Step>

  <Step title="Link an Enkryptify environment">
    * Choose which Enkryptify environment to sync.
    * Enkryptify validates the connection by creating and deleting a temporary Key Vault secret.
  </Step>
</Steps>
