> ## Documentation Index
> Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure Key Vault Connection

> Learn how to configure a Azure Key Vault Connection for Infisical.

Infisical supports three methods for connecting to Azure Key Vault: OAuth, Client Secret, and Certificate (SPN with certificate).

<Accordion title="Self-Hosted Instance">
  Using the Azure Key Vault connection on a self-hosted instance of Infisical requires configuring an application in Azure
  and registering your instance with it.

  **Prerequisites:**

  * Set up Azure and have an existing Key Vault instance.

  <Steps>
    <Step title="Create an application in Azure">
      Navigate to Azure Active Directory > App registrations to create a new application.

      <Info>
        Azure Active Directory is now Microsoft Entra ID.
      </Info>

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/integrations/azure-app-configuration/config-aad.png" alt="Azure key vault" />

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/integrations/azure-app-configuration/config-new-app.png" alt="Azure key vault" />

      Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/organization/app-connections/azure/oauth/callback`.

      <Tip>
        The domain you defined in the Redirect URI should be equivalent to the `SITE_URL` configured in your Infisical instance.
      </Tip>

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/register-callback.png" alt="Azure key vault" />
    </Step>

    <Step title="Assign API permissions to the application">
      For the Azure Connection to work with Key Vault, you need to assign multiple permissions to the application.

      #### Azure Key Vault permissions

      Set the API permissions of the Azure application to include `user.impersonation` for the Key Vault API.

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/keyvault-azure-permissions.png" alt="Azure key vault" />
    </Step>

    <Step title="Add your application credentials to Infisical">
      Obtain the **Application (Client) ID** in Overview and generate a **Client Secret** in Certificate & secrets for your Azure application.

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/integrations/azure-app-configuration/config-credentials-1.png" alt="Azure key vault" />

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/integrations/azure-app-configuration/config-credentials-2.png" alt="Azure key vault" />

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/integrations/azure-app-configuration/config-credentials-3.png" alt="Azure key vault" />

      Back in your Infisical instance, add two new environment variables for the credentials of your Azure application.

      * `INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID`: The **Application (Client) ID** of your Azure application.
      * `INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET`: The **Client Secret** of your Azure application.

      Once added, restart your Infisical instance and use the Azure Key Vault connection.
    </Step>
  </Steps>
</Accordion>

<Accordion title="Client Secret Authentication">
  To use client secret authentication, ensure your Azure Service Principal has the required permissions and is connected to the Azure Key Vault instances you want to use.

  **Prerequisites:**

  * Set up Azure and have an existing Key Vault instance.
  * The service principal must be connected to your target Azure Key Vault instance(s)

  <Steps>
    <Step title="Assign API permissions to the service principal">
      Configure the required API permissions for your App Registration to interact with Azure Key Vault:

      #### Azure Key Vault permissions

      Set the API permissions of your Azure service principal to include `user_impersonation` for the Key Vault API.

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/keyvault-azure-permissions.png" alt="Azure key vault" />
    </Step>
  </Steps>
</Accordion>

<Accordion title="Certificate Authentication">
  To use certificate authentication, ensure your Azure Service Principal has access to the Azure Key Vault instances you want to use. You'll need a certificate uploaded to the App Registration and the matching private key kept locally.

  **Prerequisites:**

  * Set up Azure and have an existing Key Vault instance.
  * The service principal must be granted access to your target Azure Key Vault instance(s) via Access Policies or RBAC (e.g. the **Key Vault Secrets Officer** role).
  * A certificate (PEM) uploaded to your App Registration and the matching PEM private key.

  <Steps>
    <Step title="Upload your certificate to your Azure App Registration">
      In the Azure Portal, navigate to your App Registration and open the **Certificates & secrets** section. Choose the **Certificates** tab and press the **Upload certificate** button. Select and upload your public certificate (PEM/CER/CRT).

      You will need both the **certificate body** and the matching **private key** (in PEM format) to configure the connection in Infisical.
    </Step>
  </Steps>
</Accordion>

## Setup Azure Connection in Infisical

<Steps>
  <Step title="Navigate to App Connections">
    Navigate to the **Integrations** tab in the desired project, then select **App Connections**. <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/general/add-connection.png" alt="App Connections
    Tab" />
  </Step>

  <Step title="Add Connection">
    Select the **Azure Connection** option from the connection options modal. <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/select-connection.png" alt="Select Azure Connection" />
  </Step>

  <Step title="Create Connection">
    <Tabs>
      <Tab title="OAuth">
        <Steps>
          <Step title="Authorize Connection">
            You can optionally authenticate against a specific tenant by providing the Azure Tenant or Directory ID.

            Now select the **OAuth** method and click **Connect to Azure**.

            <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/create-oauth-method.png" alt="Connect via Azure OAUth" />
          </Step>

          <Step title="Grant Access">
            You will then be redirected to Azure to grant Infisical access to your Azure account. Once granted,
            you will redirect you back to Infisical's App Connections page. <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/grant-access.png" alt="Azure Key Vault
            Authorization" />
          </Step>
        </Steps>
      </Tab>

      <Tab title="Client Secret">
        <Steps>
          <Step title="Create Connection">
            Fill in the **Tenant ID**, **Client ID**, **Client Secret** fields with the Directory (Tenant) ID, Application (Client) ID, Client Secret you obtained in the previous step.

            <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/create-client-secrets-method.png" alt="Connect via Azure OAUth" />

            <Tip>
              You can optionally enable **Automatic Credential Rotation** for this connection. See the [Automatic Credential Rotation](#automatic-credential-rotation) section below for details.
            </Tip>
          </Step>
        </Steps>
      </Tab>

      <Tab title="Certificate">
        <Steps>
          <Step title="Create Connection">
            Select the **Certificate** method and fill in the following fields:

            * **Tenant ID** — the Directory (Tenant) ID of your Azure App Registration.
            * **Client ID** — the Application (Client) ID of your Azure App Registration.
            * **Certificate** — the PEM-encoded public certificate that was uploaded to the App Registration.
            * **Private Key** — the PEM-encoded private key matching the certificate above.

                          <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/create-certificate-method.png" alt="Connect via Certificate" />

            <Note>
              The private key is never transmitted to Azure; it is only used locally by Infisical to sign the client assertion used to authenticate with Azure.
            </Note>

            <Note>
              Automatic Credential Rotation is not available for the Certificate authentication method.
            </Note>
          </Step>
        </Steps>
      </Tab>
    </Tabs>
  </Step>

  <Step title="Connection Created">
    Your **Azure Key Vault Connection** is now available for use. <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/oauth-connection.png" alt="Assume Role AWS Connection" />
  </Step>
</Steps>

## Automatic Credential Rotation

When using the **Client Secret** authentication method, Infisical can automatically rotate the Client Secret of your Azure application on a recurring schedule. When enabled, Infisical will immediately generate a new Client Secret on connection creation and revoke the original one, ensuring that no external party retains access using the credentials you provided.

<Note>
  Automatic Credential Rotation is only available for the **Client Secret** authentication method.
</Note>

<Steps>
  <Step title="Locate the Key ID of your Client Secret">
    Before enabling rotation, you'll need the **Key ID** of the Client Secret you are using to authenticate. Navigate to your App Registration in the Azure Portal, then go to **Certificates & secrets**. Copy the **Secret ID** (Key ID) of the secret you are providing to Infisical.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/credential-rotation-key-id.png" alt="Azure Client Secret Key ID" />
  </Step>

  <Step title="Enable Automatic Credential Rotation">
    When creating or editing your connection, toggle on the **Automatic Credential Rotation** switch.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/credential-rotation-toggle.png" alt="Enable Automatic Credential Rotation" />
  </Step>

  <Step title="Provide the Client Secret Key ID">
    Enter the **Key ID** you copied in the previous step into the **Client Secret Key ID** field. Infisical uses this to revoke your original secret after generating a new one.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/credential-rotation-key-id-field.png" alt="Client Secret Key ID Field" />
  </Step>

  <Step title="Configure the Rotation Schedule">
    Set the **Rotation Interval** (in days) to define how often the credential should be rotated, and set **Rotate At** to the local time of day at which the rotation should occur.

    * **Rotation Interval** – How many days between each rotation.
    * **Rotate At** – The local time of day at which the rotation will be triggered.

          <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/azure/key-vault/credential-rotation-schedule.png" alt="Rotation Schedule" />
  </Step>
</Steps>
