
Azure Key Vault

Prerequisites

First, Identity Manager recommends reading:

Compatible Settings

Every key from appsettings.agent.json that has a string value can be saved as a secret into Microsoft Entra ID (formerly Azure AD) Key Vault. See the appsettings.agent topic for additional information.

Check the examples in connectors' credential protection sections. See the ServiceNow topic for additional information.

Write Settings to the Vault

After creating the Azure Key Vault, open its page on Azure's portal and add a secret.

The important part of adding a secret in Azure Key Vault is defining its name and value:

  • As secret names can only contain alphanumeric characters, with double dashes (--) as the level separator, the keys from the appsettings.agent.json file must contain only alphanumeric characters too;
  • A secret's value is simply the value associated with the key in the JSON file.

For example, for the Active Directory:

Code attributes enclosed with <> need to be replaced with a custom value before entering the script in the command line.

appsettings.agent.json
{
  ...
  "Connections": {
    ...
    "ADExport": {
      "Servers": [
        {
          "Server": "<paris.contoso.com>",
          "BaseDN": "<DC=paris,DC=com>"
        },
        {
          "Server": "<marseille.contoso.com>",
          "BaseDN": "<DC=defense,DC=marseille,DC=com>"
        }
      ],
      "AuthType": "<Basic>",
      "Login": "<login123>",
      "Password": "<password123>",
      "Filter": "(objectclass=*)",
      "EnableSSL": "false"
    }
  }
}

To save the login to Azure Key Vault, create a secret whose name and value are respectively <Connections--ADExport--Login> and <login123>.

To save the second server, create a secret whose name and value are respectively <Connections--ADExport--Servers--1--Server> and <marseille.contoso.com>.

Remember, the index of the first element is 0.

Values from the Azure Key Vault take priority over the values from the appsettings files.

For example, if Login exists in both Azure Key Vault and appsettings.agent.json, then the value from Azure Key Vault is used.
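The mapping described above, as an added example that is not part of the product's own code: it splits a vault secret name on the double-dash separator (rejecting names that do not follow the alphanumeric rule), walks the key path through the appsettings JSON (numeric segments index into arrays, first element 0), and applies the vault value over the file value. The appsettings content and the vault secrets are constructed samples.

```python
import json
import re

# Constructed sample mirroring the page's appsettings.agent.json (placeholders replaced by plain strings).
APPSETTINGS = json.loads("""
{
  "Connections": {
    "ADExport": {
      "Servers": [
        {"Server": "paris.contoso.com", "BaseDN": "DC=paris,DC=com"},
        {"Server": "marseille.contoso.com", "BaseDN": "DC=defense,DC=marseille,DC=com"}
      ],
      "AuthType": "Basic",
      "Login": "login123",
      "Password": "password123"
    }
  }
}
""")

# Constructed sample of what the vault returns: secret name -> secret value.
VAULT_SECRETS = {
    "Connections--ADExport--Login": "svc-idm",
    "Connections--ADExport--Password": "s3cret-from-vault",
    "Connections--ADExport--Servers--1--Server": "lyon.contoso.com",
}

# Alphanumeric segments joined by "--", as required for secret names on this page.
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9]+(--[A-Za-z0-9]+)*$")


def secret_name_to_path(name):
    """Split a vault secret name into the key path it overrides; '--' is the level separator."""
    if not SECRET_NAME_RE.match(name):
        raise ValueError(f"invalid secret name: {name!r}")
    return name.split("--")


def apply_vault_overrides(settings, secrets):
    """Return a copy of settings where each vault secret overrides the matching value.
    Numeric path segments index into JSON arrays (the first element is 0).
    A path that does not exist in the settings raises KeyError/IndexError rather than being created."""
    merged = json.loads(json.dumps(settings))  # deep copy, original left untouched
    for name, value in secrets.items():
        *parents, leaf = secret_name_to_path(name)
        node = merged
        for seg in parents:
            node = node[int(seg)] if isinstance(node, list) else node[seg]
        if isinstance(node, list):
            node[int(leaf)] = value
        else:
            node[leaf] = value
    return merged


if __name__ == "__main__":
    print(json.dumps(apply_vault_overrides(APPSETTINGS, VAULT_SECRETS), indent=2))
```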

Configure Usercube

Netwrix Identity Manager (formerly Usercube) uses the default Azure credentials to connect to the vault. Since the implementation of the default Azure credential is controlled by Microsoft, see the Default Azure Credential page for additional information.

Name             | Type   | Description
Vault (required) | String | DNS name found on the vault's page in Azure's portal, usually in the format https://yourVault.vault.azure.net/.