Skip to content

Integrate Azure Key Vault with your Teams app

Jump to bottom
Jun Han edited this page May 25, 2023 · 2 revisions

Azure Key Vault is a secure storage solution to manage secrets, keys and certificates. It can be used to centralize application secrets, securely store secrets and keys, monitor access and use as well as simplify administration of application secrets.

Azure Key Vault provision and configuration

Teams Toolkit orchestrates cloud service provision and configuration with an infrastructure as code approach using a Domain Specific Language called Bicep.

Follow these steps to provision a new Azure Key Vault service with Teams Toolkit:

  1. Step 1: Create a new bicep file
  2. Step 2: Update existing bicep file
  3. Step 3: Execute provision command

Step 1: Create a new bicep file

Create a bicep file called keyVault.bicep under infra folder with below content for provisioning Aszure Key Vault service.

param keyVaultName string
param secretName string
@secure()
param secret string
param identityObjectId string

var tenantId = subscription().tenantId


resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: keyVaultName
  location: resourceGroup().location
  properties: {
    tenantId: tenantId
    accessPolicies: []
    sku: {
      name: 'standard'
      family: 'A'
    }
  }
}

resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyVaultName}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: identityObjectId
        permissions: {
          secrets: [
            'get'
          ]
        }
      }
    ]
  }
  dependsOn: [
    keyVault
  ]
}

resource secretKv 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
  parent: keyVault
  name: secretName
  properties: {
    value: secret
  }
}

Step 2: Update existing bicep file

Update existing azure.bicep file under infra folder.

  1. Add below content for provisioning user-assigned managed identity and Azure Key Vault, and update <The secret to be stored in Key Vault>:

    var keyVaultName = resourceBaseName
var secretName = 'secret'
var secretReference = '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=${secretName})'

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
name: resourceBaseName
location: resourceGroup().location
}

module keyVaultProvision './keyVault.bicep' = {
name: 'keyVaultProvision'
params: {
    keyVaultName: keyVaultName
    secretName: secretName
    secret: <The secret to be stored in Key Vault>
    identityObjectId: managedIdentity.properties.principalId
}
}

  2. Update the existing resource for accessing Azure Key Vault.

    E.g. If it is a Bot or Function project hosted on Azure Web App, you need to update the bicep content of webApp:

    1. Add below content under resource webApp:

      identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
    '${managedIdentity.id}': {}
    }
}
dependsOn: [ keyVaultProvision ]

    2. Add below content under properties of resource webApp:

      keyVaultReferenceIdentity: managedIdentity.id

  3. Update the secret value to Key Vault secret reference. E.g. If it is a Bot project, update for the value of BOT_PASSWORD under appSettings of resource webApp:

    {
    name: 'BOT_PASSWORD'
    value: secretReference
}

Step 3: Execute provision command

Follow this document to provision cloud resources.

Build Apps for Microsoft Teams | Build or Extend Microsoft Copilot for Microsoft 365 | Microsoft 365 Platform Blogs | Microsoft 365 Developer YouTube Channel

Build Custom Engine Copilots

Scenario-based Tutorials

Extend your app across Microsoft 365

App settings and Microsoft Entra Apps

Configure multiple capabilities

Add Authentication to your app

Connect to cloud resources

Deploy apps to production

Clone this wiki locally