D365FO - Setting Up Azure Key Vault Client

The Key Vault client may not be a widely recognized feature in D365FO, but when I implemented it for a customer, I discovered it to be straightforward and beneficial. However, a significant drawback is that Key Vault parameters are saved per-company rather than as a global application configuration. To use identical parameters across different legal entities, you must either replicate the parameters for each legal entity or develop a custom method within your model to access secrets across legal entities.

A key application of the key vault client is in custom integrations with external applications, where it securely stores credentials and connectivity parameters in an Azure key vault. These can then be accessed within D365FO using standard X++ code. D365FO already includes all required classes and libraries to retrieve secret values from the Azure key vault, requiring only minimal configuration to get started.

Here’s a high-level overview of how the components interact:

1. D365FO Application: This is where the business processes are executed, and it requires access to secrets stored in Azure Key Vault for operations like authentication, data encryption, etc.
2. Azure Active Directory (AAD / Entra): It provides identity services and is used to authenticate the Key vault client app registered in the AAD to access the Azure Key Vault.
3. Azure Key Vault: This is the centralized cloud service for storing sensitive information like secrets, keys, and certificates.
4. Key Vault Client: This is the component within the D365FO application that interacts with the Azure Key Vault. It uses service principal credentials in the AAD to authenticate and retrieve secrets.
5. Azure Key Vault Service: The cloud service that the Key Vault client communicates with to retrieve the necessary secrets for the D365FO application.

Here’s a simplified representation of the architecture:

To set up the Azure Key Vault client in your D365FO application, you would typically:

• Create and configure a new Key Vault in the Azure portal. Work with your IT team to secure the key vault like allowing only access from specific IP ranges. Microsoft D365 IP ranges are published by Microsoft.
• Register a new application in Azure AAD for key vault client and note the App Id & Secret value for later.
• Set up permissions and access policies in Azure AD for the D365FO application to access the Key Vault.

• Configure the D365FO application with the Key Vault URL, client ID, and secret key for authentication.
• key vault URL : e.g. https://keyvaulttesting.vault.azure.net/
• Key vault client : The App Id registered for key vault client in the earlier step.
• Key vault secret key : The Client secret value for the key vault client from the app registration step.
• In the Secrets grid, add a new secret. Give a name & description as per your choice.
• The secret must be mentioned in the format vault://<KeyVaultName*>/<SecretName>/<SecretVersion*>. The * represents that the attribute is optional. You can also mention the secret in the format vault:///<SecretName>. The vault URL just gets defaulted from the value setup above.
• e.g. vault://manishkeyvaulttesting.vault.azure.net/secret1/2fdb1138a64d4878ba3bf81e5ab2e90a OR
• e.g. vault://///secret1
• Click validate to ensure the validation is successful and the D365FO is able to access the key vault secrets.

Now that you have configured the key vault client in D365FO, you can access the secret in your X++ code easily.

Here's a sample code to pass the secret name (as configured in the "Name" column in the key vault parameters screen) to one of the standard methods and get the secret value based on that record. There are more methods available in KeyVaultCertificateTable & KeyVaultCertificateHelper class for use as per your requirement.

sample code:

Assuming, you will keep setups for each connection parameter for your integration. just pass each secret name to the method for retrieving their values.

secret 1 =  myClass::getSecretValue(secretname);        

public static str getSecretValue(str _name)
{        
        KeyVaultCertificateTable    certTable = KeyVaultCertificateTable::findByName(_name);
        
        return KeyVaultCertificateHelper::getManualSecretValue(certTable.RecId);
 }