From the left side menu, navigate to Applications -> App registrations -> New registration.
On this screen, enter a suitable name for the app, for instance "InterForm", and select "Accounts in this organizational directory only (XXX.XXX only - Single tenant)". Leave "redirect URI" undefined and press the "Register" button.
An Application (client) ID and Directory (tenant) ID have been generated for you. Now click the link "Add a certificate or secret" next to "Client credentials".
Under "Client Secrets" use the "New client secret" button to create a secret. Select any expiry time that you like, but note that you have to create a new secret when it expires.
Now that you have created a secret, immediately make a copy of the value in the "Value" column, as you will not be able to see this again later.
Next you need to assign permissions to the app registration on the Azure Portal. This process can be scripted, but this is outside the scope of this document. Below is a description of how to do it manually on Microsoft Azure.
Create a new key vault or select an existing one to use. Make sure the key vault is configured for “Azure role-based access control”.
In the left-side menu, select "Access control (IAM)", then Add → Add role assignment.
Select the role “Key Vault Secrets User” then press the “Next” button.
Select Next → select members. Here type the name of the previously created app registration and select it.
Now use the button "Review + assign" two times to complete the process.
Now log in as admin on InterFormNG2 and configure the connection in the system settings.
https://<vaultname>.vault.azure.net/
AZURE_CLIENT_ID: Client ID of the Microsoft Entra application.
AZURE_TENANT_ID: Directory ID of the Microsoft Entra tenant.
AZURE_CLIENT_SECRET: One of the application's client secrets.
If InterFormNG2 is not hosted on Azure, then disable the switch “use default credentials” and enter the app registration credentials in the InterFormNG2 settings.
To test that the connection is working, as “secret name” enter the name of a secret that exists in the Azure Key Vault and then use the button “Test connection”. If the connection is working, the text “Successfully read secret” will be displayed. Otherwise an error is displayed. For obvious security reasons, the value of the secret is not displayed.
The configuration is now complete.
The secrets need to be created in the Azure Key Vault through scripting or the Azure Portal UI. InterFormNG2 will not create secrets in the vault; it can only read secrets that already exist in the vault.
In all password / secret fields in the InterFormNG2 settings and workflow components, it is possible to refer to a secret from the vault instead of using InterFormNG2’s own encryption. To refer to a secret in Azure Key Vault, it must be entered as “{AZV}secretname” where “secretname” is the name of the secret in the vault. The {AZV} prefix indicates that this is an ID from the vault rather than a literal value.
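The following Python is an added example, not InterFormNG2 code: it parses an {AZV} reference and performs the same kind of read check as “Test connection” against the Key Vault REST API, using the app registration's client credentials from the AZURE_* values. The function names, the `send` parameter and the API version are assumptions of this example.

```python
import json
import os
import re
import urllib.parse
import urllib.request

AZV_PREFIX = "{AZV}"
# Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
SECRET_NAME_RE = re.compile(r"[0-9A-Za-z-]{1,127}")
API_VERSION = "7.4"  # assumption: the Key Vault REST API version targeted here

def parse_reference(field_value):
    """Return the secret name for an {AZV} reference, or None for a literal."""
    if not field_value.startswith(AZV_PREFIX):
        return None
    name = field_value[len(AZV_PREFIX):]
    if not SECRET_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid Key Vault secret name: {name!r}")
    return name

def token_request(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials request for a Key Vault access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://vault.azure.net/.default"}
    return urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST")

def secret_request(vault_url, name, token):
    """GET for the latest version of a secret; needs Key Vault Secrets User."""
    url = f"{vault_url.rstrip('/')}/secrets/{name}?api-version={API_VERSION}"
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}"})

def check_connection(vault_url, field_value, env=os.environ,
                     send=urllib.request.urlopen):
    """Read the referenced secret and report success without exposing it."""
    name = parse_reference(field_value)
    if name is None:
        return "Not a vault reference"
    with send(token_request(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"],
                            env["AZURE_CLIENT_SECRET"])) as resp:
        token = json.load(resp)["access_token"]
    with send(secret_request(vault_url, name, token)) as resp:
        json.load(resp)["value"]  # KeyError if no value; never print or log it
    return "Successfully read secret"
```

`urlopen` raises `HTTPError` when authentication or authorization fails, for example a 403 if the app registration lacks the “Key Vault Secrets User” role on the vault.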