Create Azure Key Vault to store Tenant ID, Client ID and Secret


Azure Key Vault is a cloud service that provides a secure store for secrets. In the previous post on creating a Power BI Service Principal Profile we added a secret. The Tenant ID, Client ID and Secret values give access to the Service Principal and whatever permissions it has, so we are going to create an Azure Key Vault to hold them.

This post is part of the Power Automate and Power BI REST API series.

Create Azure Key Vault

The first step is to create the Azure Key Vault. Start at https://portal.azure.com/. From the Home screen, navigate to All services and find Key vaults. Once on the Key vaults page, click on Create to start the process. This will navigate you to a screen to select the Subscription and Resource group. Key vaults do cost money, in my case <1p, but they do need an active subscription.

The same screen also asks for a name, region and pricing tier. For this example the Standard tier is just fine. Click Review + Create to see the summary, then click Create to start the deployment of the service. After a minute or two it will be deployed and you can navigate to the newly created Key Vault.

Steps to create an Azure Key Vault

Add Role Assignment

Now that we have created a new key vault to store our secrets, the obvious place to go next is Secrets. But if you take a look there, you will see you do not have permission to work with secrets yet, and if you try to create one it will fail.

screen shot showing the statement "You are unauthorized to view these contents"

You do have the rights to give yourself permission. On the left-hand menu, click on Access Control (IAM). Click on + Add and from the drop-down options select Add role assignment.

Access control in the Key Vault

When the next screen appears, we need to select a role based on Secrets. In the search box enter Secret and from the list select Key Vault Secrets Officer, which can read and write secrets. Click Next to move to the Members tab. Click on + Select members and select yourself from the list, along with anyone else who needs access. When all the members are listed, click Review + Assign twice.

Adding members to the azure key vault role assignments

You can look at the list of role assignments or click on Check my access for confirmation. If you want a user to be able to read the secrets but not write them, you would pick Key Vault Reader.

Add Secrets

When we now head to Secrets on the left-hand menu, there are no warnings about being unauthorized. Click on + Generate/Import to open the Create a secret form. Upload can stay as Manual; enter a name and the value. For naming I will use a common start for the Client ID and Secret so that in the flow in the next post I only need to ask for one parameter.

Steps to add a secret

I also add a secret to store the Tenant ID. This probably doesn’t need to be as secure but it makes it easy if everything is in the same location.
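
The three portal procedures above (create the vault, assign Key Vault Secrets Officer, add the secrets) can also be scripted. This is an added Azure CLI example, not part of the original post; the vault name, resource group, region, the `TenantID` secret name and the `-ClientID`/`-Secret` suffixes are assumptions.

```shell
#!/bin/sh
# Added example (not the post's code): the portal steps above as Azure CLI calls.
# Vault, resource group, region and secret prefix are supplied by the caller.
set -eu

# Standard-tier vault using Azure RBAC, the model behind Access Control (IAM).
create_vault() {  # args: vault resource-group region
  az keyvault create --name "$1" --resource-group "$2" --location "$3" \
    --sku standard --enable-rbac-authorization true --output none
}

# Give the signed-in user a role scoped to this one vault, not the subscription.
grant_self() (  # args: vault role
  scope=$(az keyvault show --name "$1" --query id --output tsv)
  me=$(az ad signed-in-user show --query id --output tsv)
  az role assignment create --role "$2" --scope "$scope" \
    --assignee-object-id "$me" --assignee-principal-type User --output none
)

# Store one secret via a private temp file so the value never appears in argv.
put_secret() (  # args: vault secret-name value
  case "$2" in  # Key Vault secret names: 1-127 characters, letters, digits, hyphens
    ''|*[!0-9A-Za-z-]*) echo "invalid secret name: $2" >&2; exit 2 ;;
  esac
  [ "${#2}" -le 127 ] || { echo "secret name too long" >&2; exit 2; }
  umask 077
  f=$(mktemp)
  printf '%s' "$3" > "$f"
  rc=0
  az keyvault secret set --vault-name "$1" --name "$2" --file "$f" \
    --output none || rc=$?
  rm -f "$f"
  exit "$rc"
)

# Read the three values with terminal echo off; ClientID and Secret share a prefix.
store_sp_secrets() {  # args: vault prefix
  for name in TenantID "$2-ClientID" "$2-Secret"; do
    printf '%s: ' "$name" >&2
    stty -echo; IFS= read -r value; stty echo; printf '\n' >&2
    put_secret "$1" "$name" "$value"
  done
}

if [ "${1:-}" = "--run" ]; then  # usage: sh script.sh --run VAULT GROUP REGION PREFIX
  create_vault "$2" "$3" "$4"
  grant_self "$2" "Key Vault Secrets Officer"
  store_sp_secrets "$2" "$5"
fi
```

A fresh role assignment can take a short while to take effect, so the first `put_secret` may return Forbidden and need a retry. `grant_self` accepts any built-in role name; in Microsoft's role definitions, Key Vault Secrets User reads secret contents, while Key Vault Reader covers vault and secret metadata only.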

Conclusion

I now have a key vault with 3 values. I can now use either environment variables or a flow to pull through the values. I can add more secrets to the vault for other Power BI actions.
