Interactive Training Guide

Managing External Secrets
with Azure Key Vault

A step-by-step operational guide for integrating Delinea Secret Server with Azure Key Vault — covering identity setup, vault bridging, and secret synchronization.

Overall Progress
0%
01
Establishing the Azure Identity
Before Delinea can interact with Azure, it requires a dedicated service principal — an App Registration — with the right credentials and RBAC permissions to read and write secrets in Key Vault.
🔐
Delinea Secret Server
🪪
App Registration
Service Principal
🏦
Azure Key Vault
RBAC: Secrets Officer
A — Register the Application
Log in to the Azure Portal and navigate to Microsoft Entra ID → App registrations
Click New registration and enter a descriptive name (e.g. delinea-keyvault-connector)
Set Supported account type to Accounts in this organizational directory only
B — Generate Authentication Credentials
Navigate to Certificates & secrets → Client secrets → New client secret
Set a descriptive name and an expiration period — 6 or 12 months is standard
Copy the Secret Value immediately after creation
Once you navigate away, this value is masked permanently — it cannot be retrieved again.
⚠️ Critical: The Client Secret value is only visible once — immediately after creation. Store it securely in a password manager or Delinea itself before navigating away.
C — Configure RBAC Permissions
Navigate to your Azure Key Vault resource in the Azure Portal
Go to Access control (IAM) → Add role assignment
Assign the role Key Vault Secrets Officer to your App Registration
This role is required because Delinea needs write access to update secrets during rotation cycles.
ℹ️ You'll need three values in the next step: Application (Client) ID, Directory (Tenant) ID, and the Client Secret Value. Gather these from the App Registration overview page.
Why is the Key Vault Secrets Officer role required — rather than a read-only role?
✓ Correct. During a password rotation cycle, Delinea must push the new credential value back into Azure Key Vault — which requires write permissions.
✗ Not quite. The key reason is that Delinea needs to write updated secrets back to Azure during rotation — a read-only role would break this workflow.
02
Configuring the Bridge in Delinea
With the Azure identity ready, you configure Delinea Secret Server to use those credentials to communicate with the Azure API — creating a secure, named connection to your Key Vault.
🔐
App Registration
Secret Template
🔗
External Vault Link
Administration
🏦
Azure Key Vault
API Connection
A — Create the Connection Secret
In Delinea Secret Server, create a new secret using the Azure App Registration template
Input the Application (Client) ID, Directory (Tenant) ID, and the Client Secret Value from Step 1
This secret stores the credentials Delinea uses to authenticate with your Azure subscription.
# Fields required in the Azure App Registration secret template

Application (Client) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Directory (Tenant) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client Secret Value: ~Abc1234567890xyz~
B — Define the External Vault Link
Navigate to Administration → External Secrets (under the Integration section)
Click Create External Vault Link
Set Provider to Azure Key Vault and Credential Secret to the App Registration secret created above
Under Vault Selection, Delinea will use the API to list vaults — select your target Azure Key Vault from the dropdown
If the dropdown is empty, verify that the App Registration secret is correct and that the RBAC role was assigned in Step 1.
A successful vault link means Delinea can authenticate with Azure and enumerate secrets. If the vault dropdown populates, your identity configuration from Step 1 is working correctly.
What is the purpose of the Credential Secret when creating the External Vault Link in Delinea?
✓ Correct. The Credential Secret holds the Client ID, Tenant ID, and Client Secret Value that Delinea presents to the Azure API to prove its identity.
✗ Not quite. The Credential Secret is the App Registration secret that Delinea uses to authenticate with Azure — it contains the Client ID, Tenant ID, and Secret Value.
03
Synchronizing and Mapping Secrets
With the vault link established, you now define exactly which Delinea secret fields map to which Azure Key Vault entries — including data transformation and verification.
A — Establish the Mapping
On the secret you wish to sync, click Add External Secret
Set Vault Link to the Azure Key Vault link you created in Step 2
Define the Secret Name in Azure — this is how the secret will appear inside Azure Key Vault
Example: Prod-VM-Admin-Pass
B — Data Transformation (Field Mapping)
Map the Delinea Password field → Azure Key Vault Value
This is the primary field mapping and is always required.
(Optional) Add the Username field as a Secret Tag in Azure Key Vault if you want to sync that as well
# Field mapping overview

Delinea Field: PasswordAzure KV Field: Value
Delinea Field: UsernameAzure KV Tag: username (optional)
C — Verification
Click Save — Delinea will perform an immediate sync upon saving
Log in to the Azure Portal → Key Vault → Secrets
Confirm the secret name exists and the value matches the current password in Delinea
If the secret appears in Azure Key Vault with the correct value, the full integration pipeline is working — from Delinea storage through authentication to Azure synchronization.
During field mapping, the Delinea Password field maps to which Azure Key Vault field?
✓ Correct. The Password field from Delinea maps directly to the Value field of the Azure Key Vault secret.
✗ Not quite. The Delinea Password field maps to the Value field in Azure Key Vault — which is the actual secret content.
04
Integration Summary & Review
A consolidated reference of the full integration flow — key values, decisions made at each step, and common troubleshooting checkpoints.
Step Action Key Detail
1A — Register App Create App Registration in Microsoft Entra ID Account type: this organizational directory only
1B — Credentials Generate Client Secret under Certificates & Secrets Copy value immediately — only visible once
1C — RBAC Assign role to App Registration on Key Vault Role: Key Vault Secrets Officer (write access required)
2A — Connection Secret Create secret in Delinea using Azure App Registration template Inputs: Client ID, Tenant ID, Secret Value
2B — Vault Link Create External Vault Link in Administration → External Secrets Provider: Azure Key Vault; select target vault
3A — Mapping Add External Secret, define secret name in Azure Example name: Prod-VM-Admin-Pass
3B — Field Map Map Delinea Password → Azure KV Value Username can optionally be added as a Secret Tag
3C — Verify Check Azure Portal → Key Vault → Secrets Confirm secret name exists and value matches
🔧 Troubleshooting Tip: If the Vault Selection dropdown is empty during Step 2, double-check that the RBAC role was saved, the Credential Secret has the correct Tenant ID, and that the App Registration has not expired.
🔄 Ongoing Maintenance: Client secrets expire on the schedule set in Step 1B. Set a calendar reminder before expiry to rotate the credential secret in Delinea and in the App Registration to avoid sync failures.
Final Confirmation
I have reviewed all three steps and understand the full integration flow
I understand why the Key Vault Secrets Officer role is required for Delinea integration
I know what to do if the Client Secret expires and sync breaks
🏆

Training Complete

You've successfully completed the Azure Key Vault external secrets integration training. You're ready to configure and manage this integration in production.