Interactive Training Guide

Managing External Secrets
with Azure Key Vault

A step-by-step operational guide for integrating Delinea Secret Server with Azure Key Vault — covering identity setup, vault bridging, and secret synchronization.

01
Establishing the Azure Identity
Before Delinea can interact with Azure, it requires a dedicated service principal — an App Registration — with the right credentials and RBAC permissions to read and write secrets in Key Vault.
[Diagram: Delinea Secret Server → App Registration (Service Principal) → Azure Key Vault (RBAC: Key Vault Secrets Officer)]
Log in to the Azure Portal and navigate to Microsoft Entra ID → App registrations
Click New registration and enter a descriptive name (e.g. delinea-keyvault-connector)
Set Supported account type to Accounts in this organizational directory only
Navigate to Certificates & secrets → Client secrets → New client secret
Set a descriptive name and an expiration period. The portal's recommended default is 6 months; 6 or 12 months is common, but the shorter the lifetime the smaller the window in which a leaked value is useful, so choose the shortest period your rotation process can keep up with.
Copy the Secret Value immediately after creation
Once you navigate away, the value is masked permanently and cannot be retrieved again; if you lose it, delete that client secret and create a new one.
⚠️ Critical: The Client Secret value is only visible once, immediately after creation. Store it securely in a password manager or in Delinea itself before navigating away.
Navigate to your Azure Key Vault resource in the Azure Portal
Go to Access control (IAM) → Add role assignment
Assign the role Key Vault Secrets Officer to your App Registration, scoped to this vault only (not the resource group or subscription)
This role is required because Delinea needs write access to update secrets during rotation cycles. Secrets Officer is the narrowest built-in role that includes write; note that it also grants read and delete on every secret in the vault, which is why the assignment should be scoped to the single vault Delinea will sync to.
Check that the vault's permission model (Key Vault → Access configuration) is set to Azure role-based access control. If the vault still uses the legacy vault access policy model, an IAM role assignment grants no data-plane access and every secret operation from Delinea will be refused with 403.
ℹ️ You'll need three values in the next step: Application (Client) ID, Directory (Tenant) ID, and the Client Secret Value. Gather these from the App Registration overview page.
Why is the Key Vault Secrets Officer role required — rather than a read-only role?
✓ Correct. During a password rotation cycle, Delinea must push the new credential value back into Azure Key Vault — which requires write permissions.
02
Configuring the Bridge in Delinea
With the Azure identity ready, you configure Delinea Secret Server to use those credentials to communicate with the Azure API — creating a secure, named connection to your Key Vault.
[Diagram: App Registration secret (Secret Template) → External Vault Link (Administration) → Azure Key Vault (API Connection)]
In Delinea Secret Server, create a new secret using the Azure App Registration template
Input the Application (Client) ID, Directory (Tenant) ID, and the Client Secret Value from Step 1
This secret stores the credentials Delinea presents to Microsoft Entra ID to obtain an access token for your tenant; the token is then used against the Key Vault and Azure Resource Manager APIs.
# Fields required in the Azure App Registration secret template

Application (Client) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Directory (Tenant) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client Secret Value: ~Abc1234567890xyz~
Navigate to Administration → External Secrets (under the Integration section)
Click Create External Vault Link
Set Provider to Azure Key Vault and Credential Secret to the App Registration secret created above
Under Vault Selection, Delinea will use the API to list vaults. Only vaults on which the service principal holds a role (the Secrets Officer assignment from Step 1 includes read on the vault resource) appear, so select your target Azure Key Vault from the dropdown
If the dropdown is empty, verify that the App Registration secret is correct (all three values, including the Tenant ID), that the RBAC role from Step 1 was saved and is scoped to this vault or a parent scope, and that the vault's permission model is Azure RBAC rather than access policies.
A successful vault link means Delinea can authenticate with Azure and enumerate secrets. If the vault dropdown populates, your identity configuration from Step 1 is working correctly.
What is the purpose of the Credential Secret when creating the External Vault Link in Delinea?
✓ Correct. The Credential Secret holds the Client ID, Tenant ID, and Client Secret Value that Delinea presents to the Azure API to prove its identity.
03
Synchronizing and Mapping Secrets
With the vault link established, you now define exactly which Delinea secret fields map to which Azure Key Vault entries — including data transformation and verification.
On the secret you wish to sync, click Add External Secret
Set Vault Link to the Azure Key Vault link you created in Step 2
Define the Secret Name in Azure. This is how the secret will appear inside Azure Key Vault; Key Vault secret names may contain only letters, digits and hyphens (1 to 127 characters), so underscores, dots and spaces from a Delinea secret name are not valid here
Example: Prod-VM-Admin-Pass
Map the Delinea Password field → Azure Key Vault Value
This is the primary field mapping and is always required.
(Optional) Add the Username field as a Secret Tag in Azure Key Vault if you want to sync that as well. Tags are clear-text metadata on the secret, not secret material: anyone who can list secrets in the vault can read them, so use them only for non-sensitive values such as a username.
# Field mapping overview

Delinea Field: Password  ->  Azure KV Field: Value
Delinea Field: Username  ->  Azure KV Tag: username (optional)
Click Save — Delinea will perform an immediate sync upon saving
Log in to the Azure Portal → Key Vault → Secrets
Confirm the secret name exists and that the current (latest) version's value matches the current password in Delinea. Key Vault keeps every previous value as an older version, so after a rotation expect a new version to appear rather than the old one to change in place.
If the secret appears in Azure Key Vault with the correct value, the full integration pipeline is working — from Delinea storage through authentication to Azure synchronization.
During field mapping, the Delinea Password field maps to which Azure Key Vault field?
✓ Correct. The Password field from Delinea maps directly to the Value field of the Azure Key Vault secret.
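The two API exchanges that Steps 2 and 3 depend on, shown as plain REST calls so the flow behind the External Vault Link and the External Secret mapping is visible. This is an added example written for this guide, not Delinea's or Microsoft's code. The token endpoint, the https://vault.azure.net/.default scope, the Key Vault secrets API (api-version 7.4 is one valid version), the AADSTS7000215 error for a bad or expired client secret, and the ForbiddenByRbac / ForbiddenByPolicy inner error codes are Microsoft's published conventions. Everything else is an assumption of the example: the vault name kv, the FakeAzure class (a constructed stand-in so the block runs offline and reproduces the 401 and 403 failure modes), the demo() function and the sample secret values.

```python
# Added example (not Delinea's or Microsoft's code): the REST exchanges behind the
# External Vault Link (token) and the External Secret mapping (set/verify secret).
# The transport is injectable so the block runs offline against FakeAzure below.
import json
import re
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

KV_API_VERSION = "7.4"  # one valid Key Vault secrets REST API version
SECRET_NAME_RE = re.compile(r"^[0-9A-Za-z-]{1,127}$")  # Key Vault secret naming rule


class AzureError(Exception):
    pass


def urllib_transport(method, url, headers, body=None):
    """Real transport returning (status, JSON body); swap in FakeAzure.request offline."""
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def get_token(tenant_id, client_id, client_secret, transport=urllib_transport):
    """OAuth2 client-credentials grant: what Delinea does with the Credential Secret."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://vault.azure.net/.default"}
    status, data = transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"},
                             urlencode(form).encode())
    if status != 200:
        # AADSTS7000215 here means the Step 1B client secret is wrong or has expired
        raise AzureError(f"token request failed: {data.get('error')}: {data.get('error_description', '')}")
    return data["access_token"]


def set_secret(vault, name, value, token, username=None, transport=urllib_transport):
    """PUT creates a new version of the secret; the username goes into a clear-text tag."""
    if not SECRET_NAME_RE.match(name):
        raise ValueError("Key Vault secret names allow only letters, digits and hyphens (1-127 chars)")
    url = f"https://{vault}.vault.azure.net/secrets/{name}?api-version={KV_API_VERSION}"
    payload = {"value": value}
    if username is not None:
        payload["tags"] = {"username": username}  # metadata, readable by anyone who can list secrets
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, data = transport("PUT", url, headers, json.dumps(payload).encode())
    if status == 403:
        inner = data.get("error", {}).get("innererror", {}).get("code", "")
        hints = {"ForbiddenByRbac": "assign Key Vault Secrets Officer on this vault",
                 "ForbiddenByPolicy": "vault uses access policies; switch it to Azure RBAC"}
        raise AzureError(f"403 {inner}: {hints.get(inner, 'check the permissions of the identity')}")
    if status != 200:
        raise AzureError(f"set secret failed with HTTP {status}: {data}")
    return data["id"]  # versioned identifier: https://<vault>.vault.azure.net/secrets/<name>/<version>


def verify_sync(vault, name, expected, token, transport=urllib_transport):
    """Step 3C as code: read the current version back and compare with Delinea's value."""
    url = f"https://{vault}.vault.azure.net/secrets/{name}?api-version={KV_API_VERSION}"
    status, data = transport("GET", url, {"Authorization": f"Bearer {token}"})
    return status == 200 and data.get("value") == expected


class FakeAzure:
    """Constructed stand-in for the token endpoint and one vault (assumption, not a real service)."""

    def __init__(self, client_secret, rbac_assigned):
        self.client_secret, self.rbac_assigned, self.store = client_secret, rbac_assigned, {}

    def request(self, method, url, headers, body=None):
        if "login.microsoftonline.com" in url:
            sent = parse_qs(body.decode()).get("client_secret", [None])[0]
            if sent != self.client_secret:
                return 401, {"error": "invalid_client",
                             "error_description": "AADSTS7000215: Invalid client secret provided."}
            return 200, {"access_token": "eyJ.fake.token", "token_type": "Bearer"}
        if headers.get("Authorization") != "Bearer eyJ.fake.token":
            return 401, {"error": {"code": "Unauthorized"}}
        name = url.split("/secrets/")[1].split("?")[0]
        if method == "PUT":
            if not self.rbac_assigned:
                return 403, {"error": {"code": "Forbidden", "innererror": {"code": "ForbiddenByRbac"}}}
            self.store.setdefault(name, []).append(json.loads(body))
            version = f"v{len(self.store[name])}"
            return 200, {**self.store[name][-1], "id": f"https://kv.vault.azure.net/secrets/{name}/{version}"}
        if method == "GET" and name in self.store:
            return 200, self.store[name][-1]  # latest version, as the portal's default view shows
        return 404, {"error": {"code": "SecretNotFound"}}


def demo():
    """Full pipeline against the fake: token -> set secret with username tag -> verify."""
    azure = FakeAzure(client_secret="~Abc1234567890xyz~", rbac_assigned=True)
    token = get_token("tenant-guid", "client-guid", "~Abc1234567890xyz~", azure.request)
    sid = set_secret("kv", "Prod-VM-Admin-Pass", "P@ss-v1", token, username="vmadmin",
                     transport=azure.request)
    return sid, verify_sync("kv", "Prod-VM-Admin-Pass", "P@ss-v1", token, azure.request)


if __name__ == "__main__":
    print(demo())
```

Against a real tenant, leave the transport argument at its default and pass the three values from Step 1; the error paths map onto the troubleshooting cases in this guide (AADSTS7000215 means rotate the client secret, ForbiddenByRbac means the role assignment is missing on this vault, ForbiddenByPolicy means the vault is still on the access-policy permission model).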
04
Integration Summary & Review
A consolidated reference of the full integration flow — key values, decisions made at each step, and common troubleshooting checkpoints.
Step | Action | Key Detail
1A — Register App | Create App Registration in Microsoft Entra ID | Account type: this organizational directory only
1B — Credentials | Generate Client Secret under Certificates & secrets | Copy value immediately; only visible once
1C — RBAC | Assign role to App Registration on Key Vault | Role: Key Vault Secrets Officer (write access required)
2A — Connection Secret | Create secret in Delinea using Azure App Registration template | Inputs: Client ID, Tenant ID, Secret Value
2B — Vault Link | Create External Vault Link in Administration → External Secrets | Provider: Azure Key Vault; select target vault
3A — Mapping | Add External Secret, define secret name in Azure | Example name: Prod-VM-Admin-Pass
3B — Field Map | Map Delinea Password → Azure KV Value | Username can optionally be added as a Secret Tag
3C — Verify | Check Azure Portal → Key Vault → Secrets | Confirm secret name exists and value matches
🔧 Troubleshooting Tip: If the Vault Selection dropdown is empty during Step 2, double-check that the RBAC role assignment was saved and is scoped to the target vault (or a parent scope), that the vault's permission model is Azure RBAC rather than vault access policies, that the Credential Secret has the correct Tenant ID and Client ID, and that the client secret itself has not expired (the App Registration does not expire; its client secret does).
🔄 Ongoing Maintenance: Client secrets expire on the schedule set in Step 1B. Set a calendar reminder before expiry and rotate without a gap: create a new client secret in the App Registration, update the value in the Delinea credential secret, confirm a sync succeeds, and only then delete the old client secret. Letting it lapse breaks every mapped secret's sync at once.
Training Complete

You've successfully completed the Azure Key Vault external secrets integration training. You're ready to configure and manage this integration in production.