Integration Training Guide · Module 7

Secret Server
× Azure Key Vault

Hybrid Credential Architecture for Enterprise Organizations

A complete technical walkthrough for hybrid organizations synchronizing External Secrets between Delinea Secret Server and Azure Key Vault. Covers External Vault connector setup, secret template mapping, bidirectional sync rules, conflict resolution, and the shared security model for cross-platform credential delivery.

⇄ Bidirectional Sync
🔑 External Vault Integration
🛡 Azure AD Workload Identity
⚠ Restricted — Internal Only
30s
Min Sync Interval
AES-256
Transit Encryption
0
Plaintext In Transit
Custom Templates
01

Architecture Overview — External Vault Integration

In this integration model, Azure Key Vault functions as an External Vault — a secondary, cloud-native credential store that receives and, optionally, originates External Secrets synchronized from Secret Server. Secret Server remains the System of Record for privileged access governance: it owns rotation schedules, dependency tracking, access policies, and audit history.

The Azure Key Vault Sync Connector acts as a translation bridge — it handles field mapping between Secret Server's template model and Azure Key Vault's flat key-value secret format, manages sync state via version tokens, and enforces conflict resolution rules when both systems diverge between sync cycles.

🏢
Secret Server
Delinea PAM
System of Record
Policy Authority
TLS 1.3
OAuth 2.0
MSAL Token
AKV Sync Connector
External Vault Bridge
Field Mapper
Conflict Resolver
Azure REST API
Managed Identity
Key Vault RBAC
Azure Key Vault
External Vault
External Secrets
Cloud Native Delivery
External Vault sync channel
External Secret value flow
OAuth token / MSAL auth
ℹ️
External Vault vs. External Secret — Terminology

Throughout this guide, External Vault refers to Azure Key Vault as configured in Secret Server's Remote Password Changing → External Vault Connectors panel. An External Secret is any individual secret whose value is stored in or synchronized with that External Vault, with Secret Server retaining the canonical metadata record.

02

Prerequisites

All prerequisites must be validated in both environments before configuring the External Vault connector. Incomplete setup is the primary cause of failed initial External Secret synchronization.

  • Secret Server 11.2+ with Professional or Platinum edition
  • Azure Key Vault Sync Connector add-on installed (v3.2+)
  • Service account with Administer External Vault Connectors role permission
  • Distributed Engine installed if Secret Server is hosted on-premises
  • Audit logging enabled for External Secret access events
  • TLS certificate valid (not self-signed) on all engine nodes
  • Azure subscription with Key Vault resource provisioned in target region
  • Azure AD App Registration created for the External Vault connector
  • App Registration granted Key Vault Secrets Officer RBAC role on target vault
  • Client certificate or managed identity credential configured (not client secret)
  • Azure Monitor diagnostic logs enabled and routed to Log Analytics Workspace
  • Key Vault soft-delete and purge protection enabled (required for conflict recovery)
  • Azure Policy preventing vault access policy model (enforce RBAC authorization model)
  • Outbound HTTPS (443) from Distributed Engine to <vault-name>.vault.azure.net
  • Outbound HTTPS (443) to login.microsoftonline.com for MSAL token acquisition
  • Outbound HTTPS (443) to management.azure.com for ARM operations
  • If using Private Endpoint: DNS override configured for vault FQDN to private IP
  • Key Vault network firewall configured to allow engine subnet or Private Endpoint only
03

Configuring the Azure Key Vault Sync Connector

The External Vault connector is configured in three phases: Azure AD identity setup, Key Vault RBAC assignment, then connector registration within Secret Server's External Vault panel.

Phase 1 — Azure AD App Registration & Credential

Create the App Registration that the External Vault connector will use to authenticate to Azure Key Vault. Use a certificate credential — not a client secret — to avoid credential sprawl.

Azure CLI — App Registration & Certificate Credential
# Create the App Registration for the External Vault connector
az ad app create \
  --display-name "SecretServer-ExternalVault-Connector" \
  --sign-in-audience "AzureADMyOrg"

# Create a self-signed cert for connector auth (or use enterprise PKI)
az ad app credential reset \
  --id "<APP_OBJECT_ID>" \
  --cert "@/path/to/connector.crt" \
  --append

# Create a service principal for the App Registration
az ad sp create --id "<APP_CLIENT_ID>"

# Assign Key Vault Secrets Officer at vault scope
az role assignment create \
  --role "Key Vault Secrets Officer" \
  --assignee "<APP_CLIENT_ID>" \
  --scope "/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.KeyVault/vaults/<VAULT>"
⚠️
Never Use Access Policies Model

Azure Key Vault access policies are a legacy authorization model. Always configure the vault to use Azure RBAC. Access policies cannot be scoped to individual secrets — any permitted identity can access all secrets in the vault, violating least-privilege for External Secret access.

Phase 2 — External Vault Registration in Secret Server

1
Open External Vault Connectors Panel
Navigate to Admin → Configuration → External Vault Connectors → Add New. Select Azure Key Vault from the connector type list. Name the connector using a convention that reflects the vault environment, e.g. akv-prod-eastus.
2
Enter Azure AD Credentials
Input your Tenant ID, Client (Application) ID, and upload the PFX certificate for the connector identity. Set the Key Vault URL in the form https://<vault-name>.vault.azure.net. For Distributed Engine deployments, select the engine pool that has network access to the vault.
3
Configure Sync Mode & Interval
Select Bidirectional, Push Only (SS → AKV), or Pull Only (AKV → SS) for this External Vault instance. Set the sync polling interval — minimum 30 seconds; recommended 300 seconds for production. Enable Delta Sync to use Key Vault's nextLink pagination for efficient incremental pulls.
4
Set External Secret Prefix & Tagging Rules
Define an External Secret Name Prefix — all secrets pushed by this connector will be named <prefix>-<ss-secret-id> in Key Vault. Enable Auto-Tag External Secrets to have the connector inject metadata tags (ss-managed, ss-template, ss-folder) onto every synced External Secret.
5
Test Connection & Activate
Click Test External Vault Connection. The connector performs an MSAL token acquisition, a Key Vault GetSecret probe, and a tag write test. All must succeed. Click Activate. The connector enters Initial Sync state and begins pushing External Secrets.
JSON — Connector Configuration Payload (API reference)
{
  "connectorType": "AzureKeyVault",
  "displayName": "akv-prod-eastus",
  "tenantId": "<AZURE_TENANT_ID>",
  "clientId": "<APP_CLIENT_ID>",
  "keyVaultUrl": "https://<vault-name>.vault.azure.net",
  "authMethod": "Certificate",          // Certificate | ManagedIdentity
  "syncMode": "Bidirectional",           // Bidirectional | PushOnly | PullOnly
  "syncIntervalSeconds": 300,
  "deltaSync": true,
  "externalSecretPrefix": "ss-prod",
  "autoTagExternalSecrets": true,
  "conflictResolution": "SecretServerWins",  // SecretServerWins | AzureWins | Manual
  "enginePoolId": 3
}
04

Mapping Secret Templates to External Vault Secret Types

Secret Server organizes credentials using typed Secret Templates with named fields. Azure Key Vault stores External Secrets as flat name/value pairs with optional JSON content types. The connector's External Vault Template Mapper serializes SS template fields into structured JSON for AKV, and deserializes them back during pull operations.

Built-In Template Mappings

Secret Server Template
Azure Key Vault External Secret Format
Direction
Active Directory Account
JSON: username, password, domain
⇄ BIDI
Unix Account (SSH)
JSON: username, password, private_key
⇄ BIDI
SQL Server Account
JSON: server, database, username, password
⇄ BIDI
Azure Service Principal
JSON: clientId, clientSecret, tenantId
→ PUSH
Web Password
JSON: url, username, password
⇄ BIDI
Certificate (PEM/PFX)
AKV Certificate object (native, not Secret)
→ PUSH
Generic Password (single field)
Plaintext string value
⇄ BIDI
Custom Template (any)
Freeform JSON — user-defined mapping
⇄ BIDI

Defining a Custom External Vault Template Mapping

YAML — Custom External Vault Template Map
# External Vault Template Mapping for Oracle Service Account
external_vault_template_maps:
  - ss_template: "Oracle Service Account"
    external_vault: "akv-prod-eastus"
    "external_secret_prefix": "oracle"   # results in "oracle-{ss-id}"
    sync_direction: bidirectional
    content_type: "application/json"
    field_map:
      - ss_field: "Username"
        akv_key: "username"
        sensitive: false
      - ss_field: "Password"
        akv_key: "password"
        sensitive: true     # SS wins on conflict for sensitive fields
      - ss_field: "Server"
        akv_key: "host"
        sensitive: false    # AKV wins on conflict for infra fields
      - ss_field: "Port"
        akv_key: "port"
        type_coerce: string  # AKV stores all values as strings
    external_secret_tags:
      environment: "production"
      ss-managed: "true"       # required for pull filter
      ss-template: "oracle-service-account"
💡
External Secret Naming Convention

Use <template-short>-<ss-secret-id> as the External Secret name in Azure Key Vault. Key Vault secret names must match ^[0-9a-zA-Z-]+$ — no underscores, spaces, or slashes. Avoid encoding folder hierarchy in the name; use tags instead. Example: oracle-4821, ad-svc-7703.

05

Bidirectional Synchronization Rules

The External Vault sync engine follows a deterministic rule set to decide the direction, timing, and content of each External Secret synchronization cycle. Understanding these rules is essential for predicting system behavior under concurrent modification scenarios.

External Secrets are pushed to Azure Key Vault when:

  • A secret is created or field-edited in Secret Server (event-driven webhook)
  • A Remote Password Change (RPC) rotation completes successfully in SS
  • A secret is moved into a folder governed by an External Vault sync rule
  • The scheduled full-sync interval fires and SS version is newer than AKV version
  • An operator manually triggers sync from Admin → External Vault → Force Sync
📌
What Gets Pushed

Only fields explicitly declared in the External Vault Template Map are pushed. Unmapped fields (e.g., notes, custom metadata, check-out history) are never written to the External Vault. External Secret tags are always pushed/updated on every sync cycle regardless of value changes.

External Secrets are pulled from Azure Key Vault into Secret Server when:

  • An Azure Event Grid subscription delivers a SecretNewVersionCreated event (near real-time)
  • Delta sync poll detects a version newer than the stored ss-sync-version tag value
  • Operator triggers a Pull from Admin → External Vault → Import External Secrets
⚠️
Pull Filter: ss-managed Tag is Mandatory

The connector pulls only External Secrets tagged with ss-managed: true. Any Azure Key Vault secret without this tag is invisible to the pull engine, preventing accidental import of non-SS-managed vault contents. Never remove this tag from External Secrets managed by the connector.

The connector tracks External Secret version state using a combination of Azure Key Vault's native version IDs and SS-managed tags written to each External Secret:

External Secret — Sync State Tags
# Tags injected by connector onto every External Secret in AKV
ss-managed:        "true"
ss-secret-id:     "4821"
ss-template:      "oracle-service-account"
ss-folder-path:   "Production/Oracle/East"
ss-sync-version:  "83"           # SS internal version counter
ss-last-synced:   "2026-04-02T14:33:09Z"
ss-connector-id:  "akv-prod-eastus"

The ss-sync-version tag is compared against Secret Server's internal version number on each poll. A mismatch triggers conflict detection logic before any write is performed.

INI — External Vault Throttle Configuration
# /etc/ss-engine/akv-throttle.ini

[azure_key_vault]
max_requests_per_10s  = 2000   # AKV default service limit
burst_capacity        = 500    # token bucket burst
retry_policy          = "exponential"
retry_max_attempts    = 5
retry_base_delay_ms   = 1000

[sync_batching]
external_secrets_per_batch  = 25
batch_interval_ms           = 400
parallel_template_workers   = 4   # concurrent template map workers
delta_page_size              = 25   # AKV list page size
06

Handling Sync Conflicts

A sync conflict occurs when an External Secret is modified in both Secret Server and Azure Key Vault between polling cycles. The connector detects conflicts by comparing the AKV secret's ss-sync-version tag against Secret Server's current version counter before committing any write.

Critical Concurrent Rotation Conflict — Both Systems Rotated

Scenario: Secret Server completes a scheduled Remote Password Change (RPC) and pushes a new External Secret version to AKV. Simultaneously, an Azure automation runbook independently updates the same secret value in AKV via SetSecret.

Detection: On next poll, connector sees AKV version is newer than ss-sync-version tag AND Secret Server version is also newer than the last successful sync point — a true write-write conflict.

Default Resolution (SecretServerWins): The SS-rotated value is written to AKV as the current version. The AKV-originated value is preserved as a prior version in Key Vault's automatic version history (never deleted, retrievable via version-specific URI). An ss-conflict-overwritten tag is added to the superseded AKV version for audit purposes.

⚠️
Consumer Stale Credential Window

Any Azure workload that fetched the AKV-originated External Secret before conflict resolution may hold a stale credential until its cache TTL expires. Mandate short cache TTLs (≤ 60 seconds) for all consumers of External Secrets managed by this connector.

High Field-Level Merge Conflict — Non-Overlapping Edits

Scenario: An infrastructure team updates the host field in AKV (server migrated) while Secret Server rotates the password field. Both changes are legitimate and non-overlapping.

Detection: Field-level diff shows disjoint field modification sets — no single field was changed in both systems.

Resolution (Merge): The connector performs a smart merge. Fields marked sensitive: true in the template map (passwords, keys, tokens) are governed by SS. Fields marked sensitive: false (host, port, database, URL) are governed by AKV. The merged External Secret is written back to both systems.

Conflict Resolution — Field-Level Policy
conflict_resolution:
  default_authority: secret_server
  merge_enabled: true
  sensitive_field_winner: secret_server
  infra_field_winner: azure_key_vault
  unresolvable_action: quarantine_and_alert
  alert_channel: "azure-monitor-webhook"
High External Secret Deleted from Azure Key Vault

Scenario: An Azure Key Vault External Secret is soft-deleted (by a cleanup script, policy, or operator error) while the corresponding secret remains active in Secret Server.

Detection: On next poll, connector receives a 404 Not Found or detects the secret in AKV's Deleted Secrets state.

Resolution: Secret Server's presence wins. The connector calls RecoverDeletedSecret via the AKV API and then overwrites the recovered External Secret with the current SS value. A SYNC_CONFLICT_RECOVERED event is logged and an Azure Monitor alert is triggered.

If soft-delete recovery fails (purge protection window exceeded), the connector creates a new External Secret with the same name prefix and current SS value, and an alert escalates to the External Vault admin queue.

Medium External Secret Deleted from Secret Server

Scenario: A secret is decommissioned and deleted from Secret Server. The corresponding External Secret still exists in Azure Key Vault.

Resolution: The connector does not automatically delete the External Secret from AKV. Instead, it tags the AKV secret with ss-decommissioned: true and ss-deleted-at: <timestamp>, then moves it to a configurable quarantine tag group. Operators must explicitly confirm AKV deletion via Admin → External Vault → Decommissioned Secrets. This prevents data loss from accidental SS deletions.

Low External Secret Tag Metadata Divergence

Scenario: An Azure governance team applies additional tags to External Secrets in AKV (e.g., data-classification: confidential, cost-center: eng-infra) for compliance or billing purposes.

Resolution: The connector preserves all tags whose keys do not begin with the ss- prefix. Non-SS tags are treated as Azure-owned metadata and are never overwritten during sync. This enables parallel governance — Secret Server controls ss-* tags; Azure teams control all other tags.

07

Security Model for Cross-Platform Credential Sharing

The integration's security architecture ensures that External Secret values never traverse the network in plaintext, access is governed by least-privilege identities on both platforms, and every operation produces a correlated, tamper-evident audit record across both systems.

🔐
Transport Encryption — TLS 1.3 + MSAL
All External Secret values are transmitted exclusively over TLS 1.3. The connector acquires a short-lived OAuth 2.0 Bearer token via MSAL (Microsoft Authentication Library) before each API session. Tokens have a 1-hour TTL and are cached in memory only — never persisted to disk or database.
🆔
Workload Identity — Certificate over Client Secret
The connector authenticates to Azure AD using a certificate credential (or a managed identity where available), not a client secret. Certificate-based credentials eliminate the risk of secret sprawl from the identity used to manage secrets — a critical separation of concerns. Certificates are rotated on a 90-day schedule via Secret Server's own RPC.
🛡
Azure RBAC — Key Vault Secrets Officer (Scoped)
The connector's service principal holds only Key Vault Secrets Officer, scoped to the specific Key Vault resource — not the subscription or resource group. It cannot create or delete vaults, access certificates or keys, or read secrets it did not create. Azure RBAC deny assignments can further restrict the connector's scope to only the ss-prod-* External Secret name prefix.
📋
Dual Correlated Audit Trail
Every External Secret sync operation produces events in both Secret Server's audit log and Azure Key Vault's diagnostic logs (routed to Log Analytics). A shared ss-correlation-id is injected into the AKV request's x-ms-client-request-id header, enabling cross-platform query correlation for incident response.
🔄
Rotation Integrity Guarantee
RPC rotation in Secret Server is committed locally before any push to the External Vault. If the AKV write fails (network error, throttle, RBAC denial), the rotation still succeeds in SS and is retried with exponential backoff. External consumers never receive a new credential value before SS has confirmed the rotation is complete and valid.
🌐
Network Isolation — Private Endpoint
In production, deploy Azure Key Vault with a Private Endpoint. The Distributed Engine subnet must have a VNet peer or ExpressRoute link to the AKV VNet. Disable public network access on the vault. This ensures External Secret values never traverse the public internet — all traffic stays within the Azure backbone and your private network.

Shared Responsibility Boundary

Cross-Platform Responsibility Matrix
┌────────────────────────────────┬──────────────────────┬──────────────────────┐
│ Domain                         │ Secret Server        │ Azure Key Vault      │
├────────────────────────────────┼──────────────────────┼──────────────────────┤
 Credential lifecycle / RPC      ✓ Owner               Replica              
 Access policy & check-out       ✓ Owner               IAM complement       
 Native cloud app delivery       Via External Secret   ✓ Owner              
 Key / cert custody (HSM)        AES-256 at-rest       ✓ Owner (FIPS HSM)   
 Rotation scheduling             ✓ Owner (RPC)         Triggered by push    
 Audit trail — PAM events        ✓ Owner               Correlated           
 Audit trail — API plane         Correlated            ✓ Owner (CloudTrail) 
 Conflict resolution authority   ✓ Configurable        Field-level override 
└────────────────────────────────┴──────────────────────┴──────────────────────┘
08

Knowledge Check

Validate your understanding before deployment. Each question covers a key concept from this guide.

QUESTION 01 OF 05
In this integration model, what term describes Azure Key Vault as configured within Secret Server's connector panel?
ARemote Secret Store
BExternal Vault
CSecondary Repository
DFederated Key Store
✓ Correct! Azure Key Vault is designated as an External Vault within Secret Server's External Vault Connectors panel. Individual synchronized credentials are called External Secrets.
QUESTION 02 OF 05
Which tag is mandatory on an Azure Key Vault secret for the connector's pull engine to include it in synchronization?
Ass-sync-enabled: true
Bss-secret-id: <id>
Css-managed: true
Dsync-direction: pull
✓ Correct! Only External Secrets tagged ss-managed: true are visible to the pull engine. This prevents accidental import of unmanaged vault contents into Secret Server.
QUESTION 03 OF 05
Why is certificate-based authentication preferred over a client secret for the External Vault connector's App Registration?
ACertificates are required by Azure policy — client secrets are not supported on App Registrations
BIt avoids credential sprawl — using a client secret would mean storing a secret to manage secrets, creating a circular dependency
CCertificates automatically rotate; client secrets must be manually renewed
DCertificate credentials provide higher RBAC permissions than client secrets
✓ Correct! Using a client secret to authenticate a system that manages secrets creates a circular dependency and credential sprawl risk. Certificate credentials (or managed identities) eliminate this and can themselves be managed by Secret Server's RPC.
QUESTION 04 OF 05
A field-level conflict occurs: AKV updated the host field (server migration); Secret Server rotated the password. Both fields are in the template map. What happens?
AThe entire External Secret is quarantined pending manual review
BSecret Server wins all fields — AKV's host change is discarded
CFields are merged: SS wins password (sensitive field); AKV wins host (infra field)
DThe most recently modified version overwrites all fields
✓ Correct! The smart merge applies field-level authority: sensitive: true fields are owned by Secret Server; sensitive: false infrastructure fields can be updated by AKV. The merged value is written to both systems.
QUESTION 05 OF 05
An External Secret is accidentally soft-deleted from Azure Key Vault while still active in Secret Server. What does the connector do by default?
ALogs a warning but takes no action — manual recovery is required
BDeletes the secret from Secret Server to keep both systems consistent
CCalls RecoverDeletedSecret to restore the AKV secret, then overwrites it with the current SS value
DCreates a new secret in Secret Server cloned from the AKV deleted version
✓ Correct! Secret Server's existence wins. The connector uses AKV's soft-delete recovery API to restore the External Secret, then syncs the authoritative SS value onto it. A SYNC_CONFLICT_RECOVERED alert is sent to the External Vault admin queue.
09

Deployment Checklist

Check off every item before promoting the External Vault connector to production. This tracks completion within your current session.

Azure Infrastructure Hardening

  • Key Vault configured with Azure RBAC authorization model (not access policies)
  • Connector service principal has only Key Vault Secrets Officer — no broader roles
  • Private Endpoint deployed; public network access disabled on the Key Vault
  • Soft-delete enabled (90-day retention) and purge protection enabled on vault
  • Azure Monitor diagnostic logs routed to Log Analytics Workspace
  • Azure Policy in place to enforce ss-managed tag on all connector-created secrets
  • Event Grid subscription configured for SecretNewVersionCreated events (near-RT pull)

Secret Server Configuration

  • External Vault connector connection test passes all three checks (MSAL, GetSecret, Tag write)
  • External Vault Template Maps validated against all in-scope secret templates in non-production
  • Conflict resolution policy set and reviewed by security team (SecretServerWins default)
  • External Secret prefix naming convention documented and applied to all template maps
  • Pull filter (ss-managed tag) verified to be injected on all connector-pushed External Secrets

Operational Readiness

  • Runbook created for manual conflict resolution and quarantine queue management
  • Azure Monitor alerts configured for: sync failures, conflict events, quota throttling
  • Rollback procedure documented (disable connector, restore prior AKV version)
  • Consumer application teams informed of max External Secret cache TTL (≤ 60s)
  • Cross-platform audit log correlation query validated in Log Analytics
  • Connector certificate rotation scheduled in Secret Server RPC (90-day cycle)
Secret Server × Azure Key Vault Integration Guide v4.1
Classification: INTERNAL · External Vault Connector: AKV Sync v3.2+