Azure Key Vault & MSDyn365FO: Setup Certificates and Passwords

From time to time I have to configure the electronic certificate to be used in the SII (Immediate Information Supply) module, and the same thing always happens: I don’t remember exactly what I had to do. That is why I have decided to write this post, with a detailed step-by-step guide, so that I don’t have to spend more time googling how to do it, and hey, if I also help someone in the same situation, not bad at all!

This post will be divided into three main parts. The first two parts are, as I said, the ones we need to use the SII module. In the third part, we will see how we can use these Key Vaults in our developments to store passwords and secrets in a secure way.

Upload certificate to an Azure Key Vault

The first thing we will do is upload our electronic certificate to an Azure Key Vault, but what is a Key Vault?

Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets.

In this link you can get more details about the advantages of using this service.

Therefore, in order to upload our certificate, the first thing we have to do is create a Key Vault within our Azure subscription. To do this, we go to the Azure portal, click on the Create new resource button, search for “Key Vault” in the marketplace search engine and click on the Create button.

Create new Key vault in azure portal

The next step is to fill in the data requested for the Key Vault, such as the resource group (it can be a new or an existing one), the name of the Key Vault, and the region in which we want to deploy it.

Create new key vault in azure portal

Once filled, click on the Review and Create button, and when creation is complete, the following notification will appear in the panel.

Created key vault notification

Now that we have the Key Vault created, we can proceed with the upload of the certificate. To do this, we will run the following PowerShell script setting the required values. In order to run this script, some minimum requirements are necessary:

  • The certificate must have a .pfx extension (I have tested it with .p12 and it also works).
  • The .Net Framework 4.7.2 or later must be installed.
  • The Azure PowerShell module must be installed.
  • The user running the script must have sufficient permissions within the Azure subscription.

In this script you must set the following values:

  • $pfxFilePath = Path where the certificate is located
  • $pwd = Certificate password (if required)
  • $secretName = Name of the secret that will be created in our key vault and will contain the certificate
  • $keyVaultName = Name of the key vault that we have previously created
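A script of this shape, written here as an added example and not the script from the original post, using the four variable names listed above with placeholder values. It assumes the Az PowerShell module; the private-key check and the final cleanup are additions for illustration.

```powershell
# Added example. Replace the placeholder values before running.
$pfxFilePath  = 'C:\temp\certificate.pfx'   # placeholder path to the .pfx / .p12 file
$pwd          = ''                          # certificate password; leave empty if none
$secretName   = 'SII-Certificate'           # placeholder name for the new secret
$keyVaultName = 'my-key-vault'              # placeholder name of the Key Vault

# Load the certificate and make sure the file really carries a private key.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pwd, $flags)
if (-not ($collection | Where-Object { $_.HasPrivateKey })) {
    throw "No certificate with a private key found in $pfxFilePath"
}

# Re-export as PKCS#12 bytes. No password is passed to Export(), so the stored
# blob is protected only by the vault's access control, not by the PFX password.
$pkcs12 = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$bytes  = $collection.Export($pkcs12)

# Key Vault secrets are strings, so the PFX is stored Base64-encoded.
$encoded     = [System.Convert]::ToBase64String($bytes)
$secretValue = ConvertTo-SecureString -String $encoded -AsPlainText -Force

# Sign in. With several subscriptions, select the one that holds the vault.
Connect-AzAccount | Out-Null
# Set-AzContext -Subscription '<subscription name or id>'

$result = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName `
    -SecretValue $secretValue -ContentType 'application/x-pkcs12'

# Show what was stored without printing the secret value itself.
$result | Select-Object VaultName, Name, Version, ContentType, Enabled

# Drop the in-memory copies of the key material.
[Array]::Clear($bytes, 0, $bytes.Length)
Remove-Variable encoded, secretValue
```

If the certificate password is typed into the script file, delete it from the file once the upload has succeeded.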

Once executed, Azure credentials will be requested.

Insert azure credentials to load the certificate

Now, we go back to the Key Vault from the Azure portal, and we see that a new Secret has been created within it.

New secret created that contains the certificate

The next step is to create a new Azure Active Directory app registration. This gives Dynamics 365 an identity with which it can access the Key Vault.

To do this, we go to Azure Active Directory and create a new app registration.

Create new azure active directory app registration

Once the app registration is created, we create a secret, which Dynamics will use to authenticate against the Key Vault. To do this, we go to Certificates & secrets and add a new one. We have to give it a name and choose when it should expire. Once the secret is generated, we copy it to a safe place to use it later.

Create new secret within azure active directory app registration

To finish with the configuration within the Azure portal, we add an access policy to the Key Vault that gives the necessary permissions to the app registration we have just created. To do this, we go to the Key Vault, Access Policies, and add a new policy. In it, we select the template that carries the required permissions, and we select the app registration that we previously created.

Add access policy to key vault

Finally, we click on the save button. With this, we would already have all the necessary configuration on the Azure side.

Add access policy to key vault
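The same access policy can be set and then reviewed from PowerShell. This is an added example, not part of the original post: the vault name and application ID are placeholders, and it assumes that Dynamics only needs to read secrets, so only Get and List on secrets are granted.

```powershell
# Added example. Replace the placeholder values before running.
$keyVaultName = 'my-key-vault'                           # placeholder vault name
$appId        = '00000000-0000-0000-0000-000000000000'   # placeholder Application (client) ID

# Assumption: read access to secrets is enough, because both the certificate
# and the manual passwords are stored as secrets in the vault.
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName `
    -ServicePrincipalName $appId `
    -PermissionsToSecrets Get, List

# Read the policy back for this app registration's service principal.
$sp     = Get-AzADServicePrincipal -ApplicationId $appId
$vault  = Get-AzKeyVault -VaultName $keyVaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) {
    throw "No access policy found for application $appId on $keyVaultName"
}
$policy | Select-Object DisplayName, PermissionsToSecrets,
    PermissionsToKeys, PermissionsToCertificates

# Flag anything beyond read-only access to secrets, for example permissions
# left over from a broader portal template.
$unexpected = @(
    $policy.PermissionsToSecrets | Where-Object { $_ -and $_ -notin 'get', 'list' }
    $policy.PermissionsToKeys
    $policy.PermissionsToCertificates
) | Where-Object { $_ }

if ($unexpected) {
    Write-Warning "Policy grants more than secret Get/List: $($unexpected -join ', ')"
} else {
    Write-Output 'Policy is limited to Get/List on secrets.'
}
```

This applies to vaults that use the access policy permission model shown in the post.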

Set up Key Vault in Microsoft Dynamics 365 Finance

Now, it’s time to go to Dynamics 365 Finance to make the necessary settings. For this we go to System Administration > Key Vault Parameters. We create a new record and fill it with the following values:

Key vault parameters in Microsoft Dynamics 365 Finance and Operations

  • Key Vault URL: DNS Name (Key Vault)

DNS Name of key vault

  • Key Vault client: Application ID (App reg. AAD)

Application Id of azure active directory app registration

  • Key Vault secret key: Secret generated by us (App reg. AAD)

Finally, add a new secret:

  • Secret: vault://KeyVault_Name/Secret_Name/[Secret_Version] (In our case, we only have one version of the secret, so it is not necessary to indicate it).
  • Secret type: Certificate

Now, click on the Validate button, and if everything went well, the following info should appear:

Validate secret in Microsoft Dynamics 365 Finance and Operations

And with this, we would already have completed the configuration of the certificate to use in the SII, so that our colleagues can continue with the configuration and testing of the module.

Store passwords in Key Vault and use them from X++

Yes, apart from using Key Vaults to store our certificates for the SII, we can use these key stores to securely store the passwords we need, for example, to integrate with third-party applications from X++. With this, we would avoid storing them in our database, and of course, we would avoid having the passwords directly in the code (yes, in the code, believe it or not, it exists) and we would be able to centralize all this information in a single repository.

All we need is to add a new secret to the Key Vault manually by clicking on the Generate/Import button.

Create new secret in key vault

We enter the name of the secret and the password that we want to keep in the Value field.

Create new secret in key vault

And we configure it within Dynamics 365 Finance in the same way that we saw in the previous point.

Set up manual secret in key vault parameters

The only difference with the previous configuration is that in this case the Secret Type is Manual.

Now we can use the secret from our X++ code, and this can be done quite simply, using the getManualSecretValue method of the KeyVaultCertificateHelper class.

This method will return the value of the secret that we have configured, as can be seen in the following image.

Get password from key vault secret with x++

I hope you find it useful! 🙂

14 comments

  1. Can you please review your Certificate import script, as it (possibly due to copying) contains a few errors: “[” should be replaced by a simple “[”
    and please be aware that if there are multiple subscriptions you need to add Set-AzContext -subscription

  2. //Get ClientId
    certificateTableClientID =KeyVaultCertificateTable::findByName(IntegrationAPIDetails.ClientIDName);
    clientIDPassword = KeyVaultCertificateHelper::getManualSecretValue(certificateTableClientID.RecId);

    But we are facing below error

    Access denied to field Key Vault secret key (SecretKey) in table Key Vault parameters (KeyVaultParameters).

  3. Hi Ja.tomas

    Thanks for the blog it is really helpful in configuring the key vault with D365.
    I need clarification on upload certificate, What certificate to upload in the key vault and where we will get this certificate, I am setting up sealed bidding functionality for D365 FNO and not sure what certificate to upload to key Vault.
    Vinod Bhandari

    1. Hi Vinod,
      Thanks for commenting. In this case, the certificate is a .pfx or a .cer, and, once imported, you can find it in the secrets.


  4. When retrieving the secret key, I get this error: ‘No se puede encontrar el valor secreto manual’

    Can anyone help me with what causes this or what I should do?

  5. Hi Ja.tomas

    I am getting ‘Unable to find the digital certificate.’ error when I use secret type as ‘Key’ in d365 FO.
    I have added public-private key pair on azure vault under “Keys”.


    1. Hi Hemang,

      Did you get a solution for the above?
      I am facing the same issue.

      Thanks in advance.


      1. Hi Pratham and Hemang,

        I’ve never used this setup with the secret type “Key”, so I’m afraid I cannot help you with this specific point, but try the following just in case:

        Instead of using this structure in the secret field: vault://KeyVault_Name/Secret_Name/[Secret_Version]

        Try omitting the key vault name:

  6. Great post! Actually, have a requirement to use key vault with FO currently

  7. Some users are getting the same error as reported above: “Access denied to field Key Vault secret key (SecretKey) in table Key Vault parameters (KeyVaultParameters)”.

    Are these permissions in D365 or Azure that need to be added to the Users?

    1. Hi Javier, thanks for commenting!!

      Could you please give me some more context? When is the error thrown? And the user that gets the error, which security roles has this user assigned?
