Use Logic Apps to receive email about status changes of key vault secrets

In this guide, you will learn how to respond to Azure Key Vault events that are received via Azure Event Grid by using Azure Logic Apps. By the end, you will have an Azure logic app set up to send a notification email every time a secret is created in Azure Key Vault.

For an overview of Azure Key Vault / Azure Event Grid integration, see Monitoring Key Vault with Azure Event Grid.


Create a Logic App via Event Grid

First, create Logic App with Event Grid handler and subscribe to Azure Key Vault "SecretNewVersionCreated" events.

To create an Azure Event Grid subscription, follow these steps:

  1. In the Azure portal, go to your key vault, select Events > Get Started and select Logic Apps

    Key Vault - events page

  2. On Logic Apps Designer validate the connection and select Continue

    Logic App Designer - connection

  3. On the When a resource event occurs screen, do the following:

    • Leave Subscription and Resource Name as default.
    • Select Microsoft.KeyVault.vaults for the Resource Type.
    • Select Microsoft.KeyVault.SecretNewVersionCreated for Event Type Item - 1.

    Logic App Designer - event handler

  4. Select + New Step This will open a window to Choose an action.

  5. Search for Email. Based on your email provider, find and select the matching connector. This tutorial uses Office 365 Outlook. The steps for other email providers are similar.

  6. Select the Send an email (V2) action.

    Logic App Designer - send email

  7. Build your email template:

    • To: Enter the email address to receive the notification emails. For this tutorial, use an email account that you can access for testing.
    • Subject and Body: Write the text for your email. Select JSON properties from the selector tool to include dynamic content based on event data. You can retrieve the data of the event using @{triggerBody()?['Data']}.

    Your email template may look like this example.

    Logic App Designer - email body

  8. Select Save as.

  9. Enter a name for new logic app and select Create.

    Logic App Designer - create

Test and verify

  1. Go to your key vault on the Azure portal and select Events > Event Subscriptions. Verify that a new subscription created

    Logic App Designer - test and verify

  2. Go to your key vault, select Secrets, and select + Generate/Import. Create a new secret for testing purposes name the key and keep the remaining parameters in their default settings.

    Key Vault - Create Secret

  3. On the Create a secret screen provide any name, any value, and select Create.

When the secret is created, an email will be received at the configured addresses.

Next steps