AppSource apps can store their secrets in Azure Key Vault

Important

This content is archived and is not being updated. For the latest documentation, see Microsoft Dynamics 365 product documentation. For the latest release plans, see Dynamics 365 and Microsoft Power Platform release plans.

Enabled for: Admins, makers, marketers, or analysts, automatically
Public preview: -
General availability: Oct 1, 2020

Feature details

In the world of software as a service (SaaS), apps typically do not run in isolation; they often interact with other services.

Some Business Central extensions make web service calls to non-Business Central services. For example, one extension might call Azure Storage to read or write blobs. Another extension might call the extension publisher's web service to do an operation.

These web service calls are typically authenticated, which means the extension must provide a credential in the call. The credential enables the other service to accept or reject the call. Treat the credential as a secret that belongs to the extension: it shouldn't be leaked to customers, partners, or anybody else. So where can the extension get the secret from? This is where Azure Key Vault is used. Azure Key Vault is a cloud service that works as a secure secrets store. It provides centralized storage for secrets, enabling you to control access to and distribution of the secrets.

With this release, we are introducing an option for app developers to create their secrets in the Azure Key Vault account created in their own subscription. The Azure Key Vault account can then be specified in the app.json file of the app. With the key vault specified, the Business Central online service now allows app code to read the secrets from the vault during code execution. The secrets will not be accessible to other apps installed on the same environment.

This capability will be available in Business Central online for all apps registered on AppSource (additional onboarding steps will be required). It will not be available for per-tenant extensions and developer extensions (that is, extensions that are published directly from Visual Studio Code to a sandbox environment).

The feature will also be supported for on-premises deployments of Business Central.
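The app.json setting and the secret read described above, sketched as an added AL example (not code from this page or from Microsoft). The vault URL, object ID, secret name, header name, and endpoint are placeholders chosen for illustration; the `App Key Vault Secret Provider` codeunit and the `keyVaultUrls` property are the platform's own.

```al
// Added example. app.json fragment naming the publisher's vault (placeholder URL):
//   "keyVaultUrls": [ "https://contoso-appsecrets.vault.azure.net" ]
codeunit 50100 "Partner Service Client"
{
    // NonDebuggable keeps the secret out of the debugger's variable view,
    // so a customer or partner attaching a debugger cannot read it.
    [NonDebuggable]
    procedure CallPartnerService(): Boolean
    var
        SecretProvider: Codeunit "App Key Vault Secret Provider";
        Client: HttpClient;
        Response: HttpResponseMessage;
        ApiKey: Text;
    begin
        // Binds the provider to the vault(s) listed in this app's own app.json.
        // Fail closed if the vault is not configured or not reachable.
        if not SecretProvider.TryInitializeFromCurrentApp() then
            exit(false);

        // 'PartnerApiKey' is a hypothetical secret name stored in the vault.
        if not SecretProvider.GetSecret('PartnerApiKey', ApiKey) then
            exit(false);

        // Hypothetical header and endpoint of the publisher's web service.
        // The secret is used only for the outgoing call: it is never returned,
        // written to a table, or placed in an error message.
        Client.DefaultRequestHeaders().Add('x-api-key', ApiKey);
        if not Client.Get('https://api.example.com/v1/ping', Response) then
            exit(false);

        exit(Response.IsSuccessStatusCode());
    end;
}
```

The procedure returns only a success flag, so callers in the same or other extensions never handle the secret value itself.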

Thank you for your idea

Thank you for submitting this idea. We listened to your idea, along with comments and votes, to help us decide what to add to our product roadmap.

See also

Using App Key Vaults with Business Central Extensions (docs)