Using App Key Vaults with Business Central Extensions

APPLIES TO: Business Central 2020 release wave 2 and later

Some Business Central extensions make web service calls to non-Business Central services. For example, one extension might call Azure Storage to read/write blobs. Another extension might call the extension publisher's web service to do an operation.

These web service calls are typically authenticated, which means the extension must provide a credential in the call. The credentials enable the other service to accept or reject the call. You can consider the credentials as a kind of secret to the extension. A secret shouldn't be leaked to customers, partners, or anybody else. So where can the extension get the secret from? Here is where Azure Key Vault is used. Azure Key Vault is a cloud service that works as a secure secrets store. It provides centralized storage for secrets, enabling you to control access and distribution of the secrets.


For Business Central online, the app key vault feature is only supported for AppSource extensions.

Getting started

Getting extensions to use secrets from Azure Key Vault involves two areas of work: setting up and configuring Azure Key Vaults and developing the extensions to use secrets from Azure Key Vault.

Setting up and configuring Azure Key Vaults

An extension can retrieve secrets from one or two different Azure Key Vaults. These key vaults must be created in Azure, and the Business Central service configured to access key vaults. The setup process is different for online and on-premises. For more information, see:

Developing the extensions to use secrets from Azure Key Vault

Once you have an Azure Key Vault, you can develop Business Central extensions to retrieve secrets from the key vault. In short, this work involves specifying the key vault's URL and adding code to retrieve a secret from the key vault.

For more information, see Using App Key Vault Secrets in Extensions.

Monitoring the usage of and errors in Azure Key Vault with telemetry

App key vault telemetry gathers information about the acquisition of secrets in Azure Key Vaults by extensions at runtime.

The app key vault secret process has two operations: initialization and retrieval. The telemetry data provides information about the success or failure for each of these operations. There are various conditions that cause a failure. The failure messages provide insight into the cause of the failure, helping you identify, troubleshoot, and resolve issues.

For more information, see App Key Vault Telemetry.

See Also

Security Considerations With App Key Vaults
Monitoring and Troubleshooting App Key Vaults
App Key Vault Telemetry
Configuring Business Central Server - Azure Key Vault Extensions