Create Azure Key Vault for wrap in Power Apps

In order to automatically, sign your Android or iOS mobile app package during Step 2 of the wrap wizard, it's necessary to have Azure Key Vault configured. Azure Key Vault is a cloud-based service designed to provide a secure storage solution for secrets, which can include certificates, passwords, keys, and other sensitive information. To learn more about Azure Key Vault, see Introduction to Azure Key Vault.

In this article, you will learn how to use an existing Azure Key Vault or create a new Azure portal.

Prerequisites

Create Azure Key Vault and configure Key Vault URI

  1. To create a new Azure service principal for the 1P Microsoft Entra application 4e1f8dc5-5a42-45ce-a096-700fa485ba20 (WrapKeyVaultAccessApp), sign in to your tenant as an admin. Then, run the following script in PowerShell:

    Connect-AzureAD -TenantId <your tenant ID>
    New-AzureADServicePrincipal -AppId 4e1f8dc5-5a42-45ce-a096-700fa485ba20 -DisplayName "Wrap KeyVault Access App"

  2. Follow these steps to ensure that the Service Principal representing your app, such as Wrap Key Vault Access App, has the necessary access permissions, add a Reader role assignment to it in the Access Control (IAM) of your default subscription. This should also be present in the IAM of both the subscription and the Key Vault.

    1. On the left select Access control (IAM) tab and then select Add > Add role assignment.

    2. Select the Members tab and then select Job function roles. Make sure the Reader role is selected.

      Select the Members tab.

    3. On Members tab, select Select member and in the text box on the right enter Wrap Key Vault Access App and search for it.

      Search for Wrap Key Vault Access App.

    4. Select Wrap Key Vault Access App and then select Review + assign to assign the Reader role.

      Assign Reader role to Wrap KeyVault Access App.

  3. Create or access existing Key Vault. Make sure this Key Vault is located in the default subscription for your tenant. More information: Create a key vault using the Azure portal.

  4. Add access policies for the Key Vault. For Secret permissions and Certificate permissions make sure that Get and List permissions are selected.

    Access Policies required: Get, List for secret and certificates permissions.

  5. Choose one of the following options based on your device:

    • Android

      Generate the .pfx file and then proceed to upload it to the certificate section of the Key Vault. More information: Generate keys

      Create a cert for Android.

      Note

      Ensure that the certificate name is included in the tag step and that the password matches the one entered for the store pass parameter used in creating the .pfx file during step 2.

    • iOS

      1. Select the .cer into Keychain Access app to install it. For more information, see Create the distribution certificate.
      2. Right-click your certificate file to export the file as a .p12 file, select Export, and then select the file format .p12.
      3. The iOS Certificate extension (.p12) should be renamed to .pfx as it is the accepted format by Key Vault

      Note

      When you upload to the Key Vault, you'll need to provide the password that you set in previous step for the .p12 file.

      1. Create the provisioning profile and run this command to encode it to base64:

        • Mac: base64 -i example.mobileprovision
        • Windows: certutil -encode data.txt tmp.b64
      2. Upload the base64 string obtained from the previous step to the Key Vault secret. Next, upload the .pfx file to Key Vault Certificate.

        Create a cert for iOS.

  6. Once iOS or Android certificates are created and uploaded, add three tags with the name as the bundle ID, and the value corresponding to the name of the uploaded certificate(s).

    Add tags.

Troubleshoot

For Troubleshooting issues, see Troubleshoot issues with the wrap feature in Power Apps.

See also