Adding a Cloud Service Provider Account for Azure

You must have created a service account in Azure before you can add a Cloud Service Provider account. For more information, see Configuring Azure for Cryptographic Security Platform Vault BYOK.

  1. Log into the Cryptographic Security Platform Vault for Cloud Keys webGUI using an account with Cloud Admin privileges.
  2. In the top menu bar, click CloudKeys.
  3. Click the CSP Accounts tab and select Actions > Add Cloud Service Provider Account.
  4. On the Details tab of the Add CSP dialog box, enter the account details.

    Field Description
    Name

    The name you want to use for the Cloud Service Provider Account.

    Description

    An optional description of the Cloud Service Provider Account.

    Admin Group

    Select the Admin Group that you want to use for the account.

    Type

    Select AZURE.

    Microsoft Entra Tenant ID

    Enter the Microsoft Entra tenant ID.

    You can find this in the Azure portal under Microsoft Entra ID (formerly Azure Active Directory).

    Subscription ID

    The Azure subscription ID.

    You can find this in the Azure portal under Subscriptions.

    Application (Client) ID

    The Service Principal client ID. Click the link to update the Client ID and Client Secret.

    You can find this in the Azure portal under Microsoft Entra ID (formerly Azure Active Directory) > App registrations > <your BYOK application>.

    Application Object ID

    The Object ID of your BYOK application. This is required if the BYOK application has not been granted the Microsoft Graph permission.

    You can find this in the Azure portal under Microsoft Entra ID (formerly Azure Active Directory) > App registrations > <your BYOK application>.

    Authentication Method

    Select one of the following options: 

    • Client Secret—Uses the Azure Service Principal secret that you created for authentication.

    • Certificate—Uses certificate-based authentication.

    Certificate

    To use certificate-based authentication, choose one of the following:

    • Generate a self-signed certificate. You can accept the generated certificate expiration or choose your own expiration date.

    • Use an externally signed certificate. A Certificate Signing Request is generated; have it signed by your CA, then upload the signed certificate both to your BYOK application's app registration in Azure (Certificates & secrets) and to the Cryptographic Security Platform Vault for Cloud Keys webGUI. The private key stays in the Vault.

    Note: If you are using a client secret, then this field is hidden.

    Client Secret

    The Azure Service Principal secret that you created.

    Note: If you are using certificate-based authentication, then this field is hidden.

  5. Click Continue.

  6. On the Schedule tab, set the rotation schedule for the client secret or certificate. This can be one of the following: 

    • Never—The client secret/certificate is never rotated automatically.

      Note: If you did not grant the app the permissions required for credential rotation, you must leave this set to Never. For more information, see Creating a Service Principal.

    • Every x days—The client secret/certificate is rotated every x days. The minimum is 1 day and the maximum is 540 days.
    • Every x weeks—The client secret/certificate is rotated every x weeks. The minimum is 1 week and the maximum is 72 weeks.
    • Every x months—The client secret/certificate is rotated every x months. The minimum is 1 month and the maximum is 18 months.
    • Every x years—The client secret/certificate is rotated every year. The only permitted value is 1 year.

    Important:  

    • For Client Secrets—When the Azure client secret is rotated, the Cryptographic Security Platform Vault for Cloud Keys creates a new secret on the Service Principal and replaces the secret you used when you registered the Cloud Service Provider account. Do not delete the secret that the Vault created from the Azure portal; the Vault manages it from now on.

    • For Certificates—The rotation schedule is available only for self-signed certificates. If you are using externally signed certificates, rotate them manually.

  7. Click Add.
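The certificate option above and the rotation schedule interact: the credential you upload must still be valid when the Vault next rotates it, and the thumbprint shown in Azure is the only quick way to confirm that the file you uploaded is the one the Vault holds. The following script is an added example and is not part of the product documentation or of the Vault's own tooling. It assumes openssl is installed, uses a constructed subject name (vault-byok-test), approximates months as 30 days for the interval check, and shows the Azure CLI upload commands only in comments as an operator step with assumed syntax.

```shell
#!/bin/sh
# Added example, not part of the product documentation: prepares the
# certificate credential described under "Certificate" and checks it against
# the rotation schedule chosen on the Schedule tab.
# Assumptions: openssl is installed; the Azure CLI commands in comments are
# run separately by an operator who can edit the BYOK app registration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Certificate option 1: self-signed certificate with an expiry you choose.
# $1 = subject CN, $2 = validity in days
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/byok.key" -out "$WORKDIR/byok.crt" \
    -subj "/CN=$1" -days "$2" >/dev/null 2>&1
  chmod 600 "$WORKDIR/byok.key"   # the private key never leaves this host
}

# Certificate option 2: CSR for an external CA. The signed certificate that
# comes back is what gets uploaded to Azure and to the Vault webGUI.
# $1 = subject CN
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/byok-csr.key" -out "$WORKDIR/byok.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  chmod 600 "$WORKDIR/byok-csr.key"
}

# SHA-1 thumbprint in the form the Azure portal shows under the app
# registration's "Certificates & secrets": 40 uppercase hex digits, no colons.
# Compare it with the uploaded credential to confirm the right file went up.
# $1 = PEM certificate
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Convert a Schedule-tab choice into days and enforce the documented limits
# (1-540 days, 1-72 weeks, 1-18 months, 1 year). Months use 30 days here as
# an approximation; the Vault itself schedules by calendar month.
# $1 = days|weeks|months|years, $2 = count
schedule_days() {
  local unit="$1" n="$2" max mult
  case "$unit" in
    days)   max=540; mult=1 ;;
    weeks)  max=72;  mult=7 ;;
    months) max=18;  mult=30 ;;
    years)  max=1;   mult=365 ;;
    *) echo "unknown unit: $unit" >&2; return 1 ;;
  esac
  if [ "$n" -lt 1 ] || [ "$n" -gt "$max" ]; then
    echo "Every $n $unit is outside the allowed range 1-$max" >&2
    return 1
  fi
  echo $(( n * mult ))
}

# Succeeds only if the certificate is still valid when the next rotation is
# due, i.e. the credential cannot expire before the Vault replaces it.
# $1 = PEM certificate, $2 = rotation interval in days
rotation_fits() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo with a constructed subject name; substitute your own.
make_self_signed "vault-byok-test" 365
echo "Thumbprint to compare in Azure: $(thumbprint "$WORKDIR/byok.crt")"
interval=$(schedule_days months 6)
if rotation_fits "$WORKDIR/byok.crt" "$interval"; then
  echo "A 365-day certificate outlives a $interval-day rotation interval"
else
  echo "Rotation interval exceeds certificate lifetime; shorten it" >&2
fi
# Upload to the app registration (operator step; APP_ID is the Application
# (Client) ID from the Details tab; CLI syntax assumed, not verified here):
#   az ad app credential reset --id "$APP_ID" --cert "@$WORKDIR/byok.crt" --append
# Then confirm the listed thumbprint matches the value printed above:
#   az ad app credential list --id "$APP_ID" --cert
```

For the externally signed path, call make_csr instead, send byok.csr to your CA, and run thumbprint on the certificate the CA returns before uploading it; the files are left in WORKDIR so you can remove the private key yourself once it has been imported.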