Integrate Azure Key Vault with your Teams app
Azure Key Vault is a secure storage solution for managing secrets, keys and certificates. It can be used to centralize application secrets, store secrets and keys securely, monitor access and use, and simplify administration of application secrets.
Teams Toolkit orchestrates cloud service provision and configuration with an infrastructure as code approach using a Domain Specific Language called Bicep.
Follow these steps to provision a new Azure Key Vault service with Teams Toolkit:
- Step 1: Create a new bicep file
- Step 2: Update existing bicep file
- Step 3: Execute provision command
Create a bicep file called `keyVault.bicep` under the `infra` folder with the content below to provision the Azure Key Vault service.
```bicep
param keyVaultName string
param secretName string
// @secure() keeps the secret value out of deployment logs and history
@secure()
param secret string
param identityObjectId string

var tenantId = subscription().tenantId

resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: keyVaultName
  location: resourceGroup().location
  properties: {
    tenantId: tenantId
    accessPolicies: []
    sku: {
      name: 'standard'
      family: 'A'
    }
  }
}

// Grant the identity read-only ('get') access to secrets, nothing else
resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyVaultName}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: identityObjectId
        permissions: {
          secrets: [
            'get'
          ]
        }
      }
    ]
  }
  dependsOn: [
    keyVault
  ]
}

// Store the secret in the vault
resource secretKv 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
  parent: keyVault
  name: secretName
  properties: {
    value: secret
  }
}
```
Update the existing `azure.bicep` file under the `infra` folder.

- Add below content for provisioning user-assigned managed identity and Azure Key Vault, and update `<The secret to be stored in Key Vault>`:

  ```bicep
  var keyVaultName = resourceBaseName
  var secretName = 'secret'
  var secretReference = '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=${secretName})'

  resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
    name: resourceBaseName
    location: resourceGroup().location
  }

  module keyVaultProvision './keyVault.bicep' = {
    name: 'keyVaultProvision'
    params: {
      keyVaultName: keyVaultName
      secretName: secretName
      secret: <The secret to be stored in Key Vault>
      identityObjectId: managedIdentity.properties.principalId
    }
  }
  ```

- Update the existing resource for accessing Azure Key Vault. E.g. if it is a Bot or Function project hosted on Azure Web App, you need to update the bicep content of `webApp`:

  - Add below content under `resource webApp`:

    ```bicep
    identity: {
      type: 'UserAssigned'
      userAssignedIdentities: {
        '${managedIdentity.id}': {}
      }
    }
    dependsOn: [
      keyVaultProvision
    ]
    ```

  - Add below content under `properties` of `resource webApp`:

    ```bicep
    keyVaultReferenceIdentity: managedIdentity.id
    ```

- Update the secret value to Key Vault secret reference. E.g. if it is a Bot project, update the value of `BOT_PASSWORD` under `appSettings` of `resource webApp`:

  ```bicep
  {
    name: 'BOT_PASSWORD'
    value: secretReference
  }
  ```
Follow this document to provision cloud resources.
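A check for the result of the steps above, added here as an example and not part of the Teams Toolkit documentation: it audits app settings in the `name`/`value` shape used for `BOT_PASSWORD`, flagging secret-like settings that are not Key Vault references and references that do not match the `VaultName`/`SecretName` form. The sample settings, the `SENSITIVE` word list and the function names are assumptions; the name patterns follow the Azure naming limits for vaults and secrets.

```python
import re

# Only the VaultName/SecretName form used on this page is accepted (SecretUri is out of scope).
REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>[^()]*)\)$")
VAULT_RE = re.compile(r"^[A-Za-z](?!.*--)[A-Za-z0-9-]{1,22}[A-Za-z0-9]$")  # 3-24 chars
SECRET_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")
SENSITIVE = ("PASSWORD", "SECRET", "KEY", "TOKEN")  # assumption: names that hold secrets


def parse_reference(value):
    """Return the reference fields as a dict, or None if the value is not a valid reference."""
    m = REF_RE.match(value.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(";"):
        key, sep, val = part.partition("=")
        if not sep or key.strip() in fields:
            return None  # missing '=' or duplicated field
        fields[key.strip()] = val.strip()
    ok = (not set(fields) - {"VaultName", "SecretName", "SecretVersion"}
          and VAULT_RE.match(fields.get("VaultName", ""))
          and SECRET_RE.match(fields.get("SecretName", "")))
    return fields if ok else None


def audit(settings):
    """Return a list of (setting name, problem) findings."""
    findings = []
    for s in settings:
        name, value = s["name"], s["value"]
        if value.startswith("@Microsoft.KeyVault("):
            if parse_reference(value) is None:
                findings.append((name, "not a valid VaultName/SecretName reference"))
        elif any(word in name.upper() for word in SENSITIVE):
            findings.append((name, "sensitive setting is not a Key Vault reference"))
    return findings


# Constructed sample settings, not taken from a real app.
SAMPLE = [
    {"name": "BOT_ID", "value": "00000000-0000-0000-0000-000000000000"},
    {"name": "BOT_PASSWORD", "value": "@Microsoft.KeyVault(VaultName=contoso-kv01;SecretName=secret)"},
    {"name": "API_SECRET", "value": "plaintext-value"},
    {"name": "DB_PASSWORD", "value": "@Microsoft.KeyVault(VaultName=contoso-kv01,SecretName=db)"},
]

if __name__ == "__main__":
    print(*(f"{n}: {p}" for n, p in audit(SAMPLE)), sep="\n")
```

A malformed reference is worth catching before deployment because App Service then passes the literal reference string to the app instead of the secret.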