
About Microsoft Azure Key Vault

The Microsoft Azure Key Vault source reads vault configuration and metadata for keys, secrets, and certificates through Azure Resource Manager. Iru does not read secret values, key material, or private keys; it collects only names, attributes, expiry, access configuration, and similar fields the management API exposes. Iru authenticates with delegated OAuth 2.0 (Microsoft Entra ID) as the user who completes the wizard. Anything that user cannot read in Azure will not appear in Iru.

How It Works

Iru uses Microsoft's OAuth 2.0 authorization code flow against Azure Resource Manager. The requested scope is https://management.azure.com/user_impersonation, a delegated scope: the resulting token acts as the signed-in user on the management plane and carries no rights that user does not already hold.

Category: Developer tools
Authentication: OAuth 2.0 (Microsoft Entra ID, Azure Resource Manager)
Vendor plan: Any Azure subscription that has Key Vault resources

What Iru collects

Key vault configuration: Name, location, SKU (standard or premium), soft-delete, purge protection
Keys (metadata): Identifiers, permitted operations, enabled state, expiry (not key material)
Secrets (metadata): Names, content type, enabled state, expiry (not secret values)
Certificates (metadata): Identifiers, issuer, validity (not private keys)
Access policies / RBAC: Which principals have which permissions on each vault

Iru does not modify vaults, objects, or access policies. Official references: Azure Key Vault documentation, Key Vault REST API, Key Vault RBAC guide, Built-in roles for security.

Prerequisites

  • Microsoft Entra ID sign-in to the Azure portal.
  • The built-in Key Vault Reader role (recommended) or Reader. Assign it at subscription scope for the broadest coverage (role assignments inherit downward, so vaults created later in that subscription are covered too), or at individual vault scope if you intentionally limit visibility. Key Vault Reader grants read access to the vault resource and to the metadata of keys, secrets, and certificates, but not to secret values or key material.
  • Browser pop-ups allowed so the connector wizard can open when you enable the source.
Confirm access: Subscriptions → your subscription → Access control (IAM) → View my access. Example role assignment (replace the placeholders):
az role assignment create \
  --assignee <your-user-principal-name> \
  --role "Key Vault Reader" \
  --scope /subscriptions/<subscription-id>
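The "View my access" check above is per subscription; when vaults sit under several resource groups or only some of them carry a vault-scoped assignment, it is easy to miss a vault that the connector will silently not see. The following added example (not Iru's code) works through Azure RBAC scope inheritance offline: given role assignments in the shape `az role assignment list --assignee <upn> --all` prints (roleDefinitionName, scope, principalId) and a list of vault resource IDs, it reports which vaults are covered by Key Vault Reader or Reader and which are not. The subscription, resource group, vault names and principal GUIDs are constructed sample data.

```python
"""Check whether a principal's Azure RBAC assignments cover a set of Key Vaults.

Added example, not part of Iru. Input shape follows the JSON printed by
`az role assignment list --assignee <upn> --all`; every ID below is
constructed sample data.
"""

READ_ROLES = {"Key Vault Reader", "Reader"}  # the roles this page recommends


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to a resource at or below its scope.
    Azure resource IDs are case-insensitive, so compare lowercased, and
    require a segment boundary so .../vaults/kv-a does not match
    .../vaults/kv-ab."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    if a.startswith("/providers/microsoft.management/managementgroups/"):
        # Management-group assignments inherit to every subscription below
        # them. Assumption: the vault's subscription is in that group.
        return True
    return r == a or r.startswith(a + "/")


def vault_coverage(assignments, vaults, principal_id, roles=READ_ROLES):
    """Return {vault_id: [matching 'role @ scope' strings]} for the principal.
    A vault with an empty list is invisible to a metadata-only reader."""
    report = {}
    for vault in vaults:
        hits = []
        for asg in assignments:
            if asg["principalId"] != principal_id:
                continue
            if asg["roleDefinitionName"] not in roles:
                continue
            if scope_covers(asg["scope"], vault):
                hits.append(f'{asg["roleDefinitionName"]} @ {asg["scope"]}')
        report[vault] = hits
    return report


def uncovered(report):
    """Vault IDs with no qualifying read assignment, sorted."""
    return sorted(v for v, hits in report.items() if not hits)


# --- constructed sample data (no real subscriptions, vaults or principals) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_A = SUB + "/resourceGroups/rg-app"
RG_B = SUB + "/resourceGroups/rg-infra"
KV_A = RG_A + "/providers/Microsoft.KeyVault/vaults/kv-app-prod"
KV_AB = RG_A + "/providers/Microsoft.KeyVault/vaults/kv-app-prod-backup"
KV_B = RG_B + "/providers/Microsoft.KeyVault/vaults/kv-infra"
ME = "11111111-1111-1111-1111-111111111111"
SOMEONE_ELSE = "22222222-2222-2222-2222-222222222222"

SAMPLE_ASSIGNMENTS = [
    {"principalId": ME, "roleDefinitionName": "Key Vault Reader", "scope": KV_A},
    {"principalId": ME, "roleDefinitionName": "Reader", "scope": RG_B},
    # Broad role, but held by a different principal: irrelevant to ME.
    {"principalId": SOMEONE_ELSE, "roleDefinitionName": "Contributor", "scope": SUB},
    # Data-plane role on the backup vault; not one of the read roles we accept.
    {"principalId": ME, "roleDefinitionName": "Key Vault Secrets User", "scope": KV_AB},
]
SAMPLE_VAULTS = [KV_A, KV_AB, KV_B]

if __name__ == "__main__":
    rep = vault_coverage(SAMPLE_ASSIGNMENTS, SAMPLE_VAULTS, ME)
    for vault, hits in rep.items():
        print(vault.rsplit("/", 1)[-1], "->", hits or "NO READ ACCESS")
```

In the sample, kv-app-prod is covered by a vault-scoped Key Vault Reader, kv-infra inherits Reader from its resource group, and kv-app-prod-backup is not covered at all, even though the prefix of its name matches a covered vault; that is the segment-boundary case the comparison guards against. To run it against real data, replace SAMPLE_ASSIGNMENTS with the output of `az role assignment list --assignee <upn> --all` and SAMPLE_VAULTS with the `id` fields from `az keyvault list`.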

Connect Microsoft Azure Key Vault to Iru

First, in the Azure portal, confirm portal access and Key Vault Reader (or Reader) coverage (steps 1 to 5 below); then complete OAuth in Iru Compliance. The wizard shows Step 1 of 1: Perform OAuth Authentication.
1. Sign in to the Azure portal. Open portal.azure.com and sign in with the account you will use in the Iru wizard.
2. Open your target subscription. Search for Subscriptions, then open the subscription that contains the Key Vaults Iru should read.
3. Verify Key Vault Reader or Reader access. Open Access control (IAM) → View my access. Confirm Key Vault Reader (or Reader) at subscription scope, or Key Vault Reader on the specific vaults you want visible, per Prerequisites.
4. Allow pop-ups in your browser. Allow pop-ups for your Iru hostname so the Microsoft consent window can open.
5. Plan for the right Entra tenant. If you use multiple tenants, use a clean browser session (or a dedicated browser profile) so OAuth signs in to the work tenant that owns the vaults.
Then switch to Iru Compliance, enable the Microsoft Azure Key Vault source, and complete Step 1 of 1: Perform OAuth Authentication.
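Two points above are easy to get wrong in practice and are worth checking with the token itself: the How It Works section states the delegated scope the connector requests, and step 5 warns about signing in to the wrong tenant. The added example below (not Iru's code) builds the authorization request a connector of this kind sends to the tenant-specific Entra ID v2.0 endpoint with PKCE, and then inspects an access token's claims to confirm it has the Azure Resource Manager audience, the user_impersonation scope, the expected tenant ID, and a delegated (scp) rather than app-only grant. The endpoints and scope are the real ones; the client ID, redirect URI, tenant IDs and the sample tokens are constructed. Claim inspection here deliberately does not verify the signature: it is an operator sanity check, not token validation, which Azure Resource Manager performs on its side.

```python
"""Build the authorization request and inspect the delegated ARM token.

Added example, not Iru's own code. The tenant IDs, client ID, redirect URI
and sample tokens below are constructed. The endpoint and scope are real.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

ARM_SCOPE = "https://management.azure.com/user_impersonation"
ARM_AUDIENCES = {"https://management.azure.com", "https://management.azure.com/"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def pkce_pair(verifier=None):
    """RFC 7636 S256: challenge = BASE64URL(SHA-256(verifier))."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def authorize_url(tenant, client_id, redirect_uri, state, code_challenge):
    """Authorization code request to the tenant-specific v2.0 endpoint.
    Pinning the tenant (instead of /common or /organizations) is what
    keeps a multi-tenant user from landing in the wrong directory."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"{ARM_SCOPE} offline_access openid",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode(params))


def inspect_delegated_token(token: str, expected_tenant: str) -> dict:
    """Decode the JWT payload WITHOUT checking the signature and report
    whether it looks like the token a delegated ARM connector should hold.
    This is inspection for the operator, never authorization logic."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    scopes = payload.get("scp", "").split()
    return {
        "aud_ok": payload.get("aud") in ARM_AUDIENCES,
        "scope_ok": "user_impersonation" in scopes,
        "tenant_ok": payload.get("tid") == expected_tenant,
        "delegated": "scp" in payload,  # app-only tokens carry roles, not scp
        "user": payload.get("upn") or payload.get("preferred_username"),
    }


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only. A real
    validator must reject alg=none; nothing here validates anything."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


# --- constructed sample data ---
WORK_TENANT = "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
OTHER_TENANT = "cccccccc-4444-5555-6666-dddddddddddd"
GOOD_TOKEN = make_sample_token({"aud": "https://management.azure.com",
    "tid": WORK_TENANT, "scp": "user_impersonation", "upn": "ops@example.com"})
WRONG_TENANT_TOKEN = make_sample_token({"aud": "https://management.azure.com",
    "tid": OTHER_TENANT, "scp": "user_impersonation", "upn": "ops@other.example"})
APP_ONLY_TOKEN = make_sample_token({"aud": "https://management.azure.com/",
    "tid": WORK_TENANT, "roles": ["Reader"]})

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(authorize_url(WORK_TENANT, "00000000-0000-0000-0000-000000000000",
                        "http://localhost:8400/callback", "state-123", challenge))
    for name, tok in [("good", GOOD_TOKEN), ("wrong tenant", WRONG_TENANT_TOKEN),
                      ("app-only", APP_ONLY_TOKEN)]:
        print(name, inspect_delegated_token(tok, WORK_TENANT))
```

To inspect a real token for the account you intend to use in the wizard, run `az account get-access-token --resource https://management.azure.com` and pass its accessToken field to inspect_delegated_token with your work tenant ID. A tenant_ok of False is the wrong-tenant situation from step 5; delegated False means the token was issued to an application rather than a user, which is not how this source authenticates.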

Troubleshooting

  • The Microsoft consent window does not open: check pop-up blocker settings for the Iru site and try again.
  • Vaults or objects you expect are missing: the signed-in account may lack Key Vault Reader or Reader on the subscription or vaults. Verify IAM assignments (see Prerequisites).
  • OAuth signed in to the wrong tenant: sign out of the Microsoft pop-up and sign in with the account for the correct tenant.
  • If the source still does not connect after the above: turn Microsoft Azure Key Vault off and on in Sources, then complete OAuth again.
