Azure AD Dynamic Secrets

You can define an Azure AD dynamic secret to generate short-lived access credentials in one of two modes:

  1. Programmatic: a temporary application secret (client secret) for a specific application registration.

  2. Portal: a temporary user with a username and password for signing in to the Azure portal.

Prerequisites

  • Azure AD Service Account:

To give Akeyless Vault access to Azure AD, create an App Registration in the Microsoft identity platform. This registration acts as the service account that the Akeyless Vault Platform uses for its Microsoft Graph API calls.

To create this service account, follow Microsoft's guide on creating an Application Registration in Azure Active Directory, or follow the step-by-step guide.

The registration needs the following Microsoft Graph application permissions (each requires admin consent):

Action                             Permissions
Create/Delete user                 User.ReadWrite.All, Directory.ReadWrite.All
Add user to group                  GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All
Add user role                      RoleManagement.ReadWrite.Directory
Create/Delete Application secret   Application.ReadWrite.OwnedBy, Application.ReadWrite.All

Grant only the rows needed for the mode you use: the first three are for Portal access, the last one is for Programmatic access. Application.ReadWrite.OwnedBy is sufficient when the registration is an owner of the application whose secrets it rotates, and is narrower than Application.ReadWrite.All.

Create a Dynamic Azure AD Secret from the CLI

Tip

To set up a dynamic secret, you can either configure a connection to the target server first or provide all parameters of the target server in the secret creation command.

We recommend using dynamic secrets together with targets, because the target stores the Azure AD connection details once instead of repeating them in every secret. To enable this flow, ensure that the user who creates dynamic secrets has permission to access or create targets.

To create a dynamic Azure AD secret from the CLI using the existing target, run the following command:

akeyless gateway-create-producer-azure \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim>

Where:

  • name: The unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it is created together with the dynamic secret.

  • target-name: The name of the target that holds the connection to Azure AD. The name can include the path to the virtual folder where this target resides.

  • gateway-url: The Akeyless Gateway API URL. Use https so the returned credentials are not sent in the clear.

  • azure-user-portal-access: Enable Portal mode (a temporary user with a password).

  • azure-user-programmatic-access: Enable Programmatic mode (a temporary application secret).

  • azure-app-obj-id: The Object ID of the Azure application whose secret is created (required if programmatic access is enabled).

  • azure-user-principal-name: Azure User Principal Name (required if portal access is enabled).

  • fixed-user-only: Use an externally provided, already existing user instead of creating a temporary one; the engine then only adds and removes that user's groups and roles.

  • fixed-user-claim-keyname: For externally provided users, the key name of the IdP claim from which the username is taken.

If you don't have a configured Azure AD target yet, you can use the command with your Azure AD target server connection parameters:

akeyless gateway-create-producer-azure \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim> \
--azure-tenant-id <Azure Tenant ID> \
--azure-client-id <Azure Client ID> \
--azure-client-secret <Azure AD Client Secret>

Where:

  • azure-tenant-id: Azure Tenant ID.

  • azure-client-id: Azure Client ID (Application ID).

  • azure-client-secret: Azure AD Client Secret.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.

Fetch a Dynamic Azure AD Secret value from the CLI

To fetch a dynamic Azure AD secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>
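The two commands above are easy to get wrong in ways the gateway only reports later: the identifier that is required depends on the mode, and the URL placeholder on this page uses backslashes. The following wrapper is an added example, not Akeyless' own code. It enforces those rules locally before calling `akeyless gateway-create-producer-azure` and `akeyless get-dynamic-secret-value`. It assumes the akeyless CLI is installed and already authenticated; every path, URL and GUID in it is a placeholder, and with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not Akeyless' own code): wraps the create and fetch commands
# from this page and checks the per-mode parameter rules first:
#   programmatic access needs --azure-app-obj-id,
#   portal access needs --azure-user-principal-name,
#   the gateway URL must use https://.
# Assumptions: the akeyless CLI is installed and authenticated; all paths, URLs
# and GUIDs below are placeholders. DRY_RUN=1 (default) prints instead of runs.

DRY_RUN="${DRY_RUN:-1}"

# run_or_print CMD...: execute CMD, or print it when DRY_RUN=1.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# validate_azure_producer MODE APP_OBJ_ID UPN
# MODE is "programmatic" or "portal". Returns 0 when the identifier that mode
# requires is present, 1 (with a message on stderr) otherwise.
validate_azure_producer() {
    case "$1" in
        programmatic)
            [ -n "$2" ] || { echo "programmatic access requires --azure-app-obj-id" >&2; return 1; } ;;
        portal)
            [ -n "$3" ] || { echo "portal access requires --azure-user-principal-name" >&2; return 1; } ;;
        *)
            echo "mode must be programmatic or portal, got: $1" >&2; return 1 ;;
    esac
}

# gateway_url_ok URL: accept only https:// (a 'https:\\' placeholder is not a
# URL, and plain http would expose the returned credentials on the wire).
gateway_url_ok() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# create_azure_producer NAME TARGET GW_URL MODE APP_OBJ_ID UPN
# Builds the create command with only the flags that apply to MODE.
create_azure_producer() {
    name="$1"; target="$2"; gw="$3"; mode="$4"; app_obj_id="$5"; upn="$6"
    validate_azure_producer "$mode" "$app_obj_id" "$upn" || return 1
    gateway_url_ok "$gw" || { echo "gateway URL must start with https://" >&2; return 1; }
    set -- akeyless gateway-create-producer-azure \
        --name "$name" --target-name "$target" --gateway-url "$gw"
    if [ "$mode" = "programmatic" ]; then
        set -- "$@" --azure-user-programmatic-access true \
                    --azure-user-portal-access false \
                    --azure-app-obj-id "$app_obj_id"
    else
        set -- "$@" --azure-user-programmatic-access false \
                    --azure-user-portal-access true \
                    --azure-user-principal-name "$upn"
    fi
    run_or_print "$@"
}

# fetch_azure_secret NAME: ask the gateway for a fresh credential from the
# dynamic secret stored at NAME.
fetch_azure_secret() {
    run_or_print akeyless get-dynamic-secret-value --name "$1"
}

# Usage with constructed placeholders (not real identifiers):
create_azure_producer "/azure/ad-app-secret" "/azure/ad-target" \
    "https://gw.example.internal:8000" programmatic \
    "00000000-0000-0000-0000-000000000000" ""
fetch_azure_secret "/azure/ad-app-secret"
```

Run it with DRY_RUN=0 once the printed commands look right. Passing only the flags that belong to the chosen mode keeps a stray --azure-app-obj-id from being accepted on a portal-mode secret and vice versa.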

Create a Dynamic Azure AD Secret in the Akeyless Console

Tip

To work with dynamic secrets from the Akeyless Console, first configure the Gateway URL so that the Akeyless SaaS can communicate with your Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Dynamic Secret.

  2. Select the Azure AD secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Delete Protection: When enabled, protects the secret from accidental deletion.

  • Target mode: In this section, you can either select an existing Azure AD Target or specify details of the target Azure AD server explicitly (e.g., if you are not authorized to create and access Targets in the Akeyless Console).

    • Use the Choose an existing target drop-down list to select the existing Azure AD Target.

    • Check the Explicitly specify target properties radio button to provide details of the target Azure AD server on the next step of the wizard.

Tip

We recommend using dynamic secrets together with targets, because the target stores the Azure AD connection details once instead of repeating them in every secret. To enable this flow, ensure that the user who creates dynamic secrets has permission to access or create targets.

  • Programmatic Access: Select this radio button to create a temporary application secret for a specific App.

  • Portal Access: Select this radio button to create a temporary user and password.

  • App Object ID: Provide the Object ID of the App whose secret the dynamic secret will create. (Programmatic Access only.)

  • User Principal Name: Provide the User Principal Name (UPN). (Portal Access only.)

  • User Groups Object ID: Provide the Object IDs of the groups the new user is added to. Separate multiple values with commas. (Portal Access only.)

  • User Roles Template ID: Provide the Template IDs of the roles assigned to the new user. Separate multiple values with commas. (Portal Access only.)

  • Externally Provided Username: Select this checkbox to let the dynamic secret engine add and remove the assigned groups and roles on an existing user instead of creating a new temporary user. (Portal Access only.)

  • Extract username from the following claim (Key name): Provide the name of the claim in the authentication token from which the externally provided username is taken. The claim value must be either the full user principal name or the user display name.

  • User TTL: Provide the time-to-live of the credentials each request generates. When the TTL expires, the credentials are no longer valid.

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users and secrets.

  • Protection key: To enable Zero Knowledge, select a key with a Customer Fragment. For more information, see Implement Zero Knowledge.

  5. If you checked the Explicitly specify target properties radio button, click Next.

  6. Provide details of the target Azure AD server:

  • Client ID (Application ID): The Application ID of the App Registration.

  • Tenant ID: Your Azure Tenant ID.

  • Client Secret: Your Azure Client Secret.

  7. Click Finish.
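Before enabling Externally Provided Username in the wizard above, it is worth confirming that the token your IdP issues actually carries the claim you name in "Extract username from the following claim", and that its value is a full user principal name or display name as the page requires. The script below is an added example and not Akeyless' own code: it decodes a JWT payload and pulls out a named claim with nothing but sh, base64, tr and sed. The token it inspects is constructed inline (unsigned, with a dummy signature) as sample input, and the claim names upn and name are assumptions about an IdP, not Akeyless settings.

```shell
#!/bin/sh
# Added example (not Akeyless' own code): inspect a JWT to check which claim
# carries the username you plan to configure as the claim key name.
# The sample token is constructed here; "upn" and "name" are assumed IdP claims.

# b64url STRING: base64url-encode without padding (used to build the sample).
b64url() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# jwt_claim TOKEN KEY: print the string value of claim KEY from the JWT payload,
# or nothing when the claim is absent. The payload is base64url, so the URL-safe
# alphabet is mapped back and the stripped padding restored before decoding.
jwt_claim() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in
        2) payload="${payload}==" ;;
        3) payload="${payload}=" ;;
    esac
    printf '%s' "$payload" | base64 -d 2>/dev/null \
        | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# claim_usable TOKEN KEY: 0 if KEY is present with a non-empty string value
# (so it can serve as the externally provided username), 1 otherwise.
claim_usable() {
    v=$(jwt_claim "$1" "$2")
    [ -n "$v" ]
}

# Constructed sample token: header.payload.signature with a dummy signature.
SAMPLE_TOKEN="$(b64url '{"alg":"none","typ":"JWT"}').$(b64url '{"upn":"alice@contoso.onmicrosoft.com","name":"Alice Example","sub":"42"}').sig"

jwt_claim "$SAMPLE_TOKEN" upn     # alice@contoso.onmicrosoft.com
jwt_claim "$SAMPLE_TOKEN" name    # Alice Example
```

Feed a real token from your IdP in place of SAMPLE_TOKEN to see which claim names are present; configure the one whose value is the UPN or display name of the user that should receive the temporary groups and roles.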

Fetch a Dynamic Azure AD Secret Value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click the Get Dynamic Secret button.
