Access Key Vault secret when deploying Azure Managed Applications

When you need to pass a secure value (like a password) as a parameter during deployment, you can retrieve the value from an Azure Key Vault. To access the Key Vault when deploying Managed Applications, you must grant access to the Appliance Resource Provider service principal. The Managed Applications service uses this identity to run operations. To successfully retrieve a value from a Key Vault during deployment, the service principal must be able to access the Key Vault.

This article describes how to configure the Key Vault to work with Managed Applications.

Enable template deployment

  1. In the portal, select your Key Vault.

  2. Select Access policies.

    Select access policies

  3. Select Click to show advanced access policies.

    Show advanced access policies

  4. Select Enable access to Azure Resource Manager for template deployment. Then, select Save.

    Enable template deployment

Add service as contributor

  1. Select Access control (IAM).

    Select access control

  2. Select Add role assignment.

    Select add

  3. Select Contributor for the role. Search for Appliance Resource Provider and select it from the available options.

    Search for provider

  4. Select Save.

Reference Key Vault secret

To pass a secret from a Key Vault to a template in your Managed Application, you must use a linked template and reference the Key Vault in the parameters for the linked template. Provide the resource ID of the Key Vault and the name of the secret.

"resources": [{
  "apiVersion": "2015-01-01",
  "name": "linkedTemplate",
  "type": "Microsoft.Resources/deployments",
  "properties": {
    "mode": "incremental",
    "templateLink": {
      "uri": "",
      "contentVersion": ""
    "parameters": {
      "adminPassword": {
        "reference": {
          "keyVault": {
            "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>"
          "secretName": "<secret-name>"
      "adminLogin": { "value": "[parameters('adminLogin')]" },
      "sqlServerName": {"value": "[parameters('sqlServerName')]"}

Next steps

You've configured your Key Vault to be accessible during deployment of a Managed Application.