Azure Client Secrets Connection
Learn how to configure an Azure Client Secrets Connection for Hanzo KMS.
Hanzo KMS currently supports only two methods for connecting to Azure: OAuth and Client Secrets.
Using the Azure Client Secrets connection on a self-hosted instance of Hanzo KMS requires configuring an application in Azure and registering your instance with it.
Prerequisites:
- Set up Azure.
Navigate to Azure Active Directory > App registrations to create a new application.
Azure Active Directory is now Microsoft Entra ID.

Create the application. As part of the form, set the Redirect URI to https://your-domain.com/organization/app-connections/azure/oauth/callback.
The domain you defined in the Redirect URI should be equivalent to the SITE_URL configured in your Hanzo KMS instance.

For the Azure Connection to work with Client Secrets, you need to assign the following permissions to the application.
Azure Client Secrets permissions
Set the API permissions of the Azure application to include the following permissions:
- Microsoft Graph
  - Application.ReadWrite.All
  - Application.ReadWrite.OwnedBy
  - Application.ReadWrite.All (Delegated)
  - Directory.ReadWrite.All (Delegated)
  - User.Read (Delegated)

Obtain the Application (Client) ID and Directory (Tenant) ID in Overview (these will be used later in the Hanzo KMS connection), and generate a Client Secret in Certificates & secrets for your Azure application.

Back in your Hanzo KMS instance, add two new environment variables for the credentials of your Azure application.
- INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID: The Application (Client) ID of your Azure application.
- INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET: The Client Secret of your Azure application.
Once added, restart your Hanzo KMS instance and use the Azure Client Secrets connection.
Ensure your Azure application has the required permissions that Hanzo KMS needs for the Azure Client Secrets connection to work.
Prerequisites:
- An active Azure setup.
For the Azure Client Secrets connection to work, assign the following permissions to your Azure application:
Required API Permissions
Microsoft Graph
- Application.ReadWrite.All
- Application.ReadWrite.OwnedBy
- Application.ReadWrite.All (Delegated)
- Directory.ReadWrite.All (Delegated)
- User.Read (Delegated)

Navigate to the Certificates & secrets section of your Azure App Registration, and press the Upload certificate button.
Select the Upload button and upload your certificate.

Keep in mind that both the certificate and its private key are required to configure the Azure Client Secrets connection in Hanzo KMS.
Setup Azure Connection in Hanzo KMS
Navigate to the Integrations tab in the desired project, then select App Connections. 
Select the Azure Connection option from the connection options modal. 
Fill in the Tenant ID field with the Directory (Tenant) ID you obtained in the previous step.
Now select the OAuth method and click Connect to Azure.

You will then be redirected to Azure to grant Hanzo KMS access to your Azure account. Once granted,
you will be redirected back to Hanzo KMS's App Connections page. 
Fill in the Tenant ID, Client ID and Client Secret fields with the Directory (Tenant) ID, Application (Client) ID and Client Secret you obtained in the previous step.

Fill in the Tenant ID, Client ID, Certificate (PEM format), and Private Key fields with the Directory (Tenant) ID, Application (Client) ID, Certificate and Private Key you obtained in the previous step.
The private key is never transmitted to Azure, and it is only used to sign the client assertion used to authenticate with Azure.

Your Azure Client Secrets Connection is now available for use. 
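An added example (not Hanzo KMS's code and not part of the original page) of the mechanism described for the certificate method: the private key signs a short-lived client assertion locally, and only the signed JWT is sent to Azure. It follows the certificate-credential JWT layout Microsoft documents for the identity platform; the key pair, IDs and certificate bytes are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example, not Hanzo KMS code. Function names are hypothetical.
const crypto = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Build the signed JWT that is sent to the token endpoint as `client_assertion`.
function buildClientAssertion({ tenantId, clientId, privateKey, certDer, now }) {
  const header = {
    alg: "RS256",
    typ: "JWT",
    // x5t = base64url(SHA-1 of the certificate's DER bytes); it tells Azure
    // which uploaded certificate to check the signature against.
    x5t: crypto.createHash("sha1").update(certDer).digest("base64url"),
  };
  const claims = {
    aud: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    iss: clientId,
    sub: clientId,
    jti: crypto.randomUUID(), // unique per assertion
    nbf: now,
    iat: now,
    exp: now + 300, // short lifetime limits replay if the assertion leaks
  };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  // RSA PKCS#1 v1.5 with SHA-256 (RS256); the key itself never enters the JWT.
  const sig = crypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// The receiving side needs only the public key from the uploaded certificate.
function verifyClientAssertion(jwt, publicKey) {
  const [h, p, s] = jwt.split(".");
  const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString());
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, "base64url"));
  return { ok, header: decode(h), claims: decode(p) };
}

// Constructed sample input: throwaway key pair and placeholder certificate bytes.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const sample = {
  tenantId: "00000000-0000-0000-0000-000000000000", // placeholder tenant ID
  clientId: "11111111-1111-1111-1111-111111111111", // placeholder client ID
  privateKey,
  certDer: Buffer.from("constructed stand-in for the certificate DER"),
  now: Math.floor(Date.now() / 1000),
};
const assertion = buildClientAssertion(sample);
const result = verifyClientAssertion(assertion, publicKey);
console.log(result.ok, result.claims.aud);
```

Because anyone holding the private key can mint valid assertions for the application, store it with the same care as a client secret.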