Keeping things like connection strings, API keys, and certificates in appsettings.json or directly in code is unsafe and no longer recommended. Azure Key Vault lets you store these secrets securely in one central place and works smoothly with modern .NET applications.
This quick guide explains how to connect Azure Key Vault to a .NET app using best practices
What is Azure Key Vault?
Azure Key Vault is an Azure service that safely stores important and sensitive information, such as:
Secrets – Passwords, API keys, and Connection Strings
Keys – used for encryption and digital signing
Certificates – SSL/TLS certificates
It keeps these values out of your code, lets apps access them securely using Azure Active Directory, and supports logging, access control, and automatic rotation.
Why use Azure Key Vault in .NET?
Azure Key Vault helps you:
Improve security by using Azure Active Directory for access
Manage secrets in one place for all environments
Keep passwords and keys out of code and config files
Easily connect Key Vault with .NET apps
If your app runs in Azure, Azure Key Vault is usually the best and safest option.
Prerequisites
You’ll need:
A .NET 6, 7, 8,9 or 10 applications
An Azure subscription
An Azure Key Vault with at least one secret
Granting Access
Azure Key Vault lets you authenticate in different ways. Pick the one that fits your app’s environment.
Option 1: Managed Identity (Best for Azure)
For apps running in Azure (like App Service, AKS, Virtual Machines, or Functions):
Turn on the System-Assigned Managed Identity for your resource.
In Key Vault → Access Control (IAM), assign the role: Key Vault Secrets User.
With this method, your app doesn’t store or manage any credentials—Azure takes care of it securely.
Option 2: Client ID and Client Secret (Service Principal)
This method works well for local development or apps running outside Azure.
Create an Azure AD App Registration.
Generate a Client Secret for the app.
Give the app access to Key Vault by assigning the Key Vault Secrets User role.
Set these environment variables in your system:
AZURE_CLIENT_ID=<client-id>
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_SECRET=<client-secret>
When your app runs, DefaultAzureCredential will automatically use these values.
Option 3: Certificate-Based Authentication
Certificate authentication is more secure than client secrets and ideal for enterprise or long-running services.
Steps:
Create an Azure AD App Registration
Upload a public certificate to the app registration
Store the private certificate securely (Windows cert store or file)
Grant the app access to Key Vault
Example configuration:
var credential = new ClientCertificateCredential(
tenantId,
clientId,
certificate);
builder.Configuration.AddAzureKeyVault(
new Uri("https://<your-key-vault-name>.vault.azure.net/"),
credential);
This avoids secrets entirely and supports certificate rotation.
Add Required NuGet Packages
Install:
Configure Key Vault in Program.cs
using Azure.Identity;
var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddAzureKeyVault(
new Uri("https://<your-key-vault-name>.vault.azure.net/"),
new DefaultAzureCredential());
var app = builder.Build();
app.Run();
DefaultAzureCredential automatically works for local development and Azure-hosted environments.
Using Secrets in the App
Once configured, secrets behave like normal configuration values:
var connectionString = builder.Configuration["SqlConnectionString"];
Secret names such as Database--ConnectionString map to Database:ConnectionString in .NET.
Production Best Practices
Prefer Managed Identity over client secrets
Give your app only the permissions it needs
Never log secret values
Cache secrets at startup if your app uses them often
Conclusion
Azure Key Vault makes it easy and safe to manage secrets in .NET apps. With just a little setup, you get better security, cleaner configuration, and a solution that works across all environments.
For production .NET apps running on Azure, using Key Vault should be a standard practice.
Happy Coding!