MSP Knowledge Base · Security & Automation
KB-SEC-0041 v1.0 Mar 2026 · Active

API Key Vault Console

A centralized, Azure Key Vault-backed console for storing, rotating, distributing, and auditing API credentials across the full MSP vendor stack. Covers setup, daily use, rotation policy, technician access control, and troubleshooting.

📅 Created: March 2026 ✏️ Author: Michael Krawczyk 🔄 Review cycle: 90 days 🏷 Tags: Azure, Key Vault, Entra ID, API, Security, Automation

📋 Overview

The API Key Vault Console is a single-page HTML dashboard that manages API credentials for every vendor in the MSP stack. All secrets are stored encrypted in Azure Key Vault — nothing is held in the browser or on disk. The console authenticates to the vault using a Microsoft Entra ID app registration and provides a unified interface for adding, rotating, distributing, and auditing keys across 32 pre-loaded vendor integrations.

ℹ️ What problem does this solve?
API keys for MSP tools are typically scattered — stored in password managers, technician notes, shared spreadsheets, or inside individual scripts. When a key rotates or a technician leaves, there's no central record of what was updated or who had access. This console makes key management a defined, auditable process rather than tribal knowledge.

Key capabilities

Capability | Description
🗄 Vault | Store and view all vendor API keys with expiry tracking, key preview, and status indicators per vendor.
🔄 Rotation | Track rotation schedules per vendor, see overdue and upcoming rotations, and rotate keys individually or in bulk.
📤 Distribute | Role-based access toggles per technician. Grant or revoke access to specific vendor keys per role (Admin, L2, L1, NOC).
📋 Audit Log | Tamper-evident log of every action — add, retrieve, rotate, distribute, delete — with timestamp, user, vendor, and notes. CSV export included.
⚙️ Setup Guide | In-console step-by-step guide for wiring up Entra ID and Azure Key Vault.
🖨 Print / PDF | One-click print-optimized report of all vendor key statuses, expiry dates, and rotation schedule. Save as PDF from the print dialog.

🏗 Architecture

Microsoft Entra ID and Azure Key Vault are two separate Azure services that work together. Entra handles identity — it verifies who is allowed to access the vault. Key Vault handles the secrets — it stores them encrypted and only hands them over after a valid Entra token is presented.

🌐 Browser Console (HTML + JS)
    │ Client ID + Secret
    ▼
🪪 Microsoft Entra ID (OAuth2 Token)
    │ Bearer Token
    ▼
🔑 Azure Key Vault (Encrypted Secrets)
    │ Secret Value
    ▼
🔌 Vendor API (NinjaRMM, S1, etc.)

The values entered in the Connect Azure modal correspond directly to this flow:

Modal Field | What It Is | Where to Find It
Tenant ID | Your Azure AD / Entra directory ID | Entra ID → Overview → Directory (Tenant) ID
Client ID | The app registration identity | App Registrations → your app → Application (client) ID
Client Secret | The app's password for Entra | App Registrations → your app → Certificates & Secrets → Value
Key Vault Name | Just the vault name, not the full URI | Key Vault → Overview → Vault name
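The flow in the diagram, written out as an added example (this is not the console's own code): a client-credentials token request to the Entra ID v2.0 token endpoint, then a secret read from the Key Vault data plane with the bearer token. The endpoint shapes are the public Azure REST ones; `api-version=7.4` is assumed to be current for the reader's vault. `fetchImpl` is injected so the whole exchange can be exercised offline against a constructed fake of both services, which also reproduces the 401 (bad secret) and 403 (missing role) failures the troubleshooting section describes.

```javascript
// Added example, not the console's own code: Entra client-credentials token
// exchange followed by a Key Vault secret read, against the public REST APIs.
const VAULT_API_VERSION = "7.4"; // assumption: current Key Vault data-plane version
const VAULT_SCOPE = "https://vault.azure.net/.default";

async function getEntraToken({ tenantId, clientId, clientSecret }, fetchImpl = globalThis.fetch) {
  const url = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: VAULT_SCOPE,
  }).toString();
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const { access_token } = await res.json();
  return access_token;
}

async function getVaultSecret(vaultName, secretName, token, fetchImpl = globalThis.fetch) {
  // Only the vault name goes in the host; the URI is built here, not pasted in.
  const url = `https://${vaultName}.vault.azure.net/secrets/${encodeURIComponent(secretName)}?api-version=${VAULT_API_VERSION}`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (res.status === 403) throw new Error("vault returned 403: check the role assignment and that the vault uses the Azure RBAC permission model");
  if (!res.ok) throw new Error(`secret read failed: HTTP ${res.status}`);
  const { value } = await res.json();
  return value;
}

// Constructed offline stand-in for both services (not real Azure behaviour in
// every detail): one accepted client secret, one accepted bearer token, 403 on
// the vault read when the token is wrong.
function makeFakeAzure({ vaultName, secrets }) {
  const calls = [];
  async function fetch(url, init = {}) {
    calls.push({ url, method: init.method || "GET" });
    if (url.startsWith("https://login.microsoftonline.com/")) {
      const p = new URLSearchParams(init.body);
      const ok = p.get("grant_type") === "client_credentials" &&
        p.get("client_secret") === "fake-client-secret" && p.get("scope") === VAULT_SCOPE;
      return ok
        ? { ok: true, status: 200, json: async () => ({ token_type: "Bearer", expires_in: 3599, access_token: "fake-token" }) }
        : { ok: false, status: 401, json: async () => ({ error: "invalid_client" }) };
    }
    const m = url.match(new RegExp(`^https://${vaultName}\\.vault\\.azure\\.net/secrets/([^?]+)\\?api-version=`));
    if (m) {
      if ((init.headers || {}).Authorization !== "Bearer fake-token") return { ok: false, status: 403, json: async () => ({}) };
      const name = decodeURIComponent(m[1]);
      return name in secrets
        ? { ok: true, status: 200, json: async () => ({ value: secrets[name] }) }
        : { ok: false, status: 404, json: async () => ({}) };
    }
    return { ok: false, status: 404, json: async () => ({}) };
  }
  return { fetch, calls };
}

// Full flow: token first, then the secret, exactly as the diagram shows.
async function readVendorKey(conn, secretName, fetchImpl) {
  const token = await getEntraToken(conn, fetchImpl);
  return getVaultSecret(conn.vaultName, secretName, token, fetchImpl);
}

// Constructed connection values and secret store; none of these are real identifiers.
const DEMO_CONN = {
  tenantId: "00000000-0000-0000-0000-000000000000",
  clientId: "11111111-1111-1111-1111-111111111111",
  clientSecret: "fake-client-secret",
  vaultName: "msp-api-keyvault",
};
const DEMO_AZURE = makeFakeAzure({
  vaultName: "msp-api-keyvault",
  secrets: { "ninjarmm-api-key": "ninja_constructed_0000_5f2a" },
});
```

The secret value is returned to the caller and never written anywhere, which is the property the Overview relies on; to run it against real Azure, pass the global `fetch` and real Connect-modal values instead of `DEMO_AZURE.fetch`.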

⚙️ Setup Guide

Complete these four phases in order. Total time is approximately 15-20 minutes for a net-new deployment.

⚠️ Prerequisites
You need a Global Administrator or Owner role on the Azure subscription to create a Key Vault and assign RBAC roles. If you only have Contributor, you can create the vault but cannot assign roles — escalate to an Owner for that step.

Phase 1 — Create the Azure Key Vault

1. Navigate to Key Vaults in the Azure Portal
   Sign into portal.azure.com. Search Key Vaults in the top bar. Click Create.
2. Configure basics
   Set Vault Name to msp-api-keyvault (or your naming convention), select your region, and use the Standard pricing tier. Enable Soft Delete with 90-day retention.
3. Set Permission Model to Azure RBAC
   On the Access Configuration tab, select Azure role-based access control. This is preferred over Vault Access Policies for MSP environments — it integrates cleanly with Entra PIM and Conditional Access.
4. Note the Vault URI
   After creation, go to the vault Overview and copy the Vault URI. Only the name portion goes in the connect modal — e.g. msp-api-keyvault, not the full URL.

Phase 2 — Entra ID App Registration

1. Open Microsoft Entra ID → App Registrations → New Registration
   Name the app msp-api-vault-console. Set Supported Account Types to Single tenant. Leave Redirect URI blank — this console uses the client credentials flow, not user-delegated auth.
2. Copy Tenant ID and Client ID from the Overview
   Both GUIDs are visible on the app's Overview page immediately after registration. Save them — these go directly into the Connect modal.
3. Create a Client Secret
   Go to Certificates & Secrets → Client Secrets → New Client Secret. Set a description (e.g. vault-console-secret) and an expiry of 12 months. Copy the Value immediately — it is only shown once. Add this credential as a vendor entry in the console with a 90-day rotation reminder.

🔴 If you navigate away before copying the secret Value, you must delete the secret and create a new one. There is no way to retrieve it after initial creation.

Phase 3 — Grant Key Vault Access via RBAC

1. Open the Key Vault → Access Control (IAM) → Add Role Assignment
   This step grants your app registration the ability to read and write secrets in the vault.
2. Assign the correct role
   For the console (admin use): assign Key Vault Secrets Officer — allows get, list, set, and delete on secrets.
   For read-only technician identities: assign Key Vault Secrets User — get and list only.
3. Assign to your app registration
   On the Members tab, choose User, group, or service principal. Search for msp-api-vault-console. Select it, then Review + Assign. Allow 1-2 minutes for RBAC propagation before connecting.

Phase 4 — Connect the Console

1. Click ⚡ Connect Azure in the topbar
   The Connect modal accepts your Tenant ID, Client ID, Client Secret, and Vault Name. All four fields are required.
2. Verify the connection badge turns green
   On success, the topbar badge changes from NOT CONNECTED to VAULT: MSP-API-KEYVAULT and the vault URI appears in each vendor's detail panel.

🖥 Using the Console

Adding a Key

Click + Add Key in the topbar or sidebar. Select the vendor from the dropdown — all 32 vendors are pre-loaded with their correct API endpoint and key format hint. Paste the API key, set an expiry date, choose a rotation interval, and optionally add a note. Click Save to Vault. The key is stored immediately in Azure Key Vault under the vendor's secret name.

ℹ️ The console only stores a masked preview of the key (e.g. ninja_••••••••••••5f2a) in its local state. The actual value lives exclusively in Azure Key Vault and is retrieved via the authenticated token when needed.

Rotating a Key

There are three ways to rotate:

Method | How | Use Case
Row-level | Click Rotate button on the vendor row in the Vault tab | Single vendor, ad-hoc rotation
Detail panel | Open vendor detail → click 🔄 Rotate Key | When you want to review before rotating
Bulk rotation | Click 🔄 Rotate All Due in the Rotation tab or sidebar | Scheduled maintenance window — rotates all keys due within 14 days

⚠️ Before rotating any vendor key
Generate the new key in the vendor's portal first. Then paste it into the console. Rotating in the console does not automatically generate a new key at the vendor — it updates the stored value and resets the rotation clock.

Distributing Keys to Technicians

The Distribute tab shows a card per technician role. Each card lists all vendors with a stored key, with a toggle to grant or revoke access. Access changes are logged to the Audit Log immediately. Current roles are:

Role | Default Access | Intended For
Admin | All vendors | Senior engineers, security leads
L2 | RMM, PSA, EDR, Network, Backup | Level 2 technicians
L1 | RMM, PSA only | Level 1 / helpdesk
NOC | RMM, EDR, Email Security | NOC analysts (monitoring only)

Audit Log

Every action taken in the console — add, retrieve, rotate, distribute, delete — is written to the Audit Log with a timestamp, action type, vendor name, user, and notes field. The log is sorted newest-first and exportable to CSV via the Export Log button. For Azure Monitor integration, see Security Hardening.

🔄 Rotation Schedule by Category

Default rotation intervals are pre-set per vendor category based on risk profile and common vendor recommendations. These can be overridden per vendor when adding a key.

Category | Default Interval | Rationale
RMM | 90 days | High privilege — full device access. Treat like admin credentials.
PSA | 90 days | Ticket and billing data access. Moderate-high risk.
Security / EDR | 90 days | Threat response tools. Compromise of these keys is a critical incident.
Network | 180 days | Read-heavy operations. Lower risk than EDR but still sensitive.
Backup | 90 days | Recovery data access. Ransomware vector if compromised.
Identity | 180 days | Graph API / Entra tokens. Usually tied to app registration lifecycle.
Comms | 180 days | Lower sensitivity. Voice/SMS API data.
Distribution | 365 days | Ordering and procurement — typically stable, lower risk.
Hardware | 180 days | Asset lifecycle data. Not a primary attack surface.

The Rotation tab surfaces all keys due within 14 days highlighted in yellow and overdue keys in red. Run Rotate All Due during a scheduled maintenance window to batch-rotate everything at once.
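The bookkeeping behind the Rotation tab and Rotate All Due, as an added example rather than the console's own code: category defaults are the ones in the table above, a per-vendor override wins over the default, the due window is the 14 days the page states, and bulk rotation refuses to proceed for any key without a new value, because, as noted above, rotating in the console does not generate a key at the vendor. The inventory, dates and key strings are constructed.

```javascript
// Added example, not the console's own code: rotation due/overdue tracking
// and the "Rotate All Due" batch step.
const DEFAULT_ROTATION_DAYS = {
  RMM: 90, PSA: 90, "Security / EDR": 90, Network: 180, Backup: 90,
  Identity: 180, Comms: 180, Distribution: 365, Hardware: 180,
};
const DUE_WINDOW_DAYS = 14;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Per-vendor override wins over the category default, as the console allows.
function nextRotationDate(entry) {
  const interval = entry.rotationDays ?? DEFAULT_ROTATION_DAYS[entry.category];
  if (!interval) throw new Error(`no rotation interval for category "${entry.category}"`);
  return new Date(Date.parse(entry.lastRotated) + interval * MS_PER_DAY);
}

// Buckets keys into overdue (red), due within the window (yellow) and ok.
function classifyRotations(entries, todayIso) {
  const now = Date.parse(todayIso);
  const out = { overdue: [], due: [], ok: [] };
  for (const e of entries) {
    const next = nextRotationDate(e);
    const daysLeft = Math.floor((next.getTime() - now) / MS_PER_DAY);
    const rec = { vendor: e.vendor, nextRotation: next.toISOString().slice(0, 10), daysLeft };
    if (daysLeft < 0) out.overdue.push(rec);
    else if (daysLeft <= DUE_WINDOW_DAYS) out.due.push(rec);
    else out.ok.push(rec);
  }
  return out;
}

// Preview in the same shape the console shows: prefix, bullets, last 4 chars.
function maskKey(key) {
  const prefix = key.slice(0, key.indexOf("_") + 1);
  return prefix + "•".repeat(Math.max(4, key.length - prefix.length - 4)) + key.slice(-4);
}

// "Rotate All Due": every overdue or due key gets its new value and a reset
// clock. The new values must already exist at the vendor, so a missing one
// is an error rather than a silent skip.
function rotateAllDue(entries, todayIso, newValues) {
  const { overdue, due } = classifyRotations(entries, todayIso);
  const targets = new Set([...overdue, ...due].map((r) => r.vendor));
  return entries.map((e) => {
    if (!targets.has(e.vendor)) return e;
    if (!(e.vendor in newValues)) throw new Error(`no new key supplied for ${e.vendor}; generate it in the vendor portal first`);
    return { ...e, lastRotated: todayIso, preview: maskKey(newValues[e.vendor]) };
  });
}

// Constructed sample inventory; dates chosen so each bucket is hit on 2026-03-20.
const SAMPLE_KEYS = [
  { vendor: "NinjaRMM", category: "RMM", lastRotated: "2026-01-01" },                        // due 2026-04-01
  { vendor: "SentinelOne", category: "Security / EDR", lastRotated: "2025-11-01" },         // overdue since 2026-01-30
  { vendor: "FortiGate", category: "Network", lastRotated: "2025-10-01", rotationDays: 120 }, // override, overdue since 2026-01-29
  { vendor: "ConnectWise", category: "PSA", lastRotated: "2026-03-01" },                     // fine until 2026-05-30
];
```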

🛡 Security Hardening

Enable Key Vault Diagnostic Logs

Send every vault access event to Azure Monitor / Log Analytics for a full external audit trail. This is separate from the console's local audit log and is recommended for CMMC, SOC 2, or HIPAA environments.

Azure CLI
az monitor diagnostic-settings create \
  --name "kv-audit-logs" \
  --resource "/subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/msp-api-keyvault" \
  --logs '[{"category":"AuditEvent","enabled":true}]' \
  --workspace "{log-analytics-workspace-id}"

Enable Purge Protection

Prevents permanent deletion of secrets during the soft-delete retention window. Required for some compliance frameworks.

Azure CLI
az keyvault update \
  --name msp-api-keyvault \
  --enable-soft-delete true \
  --enable-purge-protection true

Restrict Access via Conditional Access

In Entra ID → Security → Conditional Access, create a policy scoped to the msp-api-vault-console app registration. Add a Named Location condition to restrict access to your office or VPN IP range. This prevents the Client ID + Secret from being usable outside your known network, even if the credentials are stolen. Note that Conditional Access policies targeting service principals (workload identities) require Microsoft Entra Workload ID Premium licensing; without it the policy cannot be scoped to the app registration.

Rotate the Entra Client Secret on a Schedule

The Client Secret used to authenticate this console is itself a credential that expires and needs rotation. Add it as a vendor entry in the console using vendor name Entra App Secret with a 90-day rotation interval. When it expires, generate a new secret in App Registrations, update it in the console's Connect modal, and log the rotation in the Audit Log.

🔴 If the Client Secret expires
The console loses access to the vault immediately. You will not receive an automatic warning from the console itself — the connection will silently fail. Set an Azure Monitor alert on the app registration's secret expiry, or use this console's rotation tracking for the secret itself.

🔧 Troubleshooting

Connection badge stays red / "NOT CONNECTED" after entering credentials

Check the following in order:

1. Tenant ID and Client ID — confirm they are copied from the correct app registration, not a different one. Both should be GUIDs in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

2. Client Secret — if the secret has expired or was regenerated, the old value will fail silently. Create a new secret in App Registrations and paste the new Value.

3. RBAC not propagated — if you just assigned the Key Vault Secrets Officer role, wait 2-3 minutes and retry. Azure RBAC propagation is eventually consistent.

4. Vault name — enter just the name portion, not the full URI. msp-api-keyvault not https://msp-api-keyvault.vault.azure.net/.
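Items 1 and 4 of that checklist can be caught before a token request is ever sent. The following is an added example, not the console's own code: it checks both GUIDs against the format shown above, flags the common paste mistake of the same GUID in both fields, and reduces a pasted Vault URI or hostname to the bare vault name. The vault-name pattern encodes the Azure Key Vault naming rule (3-24 characters, letters, digits and hyphens, starting with a letter and ending with a letter or digit); the sample values in the test are constructed.

```javascript
// Added example, not the console's own code: pre-flight validation of the
// Connect modal fields before any call to Entra ID or Key Vault.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Key Vault naming rule: 3-24 chars, letters/digits/hyphens, starts with a
// letter, ends with a letter or digit.
const VAULT_NAME_RE = /^[a-z][a-z0-9-]{1,22}[a-z0-9]$/i;

// Accepts "msp-api-keyvault", "msp-api-keyvault.vault.azure.net" or the full
// https URI and returns just the name portion; anything else is returned as-is.
function normalizeVaultName(input) {
  const s = String(input || "").trim();
  const m = s.match(/^(?:https?:\/\/)?([^./]+)\.vault\.azure\.net\/?$/i);
  return m ? m[1] : s;
}

function validateConnectFields({ tenantId = "", clientId = "", clientSecret = "", vaultName = "" }) {
  const problems = [];
  const t = tenantId.trim();
  const c = clientId.trim();
  if (!GUID_RE.test(t)) problems.push("Tenant ID is not a GUID (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)");
  if (!GUID_RE.test(c)) problems.push("Client ID is not a GUID (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)");
  if (t && t.toLowerCase() === c.toLowerCase()) problems.push("Tenant ID and Client ID are identical; one was pasted into the wrong field");
  if (!clientSecret.trim()) problems.push("Client Secret is empty");
  const name = normalizeVaultName(vaultName);
  if (!VAULT_NAME_RE.test(name)) problems.push(`"${name}" is not a valid Key Vault name; enter only the name portion`);
  const notes = name !== vaultName.trim() ? ["vault name was extracted from the URI you pasted"] : [];
  return { ok: problems.length === 0, problems, notes, vaultName: name };
}
```

Returning the normalized `vaultName` lets the caller feed the cleaned value straight into the connection step instead of rejecting a pasted URI outright.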

Keys saved in demo mode are gone after refreshing

This is expected behavior. When Azure Key Vault is not connected, key data is held in JavaScript memory only — it does not persist between sessions. This is by design to avoid storing credentials in browser storage (localStorage, IndexedDB, etc.).

Connect the console to Azure Key Vault and all saves will persist in the vault across sessions.

Vendor API test returns failure even though the key looks correct

The test ping fires a lightweight request to the vendor's documented base endpoint. Common causes of failure:

1. Key scope — some vendors issue keys tied to specific permissions or scopes. A key without the required scope may authenticate but return 403 on the test endpoint. Check the vendor portal for scope/permission settings.

2. IP allowlisting — some vendors (SentinelOne, certain ConnectWise configurations) restrict API access by IP. If you are behind a VPN or a new IP, you may need to add it to the vendor's allowlist.

3. Endpoint format — for vendors with tenant-specific subdomains (SentinelOne, ConnectWise Automate, FortiGate), the pre-loaded endpoint contains a placeholder like {tenant} or {server}. Update the endpoint with your actual subdomain in the vendor's detail panel.

"Key Vault Secrets Officer" role was assigned but vault still returns 403

This almost always means the vault's Permission Model is set to Vault Access Policies rather than Azure RBAC. RBAC role assignments only apply when the vault is configured for RBAC mode.

To check: Key Vault → Settings → Access Configuration → verify Azure role-based access control is selected. If it shows Vault access policy, you either need to switch the model (which requires Owner rights and affects all existing assignments) or add the app registration directly in the Access Policies blade using the legacy method.

Print / PDF report cuts off some vendor rows

The print stylesheet targets landscape letter size. If rows are still being clipped, try the following in the Chrome print dialog:

1. Set Layout to Landscape.

2. Under More Settings, enable Background graphics so category color pills render correctly.

3. If the table is still too wide, reduce the Scale to 85-90%.

4. As a fallback, export the CSV from the Vault view — it contains all the same data in a format that can be opened in Excel and printed from there.

KB-SEC-0041 · v1.0 · March 2026 · Author: Michael Krawczyk · Review cycle: 90 days