Application Integrations

AZExecute seamlessly integrates with various Azure and third-party services to automatically deploy rotated secrets and certificates. These integrations eliminate manual credential updates and ensure your applications always have current authentication credentials.


Available Integrations

Each integration serves a specific purpose in the credential deployment workflow:

Azure Key Vault - Centralized secret storage for Azure workloads

Azure DevOps - Service connection credential updates

Vercel - Serverless application environment variables

Logic App API Connections - Connector credential updates

Automation Tasks - Custom deployment workflows

Integrations can be combined - for example, deploying secrets to both Key Vault and Vercel, or updating DevOps and triggering custom automation tasks.


Azure Key Vault Integration

Azure Key Vault provides secure, centralized storage for both secrets and certificates. This is the recommended integration for most Azure workloads.

Configuration

Key Vault integration is configured separately for secrets and certificates:

For Secrets:

1. Navigate to the Secrets tab

2. Enable Key Vault Integration

3. Select the target Key Vault from your accessible vaults

4. Specify the secret name (defaults to application name)

5. System automatically configures access permissions

For Certificates:

1. Navigate to the Certificates tab

2. Enable Key Vault Integration

3. Select the target Key Vault

4. Certificate name defaults to application name

5. System configures certificate permissions automatically

Access Control

AZExecute automatically configures access based on your Key Vault's authorization model:

RBAC-Enabled Key Vaults:

• Assigns Key Vault Secrets Officer role for secret operations

• Assigns Key Vault Certificates Officer role for certificate operations

• Grants permissions to both AZExecute and the application service principal

Access Policy-Based Key Vaults:

• Creates access policy with Get, List, Set permissions for secrets

• Grants Get, List, Import permissions for certificates

• Configures policies for both system and application identities

Automatic Detection: AZExecute automatically detects your Key Vault's authorization model and configures the appropriate access method.


How It Works

1. Credential Rotation - When a secret or certificate is rotated, a new credential is generated

2. Key Vault Upload - The new credential is uploaded to Key Vault as the latest version

3. Application Access - Applications retrieve the credential using the Key Vault SDK or references

4. Version Management - Old versions remain accessible during transition, then expire naturally

Recommended Pattern: Configure applications to use versionless Key Vault references (e.g., https://vault.azure.net/secrets/MySecret) to automatically get the latest version without code changes.
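A check for the pattern recommended above, added here as an example (it is not AZExecute code): it flags application settings whose Key Vault reference pins a secret version and would therefore keep resolving to the old credential after rotation. It assumes App Service style `@Microsoft.KeyVault(...)` references; the function name, setting names and vault name are constructed for illustration.

```powershell
# Added example: find Key Vault references that pin a secret version.
# Pinned references do not follow rotation; versionless ones resolve to the latest version.
function Test-KeyVaultReference {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value
    )

    # Only @Microsoft.KeyVault(...) references are inspected; plain values are skipped.
    $ref = [regex]::Match($Value, '^@Microsoft\.KeyVault\((.*)\)$')
    if (-not $ref.Success) { return }
    $body = $ref.Groups[1].Value
    $version = $null

    $uri = [regex]::Match($body, '(?i)SecretUri=([^;]+)')
    $ver = [regex]::Match($body, '(?i)SecretVersion=([^;]+)')
    if ($uri.Success) {
        # Path is /secrets/<name>[/<version>]; a third segment means a pinned version.
        $segments = ([uri]$uri.Groups[1].Value).AbsolutePath.Trim('/').Split('/')
        if ($segments.Count -ge 3 -and $segments[2]) { $version = $segments[2] }
    }
    elseif ($ver.Success) {
        $version = $ver.Groups[1].Value
    }

    [pscustomobject]@{ Setting = $Name; Pinned = [bool]$version; Version = $version }
}

# Constructed sample settings (vault name, secret name and version are placeholders).
$settings = [ordered]@{
    'AzureAd__ClientSecret' = '@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/MySecret/)'
    'Legacy__ClientSecret'  = '@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/MySecret/0123456789abcdef0123456789abcdef)'
    'Worker__ClientSecret'  = '@Microsoft.KeyVault(VaultName=example-vault;SecretName=MySecret;SecretVersion=0123456789abcdef0123456789abcdef)'
    'LogLevel'              = 'Information'
}

# Lists only the pinned references (Legacy__ClientSecret and Worker__ClientSecret here).
$settings.GetEnumerator() |
    ForEach-Object { Test-KeyVaultReference -Name $_.Key -Value $_.Value } |
    Where-Object Pinned |
    Format-Table -AutoSize
```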


Azure DevOps Integration

Automatically update Azure DevOps service connection credentials when secrets rotate, ensuring pipelines continue working without manual intervention.

Configuration

1. Navigate to the Secrets tab

2. Enable DevOps Integration

3. Select your Azure DevOps Organization

4. Choose the target Project

5. Select the Service Connection to update

6. System validates access and saves configuration

Prerequisites

Azure DevOps organization linked to your Entra ID tenant

Service connection using the application registration for authentication

Project Administrator or Service Connection Administrator permissions


How It Works

1. Secret Rotation - A new client secret is generated in Entra ID

2. Service Connection Update - AZExecute updates the service connection with the new secret

3. Automatic Pipeline Updates - All pipelines using the service connection automatically use the new credential on their next run

4. No Downtime - The old secret remains valid during the transition period

Zero Configuration Required: Pipelines don't need any changes - they automatically receive the updated credentials through the service connection.


Vercel Integration

Automatically update environment variables in Vercel projects when secrets rotate, with optional automatic redeployment to apply changes immediately.

Prerequisites

Application must be a member of a Group with Vercel configuration

Group must have valid Vercel access token configured

Vercel project must exist and be accessible with the configured token

Important: Vercel integration is group-based. The application must belong to an active group that has Vercel configuration before you can enable this integration.


Configuration

1. Ensure application is member of a Vercel-enabled group

2. Navigate to the Secrets tab

3. Enable Vercel Integration

4. Select the Vercel Team (from group configuration)

5. Choose the target Vercel Project

6. Specify the Environment Variable Name to update

7. Select Target Environments (Production, Preview, Development)

8. Optionally enable Automatic Redeployment

Target Environments

Choose which Vercel environments should receive the updated secret:

Production

Your live production deployments (e.g., yourapp.com)

Preview

All preview deployments from pull requests and branches

Development

Local development environment variables


Automatic Redeployment

When enabled, Vercel automatically redeploys your application after environment variables are updated:

When to Enable: Use for applications where environment variables must be loaded at build time

When to Disable: Applications that read environment variables at runtime don't need redeployment

Deployment Target Selection:

Choose which environments to redeploy:

Production - Triggers production deployment (30-60 seconds downtime)

Preview - Redeploys all preview environments

Production Impact: Redeployment causes brief downtime (typically 30-60 seconds). Schedule secret rotations during maintenance windows if this is problematic.


How It Works

1. Secret Rotation - A new client secret is generated

2. Vercel API Update - The system updates or creates the environment variable via the Vercel API

3. Deployment Trigger (Optional) - If enabled, triggers a Vercel deployment for the selected environments

4. Application Restart - The newly deployed application uses the updated credentials

Best Practice: Update all three environments (production, preview, development) to ensure consistency across your entire deployment pipeline.


Logic App API Connections

Automatically update Azure Logic App API Connection credentials when secrets rotate, ensuring Logic Apps continue functioning without reauthorization.

Configuration

1. Navigate to the Secrets tab

2. Enable API Connection Integration

3. Select the target API Connection resource

4. System validates the connection uses this application

5. Click Save Changes to activate

Prerequisites

API Connection must use OAuth with the application's service principal

Permissions to modify the API Connection resource

Logic Apps using the connection should be in same subscription


Supported Connectors

This integration works with OAuth-based API connections including:

• Office 365 Outlook

• SharePoint

• Microsoft Teams

• Entra ID

• Microsoft Graph

• Custom connectors using OAuth


How It Works

1. Secret Rotation - A new client secret is generated for the application

2. Connection Update - The API Connection resource is updated with the new credential via Azure Resource Manager

3. Automatic Propagation - All Logic Apps using the connection automatically use the new credential

4. No Reauthorization - Logic Apps continue running without manual reauthorization

Seamless Updates: Logic Apps typically pick up the new credentials within minutes without requiring any action or restart.


Custom Automation Tasks

Trigger custom automation workflows when secrets or certificates rotate, enabling deployment to any system or custom processing logic.

Configuration

1. Create an automation task with appropriate steps (PowerShell, Run Command, Runbook)

2. Navigate to application's Secrets or Certificates tab

3. Enable Execute Task integration

4. Select the automation task to trigger

5. Task receives new credential as a parameter

Use Cases

Update Configuration Files

Deploy secrets to application configuration files or web.config

Restart Services

Restart application services to pick up new credentials

Custom Notifications

Send notifications to Slack, Teams, or ticketing systems

Third-Party Systems

Update credentials in CRM, ERP, or other external systems

Custom Processing

Encrypt, transform, or validate credentials before deployment


Example Automation Task

Simple PowerShell script to deploy a secret to a configuration file:

param(
    [Parameter(Mandatory=$true)]
    [string]$NewSecret,

    [Parameter(Mandatory=$true)]
    [string]$ConfigPath
)

# Stop on any error so a failed update never reports success or triggers the restart
$ErrorActionPreference = 'Stop'

# Update configuration file with new secret
$config = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json
$config.AzureAD.ClientSecret = $NewSecret
$config | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $ConfigPath

Write-Host "Configuration updated successfully"

# Restart application to pick up new secret
Restart-Service -Name "MyApplicationService" -Force
Write-Host "Application service restarted"

Unlimited Flexibility: Automation tasks can execute any PowerShell script, Azure runbook, or Run Command, giving you complete control over credential deployment.
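A more defensive version of the example task, added here for illustration (it is not AZExecute's own code): it verifies the serialized JSON before writing, keeps a backup so the previous configuration can be restored if the restart fails, and never prints the secret. The `$ServiceName` parameter and the `.bak` backup path are assumptions introduced for this example.

```powershell
# Added example (not AZExecute code): config update with verification and rollback.
param(
    [Parameter(Mandatory = $true)][string]$NewSecret,
    [Parameter(Mandatory = $true)][string]$ConfigPath,
    [string]$ServiceName = 'MyApplicationService'   # assumed parameter, not on the page
)

$ErrorActionPreference = 'Stop'   # any failure aborts before the service is touched
$ConfigPath = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
$backupPath = "$ConfigPath.bak"

$config = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json
if ($null -eq $config.AzureAD) { throw "No AzureAD section in $ConfigPath" }
if ($config.AzureAD.ClientSecret -ceq $NewSecret) {
    Write-Host 'Secret already current; nothing to do'
    return
}
$config.AzureAD.ClientSecret = $NewSecret

# Serialize, then re-parse to confirm the JSON is valid and carries the new value.
$json = $config | ConvertTo-Json -Depth 10
if (($json | ConvertFrom-Json).AzureAD.ClientSecret -cne $NewSecret) {
    throw 'Serialized configuration failed verification'
}

# Keep the previous file for rollback; the update itself is written in place.
Copy-Item -LiteralPath $ConfigPath -Destination $backupPath -Force
try {
    Set-Content -LiteralPath $ConfigPath -Value $json
    Restart-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [timespan]::FromSeconds(60))
    Write-Host "Service '$ServiceName' is running with the updated configuration"
}
catch {
    $failure = $_
    # Restore the previous file so the service is not left on a half-applied change.
    Copy-Item -LiteralPath $backupPath -Destination $ConfigPath -Force
    Restart-Service -Name $ServiceName -Force -ErrorAction Continue
    throw "Update failed, previous configuration restored: $($failure.Exception.Message)"
}
finally {
    # The backup holds the old secret in clear text; do not leave it on disk.
    Remove-Item -LiteralPath $backupPath -Force -ErrorAction SilentlyContinue
}
```

`ConvertTo-Json -Depth 10` silently flattens anything nested deeper than ten levels, so raise the depth for configuration files with deeper structures.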


Best Practices

Use multiple integrations when needed

Example: Deploy to both Key Vault (for cloud apps) and run automation task (for on-premises systems)

Test integration before enabling in production

Use manual secret rotation to verify integration works correctly

Monitor integration logs regularly

Check application logs for integration failures after rotations

Keep integration configurations up to date

Verify Key Vault, DevOps project, or Vercel project still exists

Use consistent naming conventions

Name secrets/certificates consistently across Key Vault, Vercel, etc.

Document integration dependencies

Maintain documentation of which applications depend on which integrations


If you encounter any issues or need further assistance, please contact us at info@azexecute.com. Our support team is here to help you.
