Vault Url — full URL of the Key Vault (e.g., https://my-vault.vault.azure.net/).
Authentication methods
Polysync Service Principal ⭐ (recommended) — no extra attributes;
grant the Polysync Enterprise Application Key Vault Secrets User on the
vault. This is the standard method for all Polysync tenants.
Service Principal — Tenant Id, Client Id, Client Secret. Use when
you need a dedicated SPN per vault. Rotate the secret regularly; store it
in another vault if possible.
Certificate — Tenant Id, Client Id, Certificate (base64 or path),
optional Certificate Password and Thumbprint.
Permissions checklist
The chosen identity must have the Key Vault Secrets User RBAC role
(or an equivalent access policy entry granting Get and List).
For private-endpoint vaults, ensure the Polysync host can reach the
vault's private DNS.