Azure Key Vault is a cloud service that securely stores secrets like certificates, passwords, encryption keys, and other sensitive data. Use Key Vault to manage certificates and secrets for automated code signing in wrap wizard. For more information, see Introduction to Azure Key Vault.
This guide explains how new users create and configure an Azure Key Vault.
Prerequisites
Before you begin, ensure you have the following:
- A Microsoft Entra subscription to create a key vault.
- Admin access to your Azure tenant.
- An Apple Developer account enrolled in the Apple Developer Program or Apple Enterprise Developer Program.
- An Apple distribution certificate and either an ad-hoc provisioning profile or an enterprise provisioning profile.
Step 1: Create an Azure Key Vault
If you do not already have a Key Vault, follow the steps in Create a vault using the Azure portal.
Step 2: Create a service principal for wrap Key Vault access
A service principal is required so wrap wizard can access your Key Vault.
- Sign in to your tenant as an admin.
- Open PowerShell and run the following command:
Connect-AzureAD -TenantId <your tenant ID>
New-AzureADServicePrincipal -AppId 4e1f8dc5-5a42-45ce-a096-700fa485ba20 -DisplayName "Wrap KeyVault Access App"
Step 3: Assign Reader Role to the Service Principal
Give the service principal permission to read your Key Vault.
- In the Azure portal, navigate to your Key Vault.
- Select Access control (IAM).
- Select Add > Add role assignment.
- On the Members tab, select Job function roles, and then choose Reader.
- Select Select member, search for "Wrap KeyVault Access App", and select it.
- Select Review + assign.
Repeat these steps to add user access permissions to your account.
Step 4: Configure access policies for Key Vault
- Go to Key Vault settings.
- In Access configuration, select Vault access policies.
- Add a policy for the service principal and your user account.
- For Secret permissions and Certificate permissions, select Get and List.
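One way to check the result of Step 4, as an added example that is not part of the original page or Microsoft's own code: the function below takes access-policy objects in the shape returned by (Get-AzKeyVault).AccessPolicies and reports any secret or certificate permission beyond Get and List, or any expected principal that has none. The function name Test-WrapAccessPolicy, the placeholder object IDs, and the use of the Az PowerShell module for live data are assumptions made for this example.

```powershell
# Added example (not from the original page). Test-WrapAccessPolicy is a hypothetical helper.
function Test-WrapAccessPolicy {
    param(
        [Parameter(Mandatory)] [object[]] $AccessPolicies,    # shape of (Get-AzKeyVault).AccessPolicies
        [Parameter(Mandatory)] [string[]] $ExpectedObjectIds  # wrap service principal and your user
    )
    $allowed = @('get', 'list')   # Step 4: Get and List only
    foreach ($id in $ExpectedObjectIds) {
        $policy = $AccessPolicies | Where-Object { $_.ObjectId -eq $id } | Select-Object -First 1
        foreach ($kind in 'PermissionsToSecrets', 'PermissionsToCertificates') {
            # Normalise case and drop nulls so an absent policy reads as "nothing granted".
            $granted = @($policy.$kind | Where-Object { $_ } | ForEach-Object { "$_".ToLowerInvariant() })
            $extra   = @($granted | Where-Object { $_ -notin $allowed })
            $missing = @($allowed | Where-Object { $_ -notin $granted })
            [pscustomobject]@{
                ObjectId = $id
                Kind     = $kind
                Extra    = $extra -join ','     # over-privilege to remove
                Missing  = $missing -join ','   # permission the wrap wizard will lack
                Ok       = ($extra.Count -eq 0 -and $missing.Count -eq 0)
            }
        }
    }
}

# Constructed sample input: object IDs are placeholders, not real principals.
$sample = @(
    [pscustomobject]@{ ObjectId = '00000000-0000-0000-0000-000000000001'
                       PermissionsToSecrets = @('Get', 'List')
                       PermissionsToCertificates = @('Get', 'List') },
    [pscustomobject]@{ ObjectId = '00000000-0000-0000-0000-000000000002'
                       PermissionsToSecrets = @('Get', 'List', 'Set', 'Delete')
                       PermissionsToCertificates = @('Get') }
)
# The third ID has no policy at all, so both of its rows report get,list as missing.
$ids = @($sample.ObjectId) + '00000000-0000-0000-0000-000000000003'
Test-WrapAccessPolicy -AccessPolicies $sample -ExpectedObjectIds $ids | Format-Table -AutoSize

# Live use, assuming the Az module and a signed-in session:
#   $sp    = Get-AzADServicePrincipal -ApplicationId '4e1f8dc5-5a42-45ce-a096-700fa485ba20'
#   $vault = Get-AzKeyVault -VaultName '<vault name>'
#   Test-WrapAccessPolicy -AccessPolicies $vault.AccessPolicies -ExpectedObjectIds $sp.Id
```

Rows with Ok set to False and a non-empty Extra column are the policies to trim back to Get and List.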
Step 5: Upload Certificates and Secrets
You need platform-specific certificates and secrets for Android and iOS apps.
For Android
- Generate a .pfx certificate file.
- Upload it to the Certificates section of your Key Vault.
- For guidance, see Generate keys.
Note
Ensure the certificate name is included in the tag step, and its password matches the store pass parameter you set when creating the .pfx file.
For iOS
- Install your .cer file using Keychain Access. For more information, see Create the distribution certificate.
- Export the certificate as a .p12 file and rename its extension to .pfx (required by Key Vault).
- Upload the .pfx file to your Key Vault and provide the password you set for the .p12 file.
- Create a provisioning profile. For more information, see Create the provisioning profile.
- Encode the provisioning profile to base64:
  - On Mac, run:
    base64 -i example.mobileprovision
  - On Windows, run:
    certutil -encode data.txt tmp.b64
- Upload the base64 string as a secret in Key Vault and the .pfx file as a certificate.
Step 6: Add Certificate Tags
After uploading your iOS or Android certificates, add three tags:
- Tag name: Use your app’s bundle ID.
- Tag value: Use the name of the uploaded certificate.
Use the same bundle ID that you’ll use in the wrap wizard.
Reference Video
Watch a walkthrough video: How to configure access to key vault
Troubleshooting
If you run into issues, see Troubleshoot issues with the wrap feature in Power Apps.