Akumina Key Vault
Akumina uses the Azure Key Vault to protect sensitive information such as connection string to Azure services.
Configuring Key Vault Using the Akumina Template
Akumina does not require a plain text connection string or configuration keys, instead these values can be stored in a Key Vault value and the Key Vault URI is then placed in the interchange.settings.config file for AppManager and in the config.json for People sync. Please note if running on a VM or WebApp you must enable System Identity and add required permissions on the Key Vault for the objectId.
Create a JSON in this format, please note only the following fields are supported at this time through Key Vault:
{
"RemoteStorageConnection": "",
"SecondaryRemoteStorageConnection": "",
"EnableWriteToSecondaryStorage": "false",
"ForceReadFromPrimaryStorage": "false",
"ExternalConnection": {
"EndpointUrl": "",
"Database": "akcontainers",
"Region": "akcontainers"
},
"AzureSearchServiceName": "",
"AzureSearchServiceApiKey": "",
"InstrumentationKey":"",
"AppInsightAppId":"",
"AppInsightApiKey":"",
"FuncAppInsightAppId":"",
"FuncAppInsightApiKey":"",
"PrimaryRedisConnection": "",
"SecondaryRedisConnection": "",
"TokenStoreEntityName":"",
"BlobStoreContainerName":"",
"StoreInSingleContainer": "true",
"AadAppId": "",
"AadAppSecret": "",
"SpClientId": "",
"SpClientSecret": "",
"SpAppOnlyClientId": "",
"SpAppOnlyClientSecret": "",
"AkAppClientId": "",
"AkAppTenantId": "",
"PortalFunctionAppUri": "",
"ControlDomain": "",
"TenantsDirectoryName": "tenants",
"MinWorkerThreads": "125"
"Custom": {
"StorageConnection": ""
}
}
Where to acquire values for the Key Vault keys:
| Key | Description | Required | Version |
| RemoteStorageConnection | From Azure Portal – This is the Storage Account > Access Keys>ConnectionString | Yes | All |
| SecondRemoteStorageConnection | Secondary Azure Storage Connection String. This may be required on Geo based computes to optimize the read latency. | No | 5.0 |
| EnableWriteToSecondaryStorage | Enable this to true if you have configured Secondary Azure Storage Connection String. This may be required on Geo based computes to optimize the read latency. | No | 5.0 |
| ForceReadFromPrimaryStorage | Enable this to true if you have configured Secondary Azure Storage Connection String and only if you want to provide secondary as remote storage. This is also the best option if you have only two Geo in your cluster. This may be required on Geo based computes to optimize the read latency. | No | 5.0 |
| External Connection – “EndpointUrl” | The EndpointUrl – Comes from Cosmos DB “Settings” > Keys > value of the “PRIMARY CONNECTION STRING” | No | 5.0 |
| External Connection – “Database” | The “Database” value comes from the container name for this database. This should always be set to “akcontainers” | No | 5.0 |
| AzureSearchServiceName | This will be the “Name” of the Azure Search Service configured in the Azure Portal to support this people sync. | No | 4.8, 5.0 |
| AzureSearchServiceApiKey | This is the “Primary admin key” for the Azure Search Service configured to support this people sync. | No | 4.8, 5.0 |
| InstrumentationKey | On the Supported AppInsights, click on Overview, copy and paste the “Instrumentation key”. Created for supporting AppManager logging and Dashboard | No | 5.0 |
| AppInsightAppId | On the Supported AppInsights, click on “API Access”, copy and paste the “Application ID”. Created for supporting AppManager logging and Dashboard | No | 5.0 |
| AppInsightApiKey | On the Supported AppInsights, click on “API Access”, click on “Create API Key”, copy and paste the key.Created for supporting AppManager logging and Dashboard | No | 5.0 |
| FuncAppInsightAppId | On the Supported AppInsights created to support the function apps, click on “API Access”, copy and paste the “Application ID”. | No | 5.0 |
| FuncAppInsightApiKey | On the Supported AppInsights, created to support the function apps, click on “API Access”, click on “Create API Key”, copy and paste the key | No | 5.0 |
| PrimaryRedisConnection | Azure Cache for Redis, click on Settings, Access keys, this is the Primary connection string (StackExchange.Redis). | No | 4.8, 5.0 |
| SecondaryRedisConnection | Optional – Azure Cache for Redis, click on Settings, Access keys, this is the Secondary connection string (StackExchange.Redis). | No | 4.8, 5.0 |
| TokenStoreEntityName | The storage containers table name where a user GraphToken and SharePointToken will be stored. | No | 5.0 |
| BlobStoreContainerName | The storage container blob container name where the AppManager configuration data is stored. | No | 5.0 |
| StoreInSingleContainer | PeopleSync values stored in single entity or multiple entity. Default value = “true” | No | 5.0 |
| AadAppId | The Aad Application Id to synchronize AAD Graph user/group data | No | 4.8, 5.0 |
| AadAppSecret | The Aad Application Secret to synchronize AAD Graph user/group data | No | 4.8, 5.0 |
| SpClientId | The key vault values of AppSettings key “akumina:SpClientIdSecretKeyValutUri” from ClientId used here. The key itself is deprecated. | No | 5.0 |
| SpClientSecret | The key vault values of AppSettings key “akumina:SpClientIdSecretKeyValutUri” from ClientSecret used here. The key itself is deprecated. | No | 5.0 |
| SpAppOnlyClientId | The key vault values of AppSettings key “akumina:SpClientIdSecretKeyValutUri” from AppOnlyClientId used here. The key itself is deprecated. | No | 5.0 |
| SpAppOnlyClientSecret | The key vault values of AppSettings key “akumina:SpClientIdSecretKeyValutUri” from AppOnlyClientSecret used here. The key itself is deprecated. | No | 5.0 |
| AkAppClientId | The key vault values of AppSettings key “akumina:BackgroundProcessorKey”. Please note the legacy AppSettings stored key is still valid for on-premise installs. | Yes | 5.0 |
| AkAppTenantId | The key vault values of AppSettings key “akumina:BackgroundTenantId”. Please note the legacy AppSettings stored key is still valid for on-premise installs. | Yes | 5.0 |
| PortalFunctionAppUri | Not applicable to self-hosted customers. Within the cloud, it is used to call the configured service to purge the domain-specific front-door CDN caching. | No | 5.0 |
| ControlDomain | Not applicable to self-hosted customers. Within the cloud, it is used to access global settings. | No | 5.0 |
| TenantsDirectoryName | Default path to write all tenant config. It is used within the cloud, but may not be applicable for self-hosted customers. | No | 5.0 |
| MinWorkerThreads | In .NET, a minworker thread is the guaranteed minimum number of threads actively waiting for work in the thread pool, ensuring responsiveness even during bursts of activity. Default value of 125 is recommended. | Yes | 5.0 |
- Create a Key Vault secret then set the value to above JSON.
- Set the Access Policy on the Key Vault (using Configure from template = Key, Secret, & Certificate Management) and grant the permission to the appropriate VM or webapp where people sync is to run.
- Open PeopleSync config.json and update the AzureStorageConntetionString with the appropriate URI.
- On the AppManager website root, open the interchange.settings.config file on the update the RemoteStorageConnection value with the appropriate URI.