Configure an Azure key vault in the Azure portal
All the secrets and certificates that are used in the Electronic Invoicing service must be stored in a Microsoft Azure key vault. This approach helps ensure that you don't work directly with the secrets, and that the secrets are securely stored. When you must use digital signing or secure a connection to external web services, set the reference to the Key Vault secrets and certificates instead of using the secrets and certificates directly.
Create a key vault in the tenant that is used for the Dynamics 365 Finance environment. For more information, see Create a key vault using the Azure portal.
Next, you must set up the access policy to grant the Electronic Invoicing service the correct level of secure access to the secret that you created.
Go to Settings > Access policies, and select Add Access Policy.
In the Secret permissions field, select the Get and List operations.
In the Certificate permissions field, select the Get and List operations.
In the Select principal field, select None selected.
In the Principal dialog box, select the principal by adding e-Invoicing Service.
Note
If e-Invoicing Service isn't in the list of principals in your tenant, run the following command in the Azure portal.
New-AzureADServicePrincipal -AppId "ecd93392-c922-4f48-9ddf-10741e4a9b65"
Select Add, and then select Save.
On the Overview page, copy the value of the Domain Name System (DNS) name for the key vault. This value will be used during the setup of Electronic invoicing parameters in Finance and will be referred to as the Key Vault URI value. For more information about how to set up Electronic invoicing parameters, see Configure Electronic invoicing parameters.
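The following script is an added example, not part of the original page or Microsoft's own code. It applies the same Get and List access policy from PowerShell, then reads the policy back to confirm that the e-Invoicing Service principal holds nothing beyond those permissions. It assumes the Az.KeyVault and Az.Resources modules, a session signed in with Connect-AzAccount, a vault that uses the access policy permission model, and a placeholder vault name.

```powershell
# Added example. Replace the placeholder vault name before running.
$VaultName = '<your-key-vault-name>'                  # placeholder, not from the page
$AppId     = 'ecd93392-c922-4f48-9ddf-10741e4a9b65'   # AppId given in the note above

# Resolve the e-Invoicing Service principal in the current tenant.
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) {
    throw 'e-Invoicing Service principal not found in this tenant. Register it first (see the note above).'
}

# Grant only the operations the procedure lists: Get and List on secrets and certificates.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id `
    -PermissionsToSecrets get, list -PermissionsToCertificates get, list

# Read the policy back and compare it with the expected least-privilege set.
$vault  = Get-AzKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) {
    throw "No access policy for the e-Invoicing Service principal on vault '$VaultName'."
}

$expected = @{
    PermissionsToSecrets      = @('get', 'list')
    PermissionsToCertificates = @('get', 'list')
    PermissionsToKeys         = @()   # the procedure grants no key permissions
    PermissionsToStorage      = @()   # nor storage permissions
}

$drift = foreach ($name in $expected.Keys) {
    $actual = @($policy.$name | Where-Object { $_ } |
                ForEach-Object { $_.ToLowerInvariant() } | Sort-Object)
    $want   = @($expected[$name] | Sort-Object)
    if (($actual -join ',') -ne ($want -join ',')) {
        [pscustomobject]@{
            Permission = $name
            Expected   = $want -join ','
            Actual     = $actual -join ','
        }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning 'The access policy differs from the Get/List set described in the procedure.'
} else {
    # VaultUri is the value the page calls the Key Vault URI.
    Write-Output "Access policy matches. Key Vault URI: $($vault.VaultUri)"
}
```

Any row in the drift table indicates permissions beyond, or short of, what the procedure grants, such as key or storage permissions left over from an earlier policy.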