Manage keys, secrets, and certificates using natural language conversations with AI assistants through the Azure MCP Server.
Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. It helps solve problems related to secrets management, key management, and certificate management. While the Azure portal, Azure CLI, and Azure PowerShell are powerful, the Azure MCP Server provides a more intuitive way to interact with your key vaults through conversational AI.
What is the Azure MCP Server?
The Azure MCP Server enables AI agents and assistants to interact with Azure resources through natural language commands using the Model Context Protocol (MCP). Instead of manually navigating portals or writing scripts, you can describe what you want to accomplish, and the AI assistant uses the Azure MCP Server tools to perform the actions.
For Azure Key Vault administrators and developers, this means you can:
- Create, retrieve, and list keys, secrets, and certificates without navigating the portal
- Review cryptographic key properties and certificate expiration dates
- Import certificates into your vaults
- Query Managed HSM settings for high-security deployments
Prerequisites
To use the Azure MCP Server with Azure Key Vault, you need:
Azure requirements
- Azure subscription: An active Azure subscription. Create one for free.
- Azure Key Vault resources: At least one key vault in your subscription. You can create a key vault using the Azure CLI, Azure PowerShell, or the Azure portal.
- Azure permissions: Appropriate Azure RBAC roles like Key Vault Administrator, Key Vault Secrets Officer, Key Vault Certificates Officer, or Key Vault Crypto Officer to perform the operations you want. See Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control.
MCP client requirements
You need an AI assistant or development environment that supports the Model Context Protocol. Choose one:
AI-powered code editors:
Programmatic integration:
For complete setup instructions, see Get started with Azure MCP Server.
Where can you use Azure MCP Server?
The Azure MCP Server works in three primary contexts:
In AI-powered chat and code editors
Use the Azure MCP Server directly within AI assistants and code editors. As you chat about your Azure resources, the AI assistant automatically invokes Azure MCP Server tools to retrieve information, make changes, or answer questions. This is the most common usage pattern.
Get started with:
In programmatic applications
Integrate the Azure MCP Server into your applications using the MCP SDK. Your app acts as an MCP client and invokes Azure MCP Server tools programmatically. This approach is useful for building custom automation, chatbots, or intelligent applications that need Azure integration.
Get started with:
In self-hosted scenarios
Deploy the Azure MCP Server in your own environment for advanced control, security requirements, or custom modifications. You can run it locally, in containers, or integrate it into existing infrastructure. This pattern suits enterprise scenarios requiring air-gapped environments or custom authentication flows.
Learn how to:
Available tools for Azure Key Vault
The Azure MCP Server provides multiple tools for Azure Key Vault operations, enabling you to manage keys, secrets, and certificates through natural language conversations.
Manage keys
Create and retrieve cryptographic keys stored in your vault. Supported key types include RSA, RSA-HSM, EC, EC-HSM, oct, and oct-HSM.
Common scenarios:
- Create new RSA or EC keys for encryption or signing operations
- Retrieve key properties and metadata
- List all keys in a vault to audit key inventory
Manage secrets
Create, retrieve, and list sensitive information like API keys, passwords, and connection strings.
Common scenarios:
- Securely store API keys and database passwords
- Retrieve connection strings for application configuration
- Audit secret inventory to identify unused credentials
Manage certificates
Create, import, retrieve, and list SSL/TLS certificates and other certificate-based credentials.
Common scenarios:
- Generate or import SSL/TLS certificates for web applications
- Track certificate expiration dates to plan for renewal
- Retrieve certificate properties for compliance verification
Manage Managed HSM settings
Retrieve Azure Key Vault Managed HSM account settings for high-security deployments that require FIPS 140-3 Level 3 validated HSMs. This tool only applies to Managed HSM vaults, not standard Key Vault vaults.
Common scenarios:
- Review purge protection and soft-delete retention settings for Managed HSM
- Query HSM-specific configurations
For detailed information about each tool, including parameters and examples, see Azure Key Vault tools for Azure MCP Server.
Get started
Ready to use Azure MCP Server with your Azure Key Vault resources?
Set up your environment: Choose an AI assistant or development tool that supports MCP. For setup and authentication instructions, see the links in the Where can you use Azure MCP Server? section above.
Start exploring: Ask your AI assistant questions about your key vaults or request operations. Try prompts like:
- "List all secrets in my key vault 'my-vault'"
- "Get the certificate 'web-ssl-cert' from key vault 'prod-vault'"
- "Create a new RSA key named 'app-key' in key vault 'crypto-vault'"
Learn more: Review the Azure Key Vault tools reference for all available capabilities and detailed parameter information.
Best practices
When using Azure MCP Server with Azure Key Vault:
- Specify vault name clearly: Always include the exact key vault name when querying to avoid ambiguity, especially in subscriptions with many vaults.
- Check certificate expiration: Ask about certificate properties regularly to identify expiring certificates before they cause issues.
- Audit your inventory: Use list operations to review your keys, secrets, and certificates inventory for compliance and security audits.
- Combine with other tools: Use Azure MCP Server for quick queries and inventory checks. Use Azure CLI or PowerShell for vault configuration changes, access control management, and sensitive operations like secret rotation.
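The certificate-expiration and inventory checks above can also be run as a scheduled script instead of a chat prompt. The following is an added example, not code from the original page or from the Azure MCP Server project; it assumes certificate properties exported as JSON in the shape of `az keyvault certificate list` output (`id`, `attributes.enabled`, `attributes.expires`), and the sample records and the function names `parse_expiry` and `triage` are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names assume the JSON shape of
# `az keyvault certificate list` (id, attributes.enabled, attributes.expires).
SAMPLE_JSON = """[
 {"id": "https://prod-vault.vault.azure.net/certificates/web-ssl-cert",
  "attributes": {"enabled": true, "expires": "2025-03-10T00:00:00+00:00"}},
 {"id": "https://prod-vault.vault.azure.net/certificates/api-cert",
  "attributes": {"enabled": true, "expires": "2026-01-15T00:00:00+00:00"}},
 {"id": "https://prod-vault.vault.azure.net/certificates/old-cert",
  "attributes": {"enabled": true, "expires": "2025-02-01T00:00:00Z"}},
 {"id": "https://prod-vault.vault.azure.net/certificates/retired-cert",
  "attributes": {"enabled": false, "expires": "2025-03-05T00:00:00+00:00"}}
]"""

def parse_expiry(value):
    """Return an aware UTC datetime, or None when no expiry is recorded."""
    if not value:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # treat naive timestamps as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)

def triage(certs, now, warn_days=30):
    """Bucket certificates by renewal urgency; disabled ones are inventory-only."""
    buckets = {"expired": [], "expiring": [], "ok": [], "unknown": [], "disabled": []}
    deadline = now + timedelta(days=warn_days)
    for cert in certs:
        name = cert.get("name") or cert["id"].rstrip("/").split("/")[-1]
        attrs = cert.get("attributes") or {}
        expires = parse_expiry(attrs.get("expires"))
        if not attrs.get("enabled", True):
            buckets["disabled"].append(name)   # candidates for cleanup review
        elif expires is None:
            buckets["unknown"].append(name)    # missing data: check manually
        elif expires <= now:
            buckets["expired"].append(name)
        elif expires <= deadline:
            buckets["expiring"].append(name)
        else:
            buckets["ok"].append(name)
    return buckets

if __name__ == "__main__":
    fixed_now = datetime(2025, 2, 20, tzinfo=timezone.utc)  # fixed for a repeatable run
    for bucket, names in triage(json.loads(SAMPLE_JSON), fixed_now).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```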
For general Azure Key Vault security guidance beyond the Azure MCP Server, see Secure your Azure Key Vault.