Store passwords on Azure Key Vault and retrieve them with PowerShell

In this post I will show you how to store your passwords (like BIOS password) on Azure key vault, then retrieve them from PowerShell.

Context

- You have multiple enrolled devices

- All your BIOS devices have or must be protected with a password

- You want a secure way to store BIOS password

- You want for instace to store them on Azure

- You want to be able to retrieve them from a device

Our examples

In this post we will use two ways to connect to key vault from the device to get the password value:

- By typing credentials

- By using an Azure application (recommanded)

Create the Key Vault

1. Go to Azure Portal

2. Go to Key Vault

3. Click on Add

4. Choose your subscription, resource group (or create a new one)

5. Type a Key vault name like SDVault 

6. Choose your region

7. Click on Review + Create 

8. Click on Create

9. Wait for the below message

Add our password

1. Click on Go to resource

2. Go to Secrets

3. Click on Generate/Import

4. Type a name like NewBiosPassword

5. In Value, type password, like: P@$Sw0ord

6. Click on Create

7. Your password is now available

Retrieve password from PowerShell

1. Open PowerShell

2. Install the module Az.Accounts

3. Type command: Connect-AzAccount

4. Type your credentials

5. Type the below code to retrieve infos from key vault

6. See below the result:

7. Now we will get the password using SecretValue, as below:

8. See below the result:

Now we are able to get the password from the key vault.

However we have to type our credentials.

Now let's create a quick Azure app to authenticate without to type credentials.

We will connect to the app using a certificate

Generate a certificate

1. On your device, type the below code to generate the certificate:

2. See below the result:

3. Note the Thumbprint information

4. The certificate is now added to your device

Create the Azure app

1. Go to the Azure portal

2. Go to App registrations

3. Click on New registration

4. Type your app name, like BIOS_PWD_App

5. Click on Register

Import certificate

Now we will add our certificate to our new Azure app

1. Go to your Azure app

2. Go to Certificates & secrets

3. In the Certificates part, click on Upload certificate

4. Browse to your certificate, MyCert.cer

5. Click on Add

6. You will get the below notification:

Note: You need to import certificate on device that needs to use the azure app.

Retrieve password from PowerShell

1. In your Azure app go to Overview

2. Note both Application id and tenant id infos

3. Go to Certificate and note Thumbprint info

4. Open PowerShell

2. Type the below command to connect with our new Azure app

3. You will get the below info:

4. Type the below commad to get info from our key vault

5. You will get the below error:

6. This is normal because the application does not have access to key vault content

Add Access policies

In this part we will configure it to jet get info from our password, meaning secret.

You can of course change rights depending of your need.

1. Go to your key vault

2. Go to Access policies

3. Click on add access policies

4. In Configure template, we will choose Secret management

5. In Key permissions, unselect everything

6. In Secret permissions, we will just add Get

7. In Certificate permissions, unselect everything

8. In Select principal, click on None selected

9. Choose your app, here BIOS_PWD_App 

10. Click on select

11. Click on Add

12. Click on Save

13. Type again the command to the password:

14. Tadaa you can now get infos