ADF integration with Azure Key Vault: eliminate hardcoded credentials
João Barros
23 April 2026
By default, Azure Data Factory stores Linked Service passwords encrypted internally. But the best practice is to reference secrets from Azure Key Vault — credentials never live in ADF and password rotation does not require changing Linked Services.
Configure ADF access to the Key Vault
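# 1. Enable Managed Identity on the ADF (automatic)
# 2. Grant permission on the Key Vault.
#    "Key Vault Secrets User" is an Azure RBAC role, so the vault must use the
#    Azure RBAC permission model; a vault on access policies needs a policy with
#    the secret "get" permission instead.
az role assignment create \
  --role "Key Vault Secrets User" \
  --assignee "$(az datafactory show -n adf-bconcepts -g rg-data --query identity.principalId -o tsv)" \
  --scope "/subscriptions/.../vaults/kv-bconcepts-prod"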
Linked Service with a Key Vault reference
// In ADF Studio: Linked Service → Azure SQL Database
Authentication: SQL Authentication
User name: svc_adf_reader
Password:
[✓] Azure Key Vault
Key Vault Linked Service: LS_KeyVault
Secret name: SqlServer-ADF-Password
Secret version: (leave blank → always the latest version)
Key Vault Linked Service
// First create the Key Vault LS itself
Type: Azure Key Vault
Base URL: https://kv-bconcepts-prod.vault.azure.net/
Authentication: Managed Identity
// ADF uses its own Managed Identity to access the vault
Verify and test
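# After configuration:
# ADF Studio → Linked Service → Test Connection
# If the Managed Identity has permission and the secret exists → Connection successful
# Audit trail in the Key Vault:
# Secret reads are data-plane operations, so they are recorded in the vault's resource logs
# (AuditEvent category, sent to Log Analytics by a diagnostic setting), not in the Activity Log.
# <workspace-id> is a placeholder for the ID of that Log Analytics workspace.
az monitor log-analytics query --workspace "<workspace-id>" \
  --analytics-query "AzureDiagnostics | where ResourceProvider == 'MICROSOFT.KEYVAULT' and Resource =~ 'kv-bconcepts-prod' and OperationName == 'SecretGet'"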
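A complementary check, added here as an example and not part of the original post: a short Python lint that walks linked-service JSON definitions and reports every credential ADF holds itself instead of referencing Key Vault, plus Key Vault references pinned to a version. The sample definitions, the server name and the function name `audit` are constructed for illustration; the names `LS_KeyVault`, `svc_adf_reader` and `SqlServer-ADF-Password` come from this page.

```python
import re

# Constructed linked-service definitions in the JSON shape ADF uses.
# Names reuse this page's; the server and password values are made up.
CONN = "Server=tcp:sql.example.invalid;User ID=svc_adf_reader"
KV_REF = {"type": "AzureKeyVaultSecret", "secretName": "SqlServer-ADF-Password",
          "store": {"referenceName": "LS_KeyVault", "type": "LinkedServiceReference"}}
SAMPLES = [
    {"name": "LS_Sql_Inline", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": CONN + ";Password=Example123"}}},
    {"name": "LS_Sql_SecureString", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": CONN,
        "password": {"type": "SecureString", "value": "Example123"}}}},
    {"name": "LS_Sql_Pinned", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": CONN,
        "password": dict(KV_REF, secretVersion="constructed-version-id")}}},
    {"name": "LS_Sql_KeyVault", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": CONN, "password": KV_REF}}},
]

INLINE_SECRET = re.compile(r"(?i)\b(password|pwd|accountkey|sharedaccesskey)\s*=")

def audit(linked_service):
    """Return findings for credentials that ADF holds instead of Key Vault."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            kind = node.get("type")
            if kind == "SecureString":
                findings.append(f"{path}: SecureString value stored in ADF")
            elif kind == "AzureKeyVaultSecret":
                if node.get("secretVersion"):  # blank version means "latest"
                    findings.append(f"{path}: secretVersion pinned, rotation needs an ADF edit")
            else:
                for key, value in node.items():
                    walk(value, f"{path}.{key}")
        elif isinstance(node, str):
            if path.endswith(".encryptedCredential"):
                findings.append(f"{path}: credential encrypted and stored by ADF")
            elif INLINE_SECRET.search(node):
                findings.append(f"{path}: secret embedded in a plain string")

    walk(linked_service["properties"].get("typeProperties", {}), "typeProperties")
    return findings

if __name__ == "__main__":
    for ls in SAMPLES:
        print(ls["name"], audit(ls) or "OK")
```

Run against the linked-service JSON files of a Git-integrated factory, a non-empty result for a production Linked Service is a reason to fail the build.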
Conclusion
Never store passwords directly in production Linked Services. The ADF + Key Vault + Managed Identity integration is the minimum security standard for enterprise pipelines — no passwords, no manual rotation, with automatic auditing of every access.