From b358409248dcddbabf5086fc3dce2f35dedb6425 Mon Sep 17 00:00:00 2001 From: katarzyna_koltun Date: Thu, 20 Nov 2025 18:56:27 +0100 Subject: [PATCH] PMP Azure Key vault updates --- .../docs/private-platform/pmp-quickstart.md | 37 +++++++++++++++---- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/content/en/docs/private-platform/pmp-quickstart.md b/content/en/docs/private-platform/pmp-quickstart.md index db1b936c4f2..2f0e4905c56 100644 --- a/content/en/docs/private-platform/pmp-quickstart.md +++ b/content/en/docs/private-platform/pmp-quickstart.md 
@@ -264,11 +264,21 @@ Svix is required if you want to use webhooks. Install the Svix component by doin 4. Select **Svix**, and then specify the following parameters: * **Image** - The Svix image path. The default path is `svix/svix-server:v1.25.0`. If you are using a self-signed TLS certificate, set this path to `{customer-private-image-registry-url}/svix/svix-server:v1.25.tls`. - * **Use Secret Provider** - Optional. Select this option to use the AWS Secret Manager. Selecting this option enables the following additional fields: + * **Use Secret Provider** - Optional. Select this option to use the AWS Secret Manager or the Azure Key Vault. Selecting this option enables the following additional fields: - * **Secret Provider** - Set to **AWS** by default. - * **AWS-Role-ARN** - An AWS role ARN which can access the specified Secret Manager. - * **AWS SecretManager Name** - The AWS Secret Manager name where the sensitive data is stored. + * For AWS Secret Manager: + + * **Secret Provider** - Set to **AWS**. + * **AWS-Role-ARN** - An AWS role ARN which can access the specified Secret Manager. + * **AWS SecretManager Name** - The AWS Secret Manager name where the sensitive data is stored. + + * For Azure Key Vault: + + * **Secret Provider** - Set to **Azure**. + * **Client ID** - Enter a Client ID assigned to the Azure Managed Identity which enables Private Mendix Platform to access Azure resources. + * **Tenant ID** - Enter the Directory ID of the key vault. + * **Key Vault Name** - Enter the key vault name. + * **Use identity auth for Blob** - Set to **True** if you use the Azure Blob Storage with managed identity auth; the default value is **false**. * **POSTGRES_DSN** - Available only if you do not use the AWS Secret Manager. A Postgres DSN, for example, `postgresql://postgres:postgres@pgbouncer/postgres`. * **Use Redis** - Optional. Select this check box if you want to use Redis for message cache and queues. 
@@ -309,10 +319,21 @@ Install the Private Mendix Platform by doing the following steps: * **MxAdminPassword** - Optional. The password for the admin user, required if you are not planning to use the AWS Secret Manager. It must have at least one number, one upper case letter, one lower case letter and one symbol, with a minimum length of 12 characters. * **dtapmode** - For production deployments, leave this value set to **P**. For the development of the app, for example acceptance testing, set the value to **D**. * **ApplicationRootUrl** - Optional. Manually specify the URL of your Private Mendix Platform, for example, for use with SSO or when sending emails. For more information about this functionality, see [ApplicationRootUrl Needs to be Set Manually](/developerportal/deploy/private-cloud-operator/#applicationrooturl-needs-to-be-set-manually). - * **Use Secret Provider** - Optional. Select this option to use the AWS Secret Manager. Selecting this option enables the following additional fields: - * **Secret Provider** - Set to **AWS** by default. - * **AWS-Role-ARN** - An [AWS role ARN](https://docs.mendix.com/developerportal/deploy/secret-store-credentials/#aws-secrets-manager) which can access the specified Secret Manager. - * **AWS SecretManager Name** - The AWS Secret Manager name where the sensitive data is stored. + * **Use Secret Provider** - Optional. Select this option to use the AWS Secret Manager or the Azure Key Vault. Selecting this option enables the following additional fields: + + * For AWS Secret Manager: + + * **Secret Provider** - Set to **AWS**. + * **AWS-Role-ARN** - An [AWS role ARN](https://docs.mendix.com/developerportal/deploy/secret-store-credentials/#aws-secrets-manager) which can access the specified Secret Manager. + * **AWS SecretManager Name** - The AWS Secret Manager name where the sensitive data is stored. + + * For Azure Key Vault: + + * **Secret Provider** - Set to **Azure**. 
+ * **Client ID** - Enter a Client ID assigned to the Azure Managed Identity which enables Private Mendix Platform to access Azure resources. + * **Tenant ID** - Enter the Directory ID of the key vault. + * **Key Vault Name** - Enter the key vault name. + * **Use identity auth for Blob** - Set to **True** if you use the Azure Blob Storage with managed identity auth; the default value is **false**. 5. In the **Enabled Functions** section, select or clear the functions that you want to enable or disable:
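Review bot: In the Svix hunk (`@@ -264,11 +264,21 @@`), the unchanged **POSTGRES_DSN** line right after the new Azure list still says "Available only if you do not use the AWS Secret Manager", which is no longer accurate once **Secret Provider** can be **Azure**. Reword it to depend on **Use Secret Provider** not being selected, so a reader using Key Vault does not also put a plaintext DSN with credentials in the form. In the same list, **Use identity auth for Blob** mixes **True** and **false**; pick one casing that matches the UI. The line also does not say why a Blob Storage setting applies to the Svix component, so a short clarification would help.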
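Review bot: In the Private Mendix Platform hunk (`@@ -309,10 +319,21 @@`), the new **Client ID** item gives no pointer to what access the managed identity needs, while the **AWS-Role-ARN** item above it links to the secret-store-credentials page. Add an equivalent reference for Azure, or one sentence stating the access required on the named key vault, so that readers grant the identity only what is needed instead of a broad role. The unchanged **MxAdminPassword** context line at the top of this hunk still reads "required if you are not planning to use the AWS Secret Manager" and should now cover both providers. "Enter the Directory ID of the key vault" for **Tenant ID** would be clearer as the Directory (tenant) ID of the tenant that the key vault belongs to.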