Quick notes on the use of securestring in Azure Blueprints

Azure Blueprints supports the secureString and secureObject types when you create artifacts and blueprint definitions. So far there is not much information about using secureString with Azure Blueprints.

This article will hopefully clarify how secureString behaves.

First of all, Microsoft has something here to check out

Portal UI Discrepancy 

If you define a parameter of type secureString like the one below:

"g_vmLocalAdminPassword": {
    "type": "securestring",
    "minLength": 8,
    "metadata": {
        "displayName": "VM Local Admin Password",
        "description": "Local Admin password for virtual machine"
    }
}

...and then assign your blueprint and artifact directly from the Azure portal, you may be surprised by how Azure Blueprints treats it.

This can be considered the default design when you use Azure Blueprints through the Azure portal UI.

secureString parameter As Code

As with an Azure ARM template, you can supply a Key Vault reference. Take a look at the definition of a secureString parameter in the assignment parameter file, which is where the actual value is supplied.

"g_vmLocalAdminPassword": {
    "reference": {
        "keyVault": {
            "id": "/subscriptions/aa2201b1-a52a-1199-11ec-930c4deb35e8/resourceGroups/azsec-rg/providers/Microsoft.KeyVault/vaults/shared-kv"
        },
        "secretName": "vmLocalAdminPassword"
    }
}

You can choose to do this as code to avoid the inconvenience of the Azure portal workflow.

Here is an example of using an assignment parameter file to deploy Azure Blueprints as code: https://github.com/azsec/azure-blueprints/tree/master/AzureSecurityCenter
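When assignment files live in a repository, it helps to check before committing that every secureString or secureObject parameter is supplied as a Key Vault reference and never as a literal value. The following is an added example, not code from the linked repository; the function name `check_secure_parameters`, the assumed input shapes (the `parameters` objects of the definition and of the assignment file) and the sample data are assumptions made for illustration.

```python
import re

# Assumed input shapes: `definition` is the "parameters" object of a blueprint
# definition; `assignment` is the "parameters" object of an assignment file.
SECURE_TYPES = {"securestring", "secureobject"}
VAULT_ID = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[a-z0-9-]{3,24}$", re.I)

def check_secure_parameters(definition, assignment):
    """Return findings; an empty list means no secure parameter is a literal."""
    findings = []
    for name, spec in definition.items():
        if str(spec.get("type", "")).lower() not in SECURE_TYPES:
            continue  # non-secure parameters may carry plain values
        entry = assignment.get(name)
        if entry is None:
            findings.append(f"{name}: no entry in the assignment file")
            continue
        if "value" in entry:
            findings.append(f"{name}: literal value stored in the assignment file")
            continue
        ref = entry.get("reference")
        if not isinstance(ref, dict):
            findings.append(f"{name}: missing Key Vault reference")
            continue
        vault_id = (ref.get("keyVault") or {}).get("id", "")
        if not VAULT_ID.match(vault_id):
            findings.append(f"{name}: keyVault.id is not a Key Vault resource ID")
        if not ref.get("secretName"):
            findings.append(f"{name}: secretName is empty")
    return findings

# Constructed sample data modelled on the snippets in this article.
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
VAULT = (f"/subscriptions/{SUB}/resourceGroups/azsec-rg"
         "/providers/Microsoft.KeyVault/vaults/shared-kv")
DEFINITION = {
    "g_vmLocalAdminPassword": {"type": "securestring", "minLength": 8},
    "g_location": {"type": "string"},
}
GOOD = {
    "g_vmLocalAdminPassword": {
        "reference": {"keyVault": {"id": VAULT}, "secretName": "vmLocalAdminPassword"}
    },
    "g_location": {"value": "eastus"},
}
BAD = {"g_vmLocalAdminPassword": {"value": "constructed-sample-password"}}
```

Calling `check_secure_parameters(DEFINITION, BAD)` returns one finding for the literal password, while `GOOD` returns an empty list.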
