To move sensitive connection information out of the MDrivenServer admin database and/or the TurnkeySettings.xml file, you can now do the following:
Put the desired string value in an environment variable (you can use Azure Key Vault to put values into environment variables that are visible only to the intended applications).
Take the name of the environment variable padded with %, i.e. %SomeEnvVar%, and put this padded value into the MDrivenServer UI or into any TurnkeySettings.xml file.
Wherever the padded %SomeEnvVar% value is encountered, it is resolved to the value of the SomeEnvVar environment variable.
This works for:
- All values in TurnkeySettings.xml (and its different overrides)
- MDrivenServerOverride.xml file: The MDrivenServerPWD parameter
- MDrivenServer UI: EmailHost, EmailHostPWD, EmailFrom, EmailFromPresentation, A0-ConnectionString
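As an added illustration of the resolution rule above (not MDriven's own code), here is a small audit script that resolves %Name% references in a settings file and flags sensitive keys that still hold literal values or point at an unset variable. The XML layout, element names and the sample environment are constructed assumptions, not the real TurnkeySettings.xml schema.

```python
import os
import re
import xml.etree.ElementTree as ET

# A whole value of the padded form %Name% is a reference; anything else is a literal.
TOKEN = re.compile(r"^%([A-Za-z_][A-Za-z0-9_]*)%$")

def resolve_value(raw, env=os.environ):
    """Return (value, referenced_variable_or_None). Values that merely contain '%'
    (e.g. inside a connection string) are literals; a reference to an unset variable
    raises so the literal '%Name%' text is never silently used as a secret."""
    m = TOKEN.match(raw.strip())
    if not m:
        return raw, None
    name = m.group(1)
    if name not in env:
        raise ValueError(f"setting references %{name}% but that variable is not set")
    return env[name], name

def audit_settings(xml_text, sensitive_keys, env=os.environ):
    """Resolve each child element of the root; flag sensitive keys still holding a
    literal value. Returns (resolved_dict, findings_list)."""
    root = ET.fromstring(xml_text)
    resolved, findings = {}, []
    for elem in root:
        raw = elem.text or ""
        try:
            value, var = resolve_value(raw, env)
        except ValueError as err:
            findings.append(str(err))
            continue
        resolved[elem.tag] = value
        if elem.tag in sensitive_keys and var is None and raw.strip():
            findings.append(f"{elem.tag} holds a literal value; move it to an environment variable")
    return resolved, findings

# Constructed sample: element names and layout are assumptions, not the real schema.
SAMPLE_XML = """<TurnkeySettings>
  <MDrivenServerPWD>%MDRIVEN_SERVER_PWD%</MDrivenServerPWD>
  <ConnectionString>Server=db;Password=PLAINTEXT-PLACEHOLDER;</ConnectionString>
  <EmailHostPWD>%MISSING_VAR%</EmailHostPWD>
  <EmailFrom>noreply@example.invalid</EmailFrom>
</TurnkeySettings>"""
SENSITIVE = {"MDrivenServerPWD", "ConnectionString", "EmailHostPWD"}

def demo():
    # Constructed environment so the run is deterministic; MISSING_VAR is deliberately absent.
    return audit_settings(SAMPLE_XML, SENSITIVE, {"MDRIVEN_SERVER_PWD": "constructed-secret"})
```

Run `demo()` against a real file by passing its contents and the keys you consider sensitive; an empty findings list means every sensitive value is an environment reference that resolves.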
If Azure WebApp:
- Grant Access: In your Key Vault, go to Access Control (IAM) and assign the Key Vault Secrets User role to your App Service's identity.
- Create the Reference: In your App Service, go to Settings > Environment variables. Add a new setting:
  - Name: MY_SECRET_KEY
  - Value: @Microsoft.KeyVault(SecretUri=https://your-vault.vault.azure.net/secrets/your-secret-name/)
- Usage: Your app can now call Environment.GetEnvironmentVariable("MY_SECRET_KEY") as if it were a local string.
If IIS on VM:
# Run this on the server to set a variable for a specific App Pool (requires the Az.KeyVault and WebAdministration modules and an existing Az login)
Import-Module WebAdministration
$secret = Get-AzKeyVaultSecret -VaultName "YourVault" -Name "YourSecret" -AsPlainText
$appPool = "YourAppPoolName"
# Adds the environment variable specifically for the IIS App Pool identity; the filter is double-quoted so $appPool expands
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "system.applicationHost/applicationPools/add[@name='$appPool']/environmentVariables" -Name "." -Value @{name='MY_SECRET';value=$secret}
# Recycle the pool so the running worker process picks up the new variable
Restart-WebAppPool -Name $appPool
