airbytehq · matteogp · Oct 10, 2025 · github-actions · Oct 10, 2025 · github-actions
diff --git a/docs/platform/enterprise-flex/data-plane.md b/docs/platform/enterprise-flex/data-plane.md
@@ -58,6 +58,15 @@ For a production-ready deployment of self-managed data planes, you require the f
 | External Secrets Manager | [Amazon Secrets Manager](/platform/operator-guides/configuring-airbyte#secrets) for storing connector secrets, using a dedicated Airbyte role using a [policy with all required permissions](/platform/enterprise-setup/implementation-guide#aws-secret-manager-policy). |
 | Object Storage (Optional)| Amazon S3 bucket with a directory for log storage.                                                                         |
 
+</TabItem>
+<TabItem value="Azure" label="Azure" default>
+
+| Component                | Recommendation                                                                                                                                                            |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Kubernetes Cluster       | Azure Kubernetes Service cluster running in [2 or more availability zones](https://learn.microsoft.com/en-us/azure/aks/reliability-zone-resiliency-recommendations). |
+| External Secrets Manager | [Azure Key Vault](/platform/operator-guides/configuring-airbyte#secrets) for storing connector secrets, using a dedicated Airbyte role using a [policy with all required permissions](/platform/enterprise-setup/implementation-guide#azure-key-vault-policy). |
+| Object Storage (Optional)| Azure Blob Storage with a directory for log storage.                                                                         |
+
 </TabItem>
 </Tabs>
 
@@ -253,6 +262,38 @@ kubectl create secret generic airbyte-config-secrets \
 ```
 
 </TabItem>
+
+<TabItem value="Azure" label="Azure" default>
+
+```yaml title="values.yaml"
+airbyteUrl: https://cloud.airbyte.com # Base URL for the control plane so Airbyte knows where to authenticate
+
+dataPlane:
+  # Used to render the data plane creds secret into the Helm chart.
+  secretName: airbyte-config-secrets
+  id: "preview-data-plane"
+
+  # Describe secret name and key where each of the client ID and secret are stored
+  clientIdSecretName: airbyte-config-secrets
+  clientIdSecretKey: DATA_PLANE_CLIENT_ID
+  clientSecretSecretName: airbyte-config-secrets
+  clientSecretSecretKey: DATA_PLANE_CLIENT_SECRET
+
+# Secret manager secrets/config
+# Must be set to the same secrets manager as the control plane
+secretsManager:
+  secretName: airbyte-config-secrets
+  type: AZURE_KEY_VAULT
+  azureKeyVault:
+      vaultUrl: ## https://my-vault.vault.azure.net/
+      tenantId: ## 3fc863e9-4740-4871-bdd4-456903a04d4e
+      clientId: ""
+      clientIdSecretKey: ""
+      clientSecret: ""
+      clientSecretSecretKey: ""
+```
+</TabItem>
-</TabItem>
+
+</TabItem>
-</TabItem>
+
+</TabItem>
+
 </Tabs>
 </details>
 

diff --git a/docs/platform/enterprise-setup/implementation-guide.md b/docs/platform/enterprise-setup/implementation-guide.md
@@ -1245,3 +1245,43 @@ The [following policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/e
     ]
 }
 ```
+
+## Azure Policies Appendix
+
+### Azure Key Vault Policy
+
+Airbyte requires the ability to write and read secrets in an Azure Key Vault. The built-in role that supports this is the Key Vault Secrets Officer role, whose JSON configuration can be viewed below to understand the specific permissions needed. 
-Airbyte requires the ability to write and read secrets in an Azure Key Vault. The built-in role that supports this is the Key Vault Secrets Officer role, whose JSON configuration can be viewed below to understand the specific permissions needed. 
+Airbyte requires the ability to write and read secrets in an Azure Key Vault. The built-in role that supports this is the Key Vault Secrets Officer role, whose JSON configuration can be viewed below to understand the specific permissions needed.
-Airbyte requires the ability to write and read secrets in an Azure Key Vault. The built-in role that supports this is the Key Vault Secrets Officer role, whose JSON configuration can be viewed below to understand the specific permissions needed. 
+Airbyte requires the ability to write and read secrets in an Azure Key Vault. The built-in role that supports this is the Key Vault Secrets Officer role, whose JSON configuration can be viewed below to understand the specific permissions needed.
+
+```yaml
+{
+    "id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
+    "properties": {
+        "roleName": "Key Vault Secrets Officer",
+        "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+        "assignableScopes": [
+            "/"
+        ],
+        "permissions": [
+            {
+                "actions": [
+                    "Microsoft.Authorization/*/read",
+                    "Microsoft.Insights/alertRules/*",
+                    "Microsoft.Resources/deployments/*",
+                    "Microsoft.Resources/subscriptions/resourceGroups/read",
+                    "Microsoft.Support/*",
+                    "Microsoft.KeyVault/checkNameAvailability/read",
+                    "Microsoft.KeyVault/deletedVaults/read",
+                    "Microsoft.KeyVault/locations/*/read",
+                    "Microsoft.KeyVault/vaults/*/read",
+                    "Microsoft.KeyVault/operations/read"
+                ],
+                "notActions": [],
+                "dataActions": [
+                    "Microsoft.KeyVault/vaults/secrets/*"
+                ],
+                "notDataActions": []
+            }
+        ]
+    }
+}
+```