Symptom
Within the Microsoft VLS integration, the password is encrypted after being entered and saved.
1. What encryption/protection protocol is used to encrypt the credentials?
2. What is the Key Management Process to encrypt this information (e.g. Protection Period, Key Creation and Key Rotation Process)?
Environment
SAP SuccessFactors Learning
Reproducing the Issue
- Navigate to the Learning module configuration.
- Within the Microsoft VLS integration, enter a password in the designated field and save the configuration.
- Observe that the password is encrypted after saving.
Cause
Resolution
The Microsoft Teams configuration secret is stored in the Vault. Each application has its own Vault key, and only the respective application can access its secret.
Individual users do not have access to the Vault key. This secret is not encrypted. When a customer updates or changes the secret, we update it in the Vault accordingly.
Below are the clarifications regarding Vault usage and secret handling:
Q: Can you better explain "Each application has its own Vault key, and only the respective application can access its secret. Individual users do not have access to the Vault key."?
A: The application (the Learning tenant) runs using a service account. This service account has the required credentials to authenticate to Vault and securely retrieve secrets.
These Vault credentials are never exposed to individual users (neither SF employees nor customers). The application retrieves secrets programmatically at runtime using its own identity.
Think of it this way: the application has a special “badge” to access its locker in Vault, but individual users do not have that badge — only the running application does.
Q: When does the configuration secret get stored in the Vault?
A: The secret is stored in Vault during the initial Microsoft Teams setup within the application. When a customer environment is provisioned, the VLS setup automatically injects configuration secrets (such as MS Teams settings) into Vault.
Q: Can anyone from SF view this secret and decipher it?
A: No. Regular SF employees cannot view or decipher customer secrets.
Only authorized personnel from Operations have controlled access to Vault, and even then, only for valid operational purposes.
Q: Explain the process for the customer to change this secret.
A: Customers enter the secret in plain text as part of the MS Teams configuration during VLS setup. When the configuration is saved:
- The application securely sends this information directly to Vault.
- The LMS database stores only a reference to the secret, not the secret itself.
- If the customer updates the configuration, the update flows through the application, which automatically updates Vault.
There is no manual intervention required from SuccessFactors teams for routine updates.
Customers never have direct access to Vault; all interactions go through application‑controlled processes to maintain security and auditability.
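The save, update and runtime-retrieval flow described above can be modelled as follows. This is an added illustration, not SAP SuccessFactors code: `VaultStandIn`, the `apps/<app>/<tenant>/...` path layout, the token scheme and all function names are assumptions made for the example, and the secret store is an in-memory stand-in rather than a real Vault client.

```python
import hmac
import secrets

class VaultStandIn:
    """In-memory stand-in for the secret store (assumption: not a real Vault client)."""

    def __init__(self):
        self._tokens = {}   # application id -> service-account token
        self._secrets = {}  # reference path -> secret value

    def register_app(self, app_id):
        # The token is handed to the application's service account only.
        token = secrets.token_hex(16)
        self._tokens[app_id] = token
        return token

    def _authorize(self, app_id, token, ref):
        expected = self._tokens.get(app_id, "")
        if not expected or not hmac.compare_digest(expected, token):
            raise PermissionError("unknown application identity")
        if not ref.startswith(f"apps/{app_id}/"):
            raise PermissionError("path belongs to another application")

    def write(self, app_id, token, ref, value):
        self._authorize(app_id, token, ref)
        self._secrets[ref] = value

    def read(self, app_id, token, ref):
        self._authorize(app_id, token, ref)
        return self._secrets[ref]


def save_teams_config(vault, db, app_id, token, tenant, client_secret):
    """Send the secret to the store; keep only its reference in the database row."""
    ref = f"apps/{app_id}/{tenant}/ms-teams-secret"
    vault.write(app_id, token, ref, client_secret)
    db[tenant] = {"integration": "ms-teams", "secret_ref": ref}
    return ref


def load_teams_secret(vault, db, app_id, token, tenant):
    """Resolve the stored reference at runtime using the application's identity."""
    return vault.read(app_id, token, db[tenant]["secret_ref"])
```

Calling `save_teams_config` again for the same tenant overwrites the value in the store while the database row keeps the same reference, which is the update path the answer describes.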
See Also
Keywords
password encryption, key management process, vault key, LMS module, virtual learning system, MS Teams configuration, secret storage, key rotation, authentication, encryption protocol, secure configuration, KBA, LOD-SF-LMS-VLS, Virtual Learning System, Problem
SAP Knowledge Base Article - Public