diff --git a/secretstores/azure/keyvault/metadata.yaml b/secretstores/azure/keyvault/metadata.yaml
new file mode 100644
index 000000000..c63a621e7
--- /dev/null
+++ b/secretstores/azure/keyvault/metadata.yaml
@@ -0,0 +1,91 @@
+# yaml-language-server: $schema=../../../component-metadata-schema.json
+schemaVersion: v1
+type: secretstores
+name: azure.keyvault
+version: v1
+status: stable
+title: "Azure Key Vault"
+urls:
+ - title: Reference
+ url: https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/
+authenticationProfiles:
+ - title: "Azure AD: Managed identity"
+ description: |
+ Authenticate using Azure AD and a managed identity.
+ metadata:
+ - name: azureClientId
+ required: false
+ description: |
+ Client ID (application ID). Required if the service has multiple identities assigned.
+ example: '"c7dd251f-811f-4ba2-a905-acd4d3f8f08b"'
+ - title: "Azure AD: Client credentials"
+ description: |
+ Authenticate using Azure AD with client credentials, also known as "service principals".
+ metadata:
+ - name: azureTenantId
+ required: true
+ description: |
+ ID of the Azure AD tenant
+ example: '"cd4b2887-304c-47e1-b4d5-65447fdd542b"'
+ - name: azureClientId
+ required: true
+ description: |
+ Client ID (application ID)
+ example: '"c7dd251f-811f-4ba2-a905-acd4d3f8f08b"'
+ - name: azureClientSecret
+ required: true
+ sensitive: true
+ description: |
+ Client secret (application password)
+ example: '"Ecy3XG7zVZK3/vl/a2NSB+a1zXLa8RnMum/IgD0E"'
+ - title: "Azure AD: Client certificate"
+ description: |
+ Authenticate using Azure AD with a client certificate (in PFX/PKCS#12 format). One of `azureCertificate` and `azureCertificateFile` is required.
+ metadata:
+ - name: azureTenantId
+ required: true
+ description: |
+ ID of the Azure AD tenant.
+ example: '"cd4b2887-304c-47e1-b4d5-65447fdd542b"'
+ - name: azureClientId
+ required: true
+ description: |
+ Client ID (application ID).
+ example: '"c7dd251f-811f-4ba2-a905-acd4d3f8f08b"'
+ - name: azureCertificate
+ required: false
+ sensitive: true
+ description: |
+ Certificate and private key (in PFX/PKCS#12 format).
+ example: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvgI...
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+ MIICoTC...
+ -----END CERTIFICATE-----
+ - name: azureCertificateFile
+ required: false
+ sensitive: true
+ description: |
+ Path to PFX/PKCS#12 file on disk, containing the certificate and private key.
+ example: "/path/to/file.pem"
+ - name: azureCertificatePassword
+ required: false
+ sensitive: true
+ description: |
+ Password for the certificate if encrypted.
+ example: "password"
+metadata:
+ - name: vaultName
+ required: true
+ description: |
+ The Azure Key Vault name.
+ example: '"mykeyvault"'
+ type: string
+ - name: azureEnvironment
+ required: false
+ description: |
+ Name of the Azure Environment if using a different Azure cloud.
+ example: '"AZUREPUBLICCLOUD"'
+ type: string
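Review bot: The `azureCertificate` and `azureCertificateFile` entries describe their value as PFX/PKCS#12, but both examples are PEM: a `-----BEGIN PRIVATE KEY-----` block and `/path/to/file.pem`. PKCS#12 is a binary container, so an operator following the description and one following the example would supply different key material. Which formats the component accepts is not visible in this diff, so description and example should be aligned to whatever it parses, for instance `Certificate and private key, in PEM or PFX/PKCS#12 format.` if both are supported. The `azureClientSecret` example also reads like a real credential and is likely to trip secret scanners or be pasted as-is; an obviously fake value such as `'"<client-secret>"'` would be safer. Example quoting is inconsistent as well: most entries embed the quotes (`'"mykeyvault"'`), while `azureCertificateFile` and `azureCertificatePassword` use a plain `"..."`.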