Sometimes you would like to create an empty secret in Azure Key Vault, just so you would be able to optimize your ARM/Bicep files to support multiple authentication types, for example.
However, since the Azure Portal does not allow you to create a Key Vault secret without specifying any value, this seems to be quite impossible. Or is it?

Steps

• Getting Started
• Creating the secret
• Conclusion

Getting Started

Before you can use any of the PowerShell commands mentioned below, you will have to make sure you are connected to the correct Azure Tenant/Subscription.
This can be done by using the following:

Connect-AzAccount

Set-AzContext -Subscription $subscriptionId -Tenant $tenantId

Creating the secret

To create a new secret within an existing Azure Key Vault instance, you need to provide a SecureString-object containing the actual secret value.
Using PowerShell, you would be able to generate this SecureString by using the ConvertTo-SecureString-command. Unfortunately, this does not accept providing an empty string either.

A workaround to this approach is to simply initialize a new SecureString-object which will - since the constructor does not require you to provide any actual value - generate a blank secret for you.

$emptySecret = (new-object System.Security.SecureString)

Once this new object has been instantiated, it is just a matter of passing it along to the proper Az-command to create the empty secret within any given Azure Key Vault.

Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $emptySecret

Conclusion

As long as the constructor of this SecureString-object does not get updated to require you to provide the secret value, you will always be able to use this little workaround to create a blank secret in Azure Key Vault.