Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow


  1. Per-secret/key/certificate access control

    Currently it's an all or nothing model. To grant a user account or app id access to one secret, you have to grant it access to the entire vault (as far as I can tell). This eliminates the possibility of least privilege access to secrets. In this model, the only way to create security boundaries for individual secrets is to create additional key vaults, which could get out of control fast if we need one key vault per application per environment. A better model would be to have independent access controls on both the vault and the individual secrets.

    For…

    26 votes
    2 comments  ·  Managing application secrets
  2. Please support Let's Encrypt as a first-class auto-rolling cert provider in Key Vault

    It would be great to support a free SSL provider like Let's Encrypt that works with Key Vault auto roll.

    20 votes
    1 comment  ·  Other
  3. Key Vault - Allow using AD Groups (RBAC) on Keys and Secret level

    I am an infrastructure admin, and I would like to use a single keyvault where I can maintain secrets and keys and use RBAC to allow users, groups and service principals to ensure they only have access to what they need. This would simplify my administration of this service; perhaps adding folders/group tags to secrets within the keyvault and setting permissions based on those would also be an option.

    13 votes
    1 comment
  4. Provide a search text box in keyvault to search for a key

    Currently the portal supports a way to see the keyvault and the keys + secrets stored in it. However, the secrets section does not provide a search text box to search for a particular secret. The portal just lists the first 10 secrets in the vault and shows a 'Load more' button.

    If a keyvault has hundreds of keys in it, getting to the desired key takes several mouse clicks in most cases. The simple ask is to provide a search text box to search for the desired key.

    I understand I can use PowerShell to get the secret directly. But sometimes remembering…

    12 votes
    4 comments
  5. Cert deployment - Allow regions to be different for keyvault and VM

    Today, the VM and keyvault need to be in the same region. This causes a lot of pain for services that have deployments in all Azure regions. We need to copy and roll over the same cert in all regions.

    7 votes
    0 comments  ·  Certificates
  6. Secret Names do not support special characters

    In order for our organization to fully adopt Azure Key Vault for managing passwords and secrets, we need to be able to support, at a minimum, allowing _ (underscores) and other special characters in the naming convention, as we have hundreds of names that contain underscores in them such as account_test, account_prd, etc.

    Reading through the documentation online I can't find any technical reason as to why special characters aren't supported, but this is a show stopper at this point for us until this is added/supported.

    5 votes
    0 comments  ·  Managing application secrets
  7. Notify Users when secrets/keys are expiring

    Currently certificate management supports email notification when certificates are expiring. Wouldn't it be great to have the same functionality for keys and secrets?

    5 votes
    0 comments  ·  Other
  8. Allow configuration of a webhook to be called when KeyVault renews a certificate

    When a certificate needs renewal, there is often additional work that needs to occur to configure consumers of the new certificate. Allow KeyVault to emit webhook calls on events such as certificate renewal so that a downstream service can consume this event and execute any needed configuration changes.

    5 votes
    0 comments  ·  Certificates
  9. Method for organising secrets in Key Vault (folders/sections)

    I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.

    It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.

    5 votes
    2 comments  ·  Other
  10. Deny users with inherited permissions to Azure Key Vault Service from modifying Access Policies.

    It should be possible to provide role separation even from the highest Azure permissions (Global Administrators / Subscription Owners).

    As of today, anyone with permissions to modify the service can change Access Policies and give themselves permissions to Keys and Secrets.

    Perhaps an extra level of security linked to Azure Active Directory where only specified groups or users would have the ability to modify access policies.

    4 votes
    0 comments  ·  Other
  11. Make it possible with an ARM template to set an Access Policy for an Application Registration Principal

    After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different than one created via the portal); however, it will not work when used). As far as I've been able…

    3 votes
    0 comments  ·  Other
  12. Creating a keyvault secret and using it in the same template

    Give a different method than the securestring parameter to point to a new secret. I would like to be able to deploy a keyvault and a new secret, and then to reuse the created secret and keyvault in my next resource deployment. Currently this is not possible. It would have to be done via Pshell or separate ARM templates.

    Regards,

    Reinout Pennings

    3 votes
    0 comments  ·  Managing application secrets
  13. Please make soft delete a default feature

    Currently soft delete is not a default feature. It would be great if this could be made a default feature to protect against loss of a complete keyvault or objects inside it (keys, secrets, certs).

    We learned about this feature only after getting hit by an accidental keyvault deletion.
    We can save others who are not aware of this feature and may run into a similar scenario.

    2 votes
    0 comments  ·  Other
  14. Add support for storage and retrieval of password protected certificates

    Currently all password protections applied on a certificate are stripped when they are uploaded and saved into Azure Key Vault. We would like to have the option of storing both the certificate and the password via the "az keyvault certificate import/download" set of cli commands with a toggleable optional argument to choose to preserve the transmission of the private key into and out of the keyvault along with the base certificate data together.

    2 votes
    0 comments  ·  Certificates
  15. Add possibility to copy a secret value on the portal without making it visible

    When you open a particular secret tab, you first need to make it visible, and only then are you able to copy the value.
    Please add a button to copy the value without showing the value.

    2 votes
    1 comment  ·  Other
  16. Download a vault credential without logging in to the Azure portal

    My coworker sometimes sets up Azure Agent Backup, though he does not have an Azure portal login account.
    So when he sets up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
    Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
    So I want to download a vault credential without logging in to the Azure portal.

    2 votes
    1 comment  ·  Other
  17. Key Vault Secret Backup / Restore Role

    You can currently backup / restore keys from Keyvault. It would be helpful to be able to provide backup / restore functionality and roles for Secrets.
    The current design assumption is that these would also be stored within an on-prem password vault or documentation or equivalent. However, operational best practice varies across companies; as such, a catch-all should allow the backup and restore of secrets as you can with KEYS.

    2 votes
    0 comments  ·  Other
  18. Have better integration of Azure Key Vault and Crypteron

    Crypteron offers a great SDK to offer easy encryption for Azure SQL and Azure Blob storage. However, the API keys are not accessible through Azure Key Vault for a great level of security. Please work with Crypteron on better integration of their SDK offerings for use with KeyVault services.

    2 votes
    0 comments
  19. Azure Key Vault Step 3.2 for Thales HSM security world initialization uses deprecated cipher suite

    In this document:

    https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/key-vault/key-vault-hsm-protected-keys.md

    Step 3.2 suggests you should initialize your security world with:

    new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3

    DLf1024s160mRijndael is the Thales nShield HSM legacy cipher suite, and should not be used in production environments. The cipher suite should be DLf3072s256mRijndael, so the command should be:

    new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3

    I suggest updating the step to reflect the newer cipher suite.

    1 vote
    0 comments  ·  Other
  20. Key vault document is really messy

    The current key vault document is really messy; it's really hard to know the whole e2e workflow to set up a keyvault for a web app.
    For example, where to get the client id and client password, how to connect the key vault with the application, why there are so many old portal screenshots, and why there are so many powershell scripts if we can just click some buttons via the portal.

    1 vote
    0 comments  ·  Managing application secrets