Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember, this site is for feature suggestions and ideas. For technical questions, please try the documentation, the MSDN Forum or Stack Overflow.


  1. Please support Let's Encrypt as a first class auto rolling cert provider in Key Vault

    It would be great to support a free SSL provider like Let's Encrypt that works with Key Vault auto roll.

    14 votes
    1 comment  ·  Other
    • Provide a search text box in keyvault to search for a key

      Currently the portal supports a way to see the Key Vault and the keys + secrets stored in it. However, the secrets section does not provide a search text box to search for a particular secret. The portal just lists the first 10 secrets in the vault and shows a 'Load more' button.

      If a Key Vault has hundreds of keys in it, getting to the desired key takes several mouse clicks in most cases. The simple ask is to provide a search text box to search for the desired key.

      I understand I can use PowerShell to get the secret directly. But sometimes remembering…

      11 votes
      3 comments
      • Key Vault - Allow using AD Groups (RBAC) on Keys and Secret level

        I am an infrastructure admin, and I would like to use a single Key Vault where I can maintain secrets and keys and use RBAC to allow users, groups, service principals to ensure they only have access to what they need. This would simplify my administration of this service. Perhaps adding folders/group tags to secrets within the Key Vault and setting permissions based on those would also be an option.

        8 votes
        1 comment
        • Per-secret/key/certificate access control

          Currently it's an all or nothing model. To grant a user account or app id access to one secret, you have to grant it access to the entire vault (as far as I can tell). This eliminates the possibility of least privilege access to secrets. In this model, the only way to create security boundaries for individual secrets is to create additional key vaults, which could get out of control fast if we need one key vault per application per environment. A better model would be to have independent access controls on both the vault and the individual secrets.

          For…

          5 votes
          0 comments  ·  Managing application secrets
          • Method for organising secrets in Key Vault (folders/sections)

            I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.

            It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.

            4 votes
            2 comments  ·  Other
            • Cert deployment - Allow regions to be different for keyvault and VM

              Today, the VM and Key Vault need to be in the same region. This causes a lot of pain for services that have deployments in all Azure regions. We need to copy and roll over the same cert in all regions.

              4 votes
              0 comments  ·  Certificates
              • Deny users with inherited permissions to Azure Key Vault Service from modifying Access Policies.

                It should be possible to provide role separation even from the highest Azure permissions (Global Administrators / Subscription Owners).

                As of today, anyone with permissions to modify the service can change Access Policies and give themselves permissions to Keys and Secrets.

                Perhaps an extra level of Security linked to Azure Active Directory where only specified groups or users would have the ability to modify access policies.

                3 votes
                0 comments  ·  Other
                • Creating a Key Vault secret and using it in the same template

                  Give a different method than the securestring parameter to point to a new secret. I would like to be able to deploy a Key Vault and a new secret, and then reuse the created secret and Key Vault in my next resource deployment. Currently this is not possible. It would have to be done via PowerShell or separate ARM templates.

                  Regards,

                  Reinout Pennings

                  3 votes
                  0 comments  ·  Managing application secrets
                  • Download a vault credential without logging in to the Azure portal

                    My coworker sometimes sets up Azure Agent Backup, though he does not have an Azure portal login account.
                    So when he sets up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
                    Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
                    So I want to download a vault credential without logging in to the Azure portal.

                    2 votes
                    1 comment  ·  Other
                    • Allow configuration of a webhook to be called when KeyVault renews a certificate

                      When a certificate needs renewal, there is oftentimes additional work that needs to occur to configure consumers of the new certificate. Allow KeyVault to emit webhook calls on events such as certificate renewal so that a downstream service can consume this event and execute any needed configuration changes.

                      2 votes
                      0 comments  ·  Certificates
                      • Have better integration of Azure Key Vault and Crypteron

                        Crypteron offers a great SDK to offer easy encryption for Azure SQL and Azure Blob storage. However, the API keys are not accessible through Azure Key Vault for a great level of security. Please work with Crypteron on better integration of their SDK offerings for use with KeyVault services.

                        2 votes
                        0 comments
                        • Add possibility to copy a secret value on the portal without making it visible

                          When you open a particular secret tab you first need to make it visible and only then you are able to copy the value.
                          Please add a button to copy the value without showing the value.

                          2 votes
                          1 comment  ·  Other
                          • Make it possible with an ARM template to set an Access Policy for an Application Registration Principal

                            After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different than one created via the portal), however it will not work when used. As far as I've been able…

                            2 votes
                            0 comments  ·  Other
                            • Notify Users when secrets/keys are expiring

                              Currently certificates management supports email notification when certificates are expiring. Wouldn't it be great to have the same functionality for keys and secrets?

                              2 votes
                              0 comments  ·  Other
                              • Allow key vault metrics to be accessed via Metrics and via CLI

                                The individual key vault page shows several key metrics (total requests, average latency, success ratio) and even the "Metrics (preview)" (when accessed via the key vault page) shows the same metrics (albeit with a different name).

                                However, these metrics cannot be accessed via the Metrics (either current GA or preview) blade. Nor can they be accessed via the Azure CLI.

                                It would be useful to be able to correlate key vault metrics with other service metrics (such as app services); to do this, it is necessary to have the data accessible via the metrics blade or the CLI.

                                1 vote
                                0 comments  ·  Other
                                • Add deployment slots

                                  Configuration secrets such as connection strings will change from one deployment slot to another. Adding the deployment slot concept to Key Vault would eliminate the need to hack that concept into the secret names and the code used to retrieve the secrets.

                                  1 vote
                                  0 comments  ·  Managing application secrets
                                  • [Azure Key Vault] Microsoft.Azure.KeyVault library should provide a *default* retry policy

                                    The Microsoft.Azure.KeyVault library should provide a *default* retry policy, which considers the Key Vault SLAs and operational capabilities (e.g. failover).

                                    Just like the Azure Storage Client library.

                                    1 vote
                                    0 comments
                                    • Allow users to link azure resource credentials into key vault secrets

                                      So ideally a user could create a key in a vault, then be allowed to navigate to a resource's credentials and store the password or username as the key value. This avoids credentials going out of date if users have built an API that calls secrets via AAD tokens. I'd use it for storage accounts, SQL servers etc.

                                      1 vote
                                      0 comments  ·  Other
                                      • Manage permissions on an entry level

                                        We are creating a solution where multiple services (backend servers from different departments, ...) will use key vault to retrieve their access keys. It would be great to be able to give a backend service access to only the relevant entry (e.g. only to secret1 and certificate2).
                                        The problem is, that a user that has access (to secrets for example), automatically has access to all secrets.

                                        In other words: Add access policies to secrets, keys and certificates

                                        1 vote
                                        0 comments  ·  Managing application secrets
                                        • Ensure Key Vault Access Policies publish Group name to displayname when delegated

                                          Currently, when delegating permissions to secrets and keys to groups, the group name is not published into the "displayname" attribute of the vault key. Only the object ID exists. Nightmare for role segregation mgmt.

                                          1 vote
                                          0 comments  ·  Other