In order for our organization to fully adopt Azure Key Vault for managing passwords and secrets we need to be able to support at a minimum allowing _ (underscrores) and other special characters in the naming convention as we have hundreds of names that contain underscores in them such as accounttest, accountprd, etc..

Reading through the documentation online I can't find any technical reason as to why special characters aren't supported but this is a show stopper at this point for us until this is added/supported.

Many of our vendors require us to send them files via SFTP using their public encryption keys most of which are PGP keys. As we start to migrate our Managed File Transfer service to Azure we'd like to leverage storing these keys in Azure Key Vault

When I generate a manual type secret, it's impossible to save the multiple lines' secret(SSH private key) value, in fact, I think the input box should take text area as an option.

Microsoft docs highly recommends the keys/secrets/certificates to be rotated on regular interval for better security posture.

The rotation is only possible by writing powershell code and dont have luxury to write and maintain for every resource.

It would be great to have a feature in Key Vault to do that for us when a resource is connected. Resource could be PaaS SQL, Storage account, Azure Ad APP etc.

KeyVault talks about writing powershell code to recycle keys on storage account.
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring

It’s important to know if keys / Secrets are updated in key vault so that necessary actions with consuming application can be taken when this occurs...

Currently, you can only back up each secret one at a time. I would like the ability to back all the secrets up and obviously, store them in an encrypted storage account or vault.

Limitation - This provided key/secret/certificate backup file was from another subscription. Backups can only be restored into the same subscription.

This is required for customer controlled backup/restore control of TDE keys across subscriptions as there is no alternative way to migrate. This limits HA design for certain resources to be contained within a single subscription.

Allow feature via a flag or whitelist of subscriptions.

Portal experience for creating a Key Vault Managed Storage Account and/or for 'On-Boarding' a Storage Account into being managed by a given Key Vault Key

This is possible with PowerShell and AzureCLI (as described here: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-key) but there is not portal experience for doing this.

Originally mentioned in this Github Issue:
https://github.com/MicrosoftDocs/azure-docs/issues/10555

You can create multiple versions for a given secret, however the api only allows a delete to be performed at the secret level and not for an individual version.

We are creating a solution where multiple services (backend servers from different departments, ...), will use key vault to retreive their access keys. It would be great to be able to give a backend service access to only the relevant entry (e.g. only to secret1 and certificate2).
The problem is, that a user that has access (to secrets for example), automatically has access to all secrets.

In other words: Add access policies to secrets, keys and certificates

I want to call an AKV API to generate a random password so that I could use that to update the applications credentials and then call the API to set the current secret value to that new password.

KeyVaultErrorException Error validating token: IDX10223 after changing timezone on laptop

Fix exception after changing timezone on laptop. Or warn developers not to change timezones on business trip.

Went on business trip where I changed the timezone.
Everything worked fine.
Returned home and restored timezone.
.Net Core application stops working due to exception.

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException Error validating token: IDX10223
HResult=0x80131500
Message=Error validating token: IDX10223
Source=Microsoft.Azure.KeyVault

The Key vault should not allow it to be deleted, as long as it has associations with other resources. In Azure the vast majority of resources have this restriction, for a resource as important as the Key Vault should also have this validation before allowing its elimination.

Would be great to have following options in Key Vault – structured security permissions for all cryptographic resources. Possibility to deliver KeyVault secrets to users in secure way – direct export to encrypted archive + password, without use of system clipboard. One more option – direct access to KeyVault secret from mstsc or Windows Hello login screen, without copying of the sensitive information via system clipboard. Together with MFA security option KeyVault secret assigned to appropriate user can work as primary or backup login option.

Today, secrets are able to be added manually and via file, which from my knowledge only accepts one key value pair for the secret. It would be nice to have the ability to insert multiple secrets at once.