Make it possible with an ARM template to set an Access Policy for a Application Registration Principal
After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able to determine, the only way to obtain this 'hidden id', is using the -PassThru argument while running AzureRmKeyVaultAccessPolicy, which at this point the Key vault must already exist, and it creates the access policy so this is useless for use in an Arm template that you want to create the initial key vault with. If there is some other way to obtain this hidden id, that would be a start, ideally if it was visible from the portal. Ideally, some more intuitive way, such as the ApplicationId that exists in the Arm template (though what it is for I don't know), would of course be better.
I have attached some of the relevant information from the ticket.
After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able…11 votes
I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.
It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.28 votes
In this document:
The step 3.2 suggests you should initialize your security world with:
new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3
DLf1024s160mRijndael is the Thales nShield HSM legacy cipher suite, and should not be used in Production environments. The cipher suite should be DLf3072s256mRijndael so the command should be:
new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3
I suggest updating the step to reflect the newer cipher suite.3 votes
When you open a particular secret tab you first need to make it visible and only then you are able to copy the value.
Please add a button to copy the value without showing the value.5 votes
So ideally a user could create a key in a vault then be allowed to navigate to a resources credentials and store the password or username as the key value. This avoids credentials going out if date if users have build an API that calls secrets via AAD tokens. I'd use it for storage accounts,SQL servers etc.2 votes
If a company has a single KeyVault which holds dev and production keys, as long as you access the keyvault through a valid access policy and key can be used (for the usages mentioned in the access policy).6 votes
In Payment Industry, cryptographic keys that are used to encrypt PIN from credit/debit cards are TripleDES (sometimes with DUKPT) based. Currently, KeyVault only support RSA keys.
Please add support to it.72 votes
currently when delegating permissions to secrets and keys to groups the group name is not published into the "displayname" attribute of the vault key. only the object ID exists. nightmare for role segregation mgmt.1 vote
Azure taught students how to defame my reputation and how to spend my money Edge is downloaded and running Apache My name is Lyda G Bonds
Azure taught a wonderful team called the 403b and the 401k team and now I am being controlled by them Great Job! What happened to your ethics as a company?1 vote
Microsoft should not be calling out a specific vendor and have them be a requirement. Instead, they should offer a standards based solution that allows the customer to use their existing HSM. Thales might not be the right choice for every enterprise.1 vote
How can I BYOK to Azure from Gemalto Luna SA?1 vote
Given that the Access Policies show only the user or service principal name in the portal, it would be very nice to be able to be able to determine the GUIDs that these names resolve to troubleshoot issues.
Having the same name listed multiple times with different GUIDs may prove confusing, so taking it one step further, the portal could also resolve the GUIDs (user, SP, Groups, Application IDs) into their objects for full information, perhaps by using something like Graph’s GetObjectsByObjectIds.2 votes
The individual key vault page shows several key metrics (total requests, average latency, success ratio) and even the "Metrics (preview)" (when accessed via the key vault page) shows the same metrics (albeit with a different name).
However, these metrics cannot be access via the Metrics (either current GA or preview) blade. Nor can they be accessed via the Azure CLI.
It would be useful to be able to correlate key vault metrics with other service metrics (such as app services), to do this it is necessary to have the data accessible via the metrics blade or the CLI.1 vote
My coworker sometimes set up Azure Agent Backup, though he does not have azure portal login accont.
So when he set up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
So I want to download a vault credential without login to Azure portal.2 votes
You can currently backup / restore keys from Keyvault. it would be helpful to be able to provide backup/ restore functionality and roles for Secrets.
the current design assumption is these would also be stored within an on-prem password vault or documentation or equivalent. however operational best practice varies across companies as such a catch all should allow the backup and restore of secrets as you can with KEYS.2 votes
- Don't see your idea?