Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Improve PowerShell error messages

    Hello,

    I found an issue that when calling get-AzKeyVaultSecret from PS, it returns useless error "forbidden". When instead I call az keyvault secret show from Bash, i get error that "IP address *** not allowed".

    PS Azure:> Get-AzKeyVaultSecret -vaultname tbtest3-kv
    Get-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden'
    At line:1 char:1
    + Get-AzKeyVaultSecret -vaultname tbtest3-kv
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-AzKeyVaultSecret], KeyVaultErrorException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret

    tomas@Azure:~$ az keyvault secret show --name "AppSecret" --vault-name "tbtest3-kv"
    Client address (137.117.226.47) is not authorized and caller is not a trusted service

    The IP restriction is intentional, but it appears so…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. nCipher Security has only one product, general purpose HSM

    LOL, this happen if somebody is not doing his work properly and only rename vendor.
    nCipher Security has only general purpose HSM and has no activities in NATO or with payment solution. The text is about Thales company.

    nCipher Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, government, and technology sectors. With a 40-year track record of protecting corporate and government information, nCipher Security cryptographic solutions are used by four of the five largest energy and aerospace companies. Their solutions are also used by 22 NATO countries/regions, and…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. Provide a description field for Azure Key Vault secrets

    When creating a 'secret' in Azure Key Vault you mainly got Name, Value and Content type fields to populate. It would be great to have a Description field as well to provide some verbose description/notes about the particular secret.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. I facing issue while settng / getting secret keys using Key Voult API. I am getting 501 response from these API's

    I facing issue while settng / getting secret keys using Key Voult API. I am getting 501 response from these API's

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Firewall IP Address description field

    To increase security management, add a description field to the Firewalls and Virtual Networks list (just like other services).

    Currently it is just a list of IP addresses and we need to remember which ones are valid and which ones we should delete or expire In SQL server firewall, you can add a description to the IP addresses. Great if you can do the same.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. Key Vault Service Limits

    The Key Vault limits are at a 10 second granularity but the granularity of its metrics are 1 minute. Please consider adjusting the limits to be in line with the granularity of the metrics available.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  7. Semicolon bug in Microsoft.Azure.Services.AppAuthentication

    Hi

    I have found a bug in Microsoft.Azure.Services.AppAuthentication package.

    When a {ClientSecret} is generated with a semicolon eg. )}/}I;:}=&GG8U{Zt;4+[Jd{
    you can reproduce the bug.

    I wanted to use AzureServiceTokenProvider to obtain token for keyvault as mentioned in article --

    https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#running-the-application-using-managed-identity

    Running the application using a Service Principal

    To sign in using an Azure AD shared secret credential:

    RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}

    When the {ClientSecret} is generated without any semicolon, this approach works well.

    Request you to please fix the issue.

    Regards
    Sekhar Shrivastava

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →

    This is fixed in the preview in the following preview…please try it out and let us know if you have any feedback

    nuget.org/packages/Microsoft.Azure.Services..
    Release Notes
    Documentation can be found at go.microsoft.com/fwlink/p/?linkid=862452.

    Improvements for local development token request times
    Support for CancellationTokens
    Support for specifying user-assigned identity in SQL connection string with SqlAppAuthenticationProvider
    Adding retry logic for MsiAccessTokenProvider
    Removing TenantId as required connection string parameter when using KeyVaultCertificateSecretIdentifier parameter
    Adding quote escaping for connection string parameter values
    Other minor fixes and test updates

  8. Soft-Deleting KeyVault should release the Resource name

    If I delete a KeyVault with "SoftDelete", it should be possible to create a new KeyVault with the same name.

    An internal versioning logic should be able to distinguish between the versions.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow access to the public part of KEYS in KeyVault from ARM templates

    It would be very useful to be able to generate a key and then get the public portion to pass to the appSettings for another App.

    This is needed for secure deployments where some apps may be in different security 'zones' where they cannot have access to a shared key-vault.

    Generating a key would be useful, especially if we could request that one be generated only if it does not already exist.

    At the very least having access to the public portion of the key in the same way we have access to a secret would be very helpful:

                    "publicJsonKey"
    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add support for STORING the Storage Account Key in addition to rotating it.

    Add support for STORING the Storage Account Key in addition to rotating it. Rotating the key is only part of the issue for us, the other half is making it available to application teams in a manner that doesn't require us to give them direct access to each and every storage account at the azure resource level. We prefer to give the team a key vault and store the keys in the kv, which makes it simple for the application team to reference it. When it is updated, we update the kv and that's that.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. when remove blue print, please also remove policies it created

    We found that the policies we had created using blueprint were not cleared out when we removed the blueprint. We had to manually remove the policy from policies.

    We should automatically remove those blueprint created policies when delete a blueprint.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. allowing special characters in vault name

    Is it possible to allow special characters in vault names, such as "QaKeyVault.CompanyName" ?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Arm template to get the reference of Azure Search admin and query keys

    I wanted to add Azure Search admin and query keys as a secret to key vault using ARM template. Is there a way to do it?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  14. KeyVault's secrets improved usability with a Portal

    Adding secret with aplain text (not hashed like now).
    Easier getting secret value like icon on secrets list

    Currently you have to expose secret trying to get it value with a portal and it's secured / hashed when you try to add/change it

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. Key upload to vault from centos machine

    I need to upload public keys present in my centos machine to azure vault using azure cli .I used az keyvault key import --vault-name 'ContosoKeyVault' --name 'ContosoFirstKey' --pem-file 'path of the key' --pem-password 'Pa$$w0rd' --protection software this command . But i am not able to do this.Can anyone suggest me a solution.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  16. Support for adding a policy for an MSI without removing all other access policies

    When I create a web app with a Managed Service Identity and want to grant it access to an EXISTING vault, the ARM template for that - even when in incremental mode - removes the other existing access policies from the vault. Only the one for the newly added MSI will be there afterwards.

    This effectively disables any scenario where you want to use an existing key vault for a new web app.

    Similar to what has been reported here:
    https://stackoverflow.com/questions/47667050/azure-keyvault-add-function-msi-via-arm

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  17. Make it possible with an ARM template to set an Access Policy for a Application Registration Principal

    After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able…

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Method for organising secrets in Key Vault (folders/sections)

    I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.

    It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.

    47 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. Azure Key Vault Step 3.2 for Thales HSM security world initialization uses deprecated cipher suite

    In this document:

    https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/key-vault/key-vault-hsm-protected-keys.md

    The step 3.2 suggests you should initialize your security world with:

    new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3

    DLf1024s160mRijndael is the Thales nShield HSM legacy cipher suite, and should not be used in Production environments. The cipher suite should be DLf3072s256mRijndael so the command should be:

    new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3

    I suggest updating the step to reflect the newer cipher suite.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. Add possibility to copy a secret value on the portal without making it visible

    When you open a particular secret tab you first need to make it visible and only then you are able to copy the value.
    Please add a button to copy the value without showing the value.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base