Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Configure key vault managed storage accounts via ARM template

    This link describes configuring Key Vault managed storage accounts with PowerShell.
    https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell

    If we could do the same in an ARM template, it would reduce deployment complexity and allow us to leverage the functionality in air-gapped environments.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. ARM Template support for Certificates and Issuers

    Hi,

    Currently KeyVault only supports adding new secrets using ARM templates.

    Certificates are common part of any service today, just like secrets, and I would like to be able to create them in my vault using my ARM templates.

    Due to this limitation, currently my provisioning scripts are split to 3 parts(!):
    1. ARM Template for preparation (create the KV)
    2. Powershell to create the certificates inside the KV
    3. ARM Template for the remaining provisioning, that in some parts rely on getting the certificate private part (by accessing the "secret" entity on the KV)

    This doesn't make sense.

    At…

    30 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  3. Setting the Secret expiration date in UTC date format instead of in seconds

    It would be nice to have the ability to specify the secret expiration date in UTC format instead of in seconds since 1970. I known we can set in the UTC format using powershell but it would be nice to have this option in the ARM template as well.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  4. Private CA (Certificate Authority) certificate issuing capability

    Provide native Private CA (Certificate Authority) capability in Azure so that private certificates can be issued.

    AWS has this feature, why not Azure?
    https://aws.amazon.com/certificate-manager/private-certificate-authority/

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow Recover or Purge Soft Deleted Azure Key Vaults in Azure Portal

    Hi Azure team,

    We hope that you could add a feature in azure portal where we can recover or purge the soft deleted azure secret value. Right now it is kinda hassle to do CLI in the cloud powershell just to remove or recover specific soft deleted azure secret value. This will be a big help!

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. Restore from another subscription

    Limitation - This provided key/secret/certificate backup file was from another subscription. Backups can only be restored into the same subscription.

    This is required for customer controlled backup/restore control of TDE keys across subscriptions as there is no alternative way to migrate. This limits HA design for certain resources to be contained within a single subscription.

    Allow feature via a flag or whitelist of subscriptions.

    12 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  7. Support for KMIP protocol

    KMIP is a standard protocol for interacting with vaults. It's supported by major vendors including NetApp. Keyvault should support this feature to allow centralized key management.

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. Support (encrypted) files in Key Vault

    It would be great if Key Vault had support for (encrypted) files. Sometimes we need to share settings files, properties etc between members of our distributed team and end up using Key Vault secrets and pasting the file contents into the "secret value" field, but that messes with the formatting and makes the download harder.
    It would be great if we could upload the file in it's whole to Key Vault and then let users download it.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Custom applications  ·  Flag idea as inappropriate…  ·  Admin →
  9. On Prem AKV

    Even with premium, AKV is placed in the Microsoft Datacenters. That is the main reason customers don't want to have both data and keys on the same cloud or with the provider, which is Microsoft.
    This is a much bigger problem in the EU.

    Why can't Microsoft create AKV as a device which customers can buy and put in their own data center? Add it as a registered device in Azure subscription, and then it provides the same interface and API.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add namespaces to key name

    We are planning to use Azure key vault to maintain DB passwords used by microservices. As per standards, in Java Spring, the property name for DB password is "spring.datasource.password". We can store only one value with key corresponding to "spring.datasource.password" in an Azure vault. There might be 100s of microservices and maintaining each microservice with a key vault will be difficult.
    Here's the issue from our customer: https://github.com/microsoft/azure-spring-boot/issues/763

    Hashicorp vault solves this issue with namespaces: https://learn.hashicorp.com/vault/operations/namespaces

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  11. Offer Logic App as a choice in the Event Endpoint dropdown

    When you are creating a new Event Subscription you should be able to choose Logic App as a possible option for the Event Handler / Endpoint Type.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Enable the exposure of User Details of External (Guest) users to Azure Keyvault.

    At present reporting on access to secrets stored in keyvaults is only easily deploy-able on users that a members of the underlying AD tenant. For invited users the logs only record the object ID and not the username - meaning that in order to generate reports on secret access additional scripting is required within the code to perform a lookup to gain the details that are already in the Tenant AD and populate a variable to be used. As the information is already in Azure AD it would be more elegant for this heavy lifting to be done by the…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  13. Support requesting for multiple secret values in the same API call

    We request various secret values while initializing our service. The way we do it now is that we issue separate HTTP requests for each using the .NET SDK (GetSecretAsync). Ideally we should be able to request for multiple secrets using the same request.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  14. Multi-Region Key Vault

    Currently, Key Vault only supports one single region via collocation constraint, but there are usecases which having a multi-region Key Vault is necessary such as Encryption Scope.

    What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. enable support for LetsEncrypt with enrolment and renewal

    Currently, Azure Key Vault can request and manage the life cycle of Digicert certificates (at a rather high cost). Can similar functionality be implemented for Let's Encrypt?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  16. SSL Certificate expiry warning at keyvault level

    It would be nice once a cert is put into the keyvault that expiry warnings are automatically applied.

    Currently we configure the warnings at certificate level inside the keyvault, but this can be tedious and certificates can be missed.

    We would like expiry warnings to be automatically applied to a certificate once its placed into the keyvault.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  17. Enable compound identity access using az cli

    Per https://github.com/MicrosoftDocs/azure-docs/issues/49362 - currently az cli does not allow setting compond identity access to a keyvault.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Is there a way to programatically create a key vault?

    I need to be able to programmatically create a key vault in code. c#. But I don't see any documentation that will allow me to do that except for az.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow key vault references without version

    It was previously possible to reference key vault settings without specifying the secret version in the URL. i.e. https://myvault.vault.azure.net/secrets/mysecret/

    And would automatically reference the most current version of the secret.

    This functionality stopped working after a rollout on 9 August 2019.

    This is a very useful feature when you need to use secrets across different environments as it is cumbersome to update the references whenever a secret needs to be updated.

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. Key Vault replication & backup/restore secret update

    TLDR: I want the possibility to overwrite already existing secrets with the Restore-AzKeyVaultSecret/Key/Certificate to allow for replication in the customers control.

    According to the Key Vault documentation Azure Key Vault provides a 99.9% availability percentage and a replication to the pair region takes place to ensure customers can continue using their Key Vaults after a failover in read-only.

    However this is a situation a customer does not and can not control. This means that a customer has to wait until Microsoft declares a disaster and fails over the vaults to the pair region. I would like it if we would…

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 8 9
  • Don't see your idea?

Feedback and Knowledge Base