Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Setting minimum TLS version

    KeyVaults should let users determine the minimum TLS version to use. This is inline with many other azure services (ex. Web Apps, Functions, SQL), increases security and is more future proof (TLS 1.0 and 1.1 is quite old).

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. Key Vault performance issue breaks Azure Functions

    When retrieving the Azure Functions host key, the service sometimes returns a GatewayTimeout error.

    The Azure Web App support team analyzed the issue and identified a Key Vault performance issue as the root cause.

    "More specific, the related KeyVault API call took longer than expected. As a result of this issue, the related function site failed to be started properly so “ListKey” threw out “Timeout” exception [...]"

    Please vote for implementing "Key Vault Reference Perf Improvements".

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. Configure key vault managed storage accounts via ARM template

    This link describes configuring Key Vault managed storage accounts with PowerShell.
    https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell

    If we could do the same in an ARM template, it would reduce deployment complexity and allow us to leverage the functionality in air-gapped environments.

    16 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. Within documentation or in the product overview pages include a list of other Azure services that are dependencies for Key Vault

    When large organizations adopt cloud services they may evaluate the cloud service in depth, along with all other cloud services that must or may be adopted as dependencies of the primary service being planned for use. An example is that when adopting Azure Key Vault a customer will be required to adopt Azure Active Directory if not already adopted, and therefore adopting Key Vault will necessitate an in-depth security assessment of Azure AD in addition to Key Vault.

    Currently Microsoft does not list dependencies of any kind on the product web pages of all the many Azure services. This obliges…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  7. HMAC signing

    As an application developer, I have had a number of situations where HMAC signing has been a key part of application security, such as:


    • Signing “local” session tokens (JWT, cookies, etc)

    • Third-party integrations (API authentication)

    • Integrity of data at rest

    In many of these scenarios, ECC signing is either too heavy or not possible due to third-party dependencies. For scenarios where the same Key Vault can do the signing and verification, it would be ideal for us to be able to either generate or import a symmetric key in Key Vault for use with HMAC.

    This would allow us to…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. Support for KMIP protocol

    KMIP is a standard protocol for interacting with vaults. It's supported by major vendors including NetApp. Keyvault should support this feature to allow centralized key management.

    20 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  9. Remove option to toggle IP config from dynamic to static

    As per documentation: "When creating a private endpoint, a read-only network interface is also created for the lifecycle of the resource. The interface is assigned dynamically private IP addresses from the subnet that maps to the private link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint."
    However now the system lets you go into the NIC, go into the IP cofig and toggle the IP settings from dynamic to static. This is not allowed by the system and results in an error when saving. Please remove this option from here…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. Key Vault replication & backup/restore secret update

    TLDR: I want the possibility to overwrite already existing secrets with the Restore-AzKeyVaultSecret/Key/Certificate to allow for replication in the customers control.

    According to the Key Vault documentation Azure Key Vault provides a 99.9% availability percentage and a replication to the pair region takes place to ensure customers can continue using their Key Vaults after a failover in read-only.

    However this is a situation a customer does not and can not control. This means that a customer has to wait until Microsoft declares a disaster and fails over the vaults to the pair region. I would like it if we would…

    8 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. On Prem AKV

    Even with premium, AKV is placed in the Microsoft Datacenters. That is the main reason customers don't want to have both data and keys on the same cloud or with the provider, which is Microsoft.
    This is a much bigger problem in the EU.

    Why can't Microsoft create AKV as a device which customers can buy and put in their own data center? Add it as a registered device in Azure subscription, and then it provides the same interface and API.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Offer Logic App as a choice in the Event Endpoint dropdown

    When you are creating a new Event Subscription you should be able to choose Logic App as a possible option for the Event Handler / Endpoint Type.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Enable compound identity access using az cli

    Per https://github.com/MicrosoftDocs/azure-docs/issues/49362 - currently az cli does not allow setting compond identity access to a keyvault.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  14. Include Azure Automation on Key Vault Firewall under "Trusted Microsoft Services"

    Currently, Azure Automation accesses Azure Key Vaults through public endpoints (Azure Data Center Public IPs). As such, Automation cannot function unless a firewall exclusion is in place in the key vault settings. Unfortunately, Azure has hundreds of public IP addresses, which could change at a moments notice. This, in effect, negates use of the Key Vault firewall altogether and requires you to allow incoming untrusted networks.

    There is a firewall setting "Allow Trusted Microsoft Services", which allows select services to bypass the firewall. Automation is not included in this list. It would be a great help to include it; immediately…

    73 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  9 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. Multi-Region Key Vault

    Currently, Key Vault only supports one single region via collocation constraint, but there are usecases which having a multi-region Key Vault is necessary such as Encryption Scope.

    What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  16. Allow "Microsoft.KeyVault/vaults/accessPolicies/write" permission to work without having to also assign "Microsoft.KeyVault/vaults/write"

    At present "Microsoft.KeyVault/vaults/accessPolicies/write" is insufficient to block or enable user for modifying the access policy of the key vault.

    To block or enable access policy you have to add "Microsoft.KeyVault/vaults/write" as well. This means that we cannot properly apply least privilege to users who we just want to block or allow to modify access policies only.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  17. Allow key vault references without version

    It was previously possible to reference key vault settings without specifying the secret version in the URL. i.e. https://myvault.vault.azure.net/secrets/mysecret/

    And would automatically reference the most current version of the secret.

    This functionality stopped working after a rollout on 9 August 2019.

    This is a very useful feature when you need to use secrets across different environments as it is cumbersome to update the references whenever a secret needs to be updated.

    17 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Is there a way to programatically create a key vault?

    I need to be able to programmatically create a key vault in code. c#. But I don't see any documentation that will allow me to do that except for az.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow Azure services and resources to access this key vault

    It should be possible to select "Allow Azure services and resources to access this key vault" in Networking.

    As of today, you can only select:
    Option 1) ”Allow trusted Microsoft services to bypass this firewall”
    Option 2) "IPv4 address"
    Option 3) "Virtual networks"

    A scenario is, you have a “Azure WebApp”, and Identity is set to off.
    Then the WebApp is not a “trusted Microsoft services”, therefore option 1 is not useable.

    Option 2, the IP address solution, is not useable when you have many WebApps, and many key vaults, in our case we should then manually handle over 1000…

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. Add Notes Field

    Our team was evaluating AKV to replace KeePass as a department credential storage medium, one of the most useful features missing is the ability to add notes or comments to a credential. Context is for Kings, sometimes a credential needs descriptions or even instructions, pairing those with the credential is valuable.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4
  • Don't see your idea?

Feedback and Knowledge Base