Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try the documentation, the MSDN Forum or Stack Overflow.

  1. Configure key vault managed storage accounts via ARM template

    This link describes configuring Key Vault managed storage accounts with PowerShell.
    https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell

    If we could do the same in an ARM template, it would reduce deployment complexity and allow us to leverage the functionality in air-gapped environments.

    8 votes
    0 comments  ·  Other
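
The PowerShell procedure the post links to, as an added example (not code from the post or from the linked documentation). Names are hypothetical: vault `kv-example`, storage account `stexample`, resource group `rg-example`. The application id used for the Key Vault service principal is the first-party id for the Azure public cloud; confirm it for your cloud before running.

```powershell
# Added example: register a storage account as a Key Vault managed storage account
# and hand out SAS tokens from the vault instead of the account keys.
# Assumes Az.Accounts, Az.Storage and Az.KeyVault, and a signed-in identity that
# can assign roles on the storage account and set access policies on the vault.
$vaultName   = 'kv-example'    # hypothetical
$rgName      = 'rg-example'    # hypothetical
$accountName = 'stexample'     # hypothetical

$storage = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName

# Key Vault regenerates the keys with its own first-party service principal, so that
# principal (not the signed-in user) needs the key-operator role on the account.
# Public-cloud Key Vault application id; verify it for sovereign clouds.
$kvAppId = 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093'
New-AzRoleAssignment -ApplicationId $kvAppId `
    -RoleDefinitionName 'Storage Account Key Operator Service Role' `
    -Scope $storage.Id | Out-Null

# The caller needs data-plane 'storage' permissions on the vault to register the account.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -UserPrincipalName (Get-AzContext).Account.Id `
    -PermissionsToStorage get,list,set,update,regeneratekey,getsas,listsas,setsas

# Register the account: key1 becomes the active key, key2 the standby, and Key Vault
# rotates them on the regeneration period. From here on, nobody needs the raw keys.
Add-AzKeyVaultManagedStorageAccount -VaultName $vaultName -AccountName $accountName `
    -AccountResourceId $storage.Id -ActiveKeyName 'key1' `
    -RegenerationPeriod ([TimeSpan]::FromDays(30)) | Out-Null

# Build a SAS template. Key Vault re-signs it with the key it currently manages, so
# the key used to build the template only has to be valid at template-creation time.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rgName -Name $accountName)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $key -Protocol Https
$template = New-AzStorageAccountSASToken -Service Blob -ResourceType Service,Container,Object `
    -Permission 'rl' -Protocol HttpsOnly -Context $ctx -ExpiryTime (Get-Date).AddDays(30)

# A SAS definition: each read of it yields a fresh token valid for one hour (read/list only).
$sasName = 'blob-readonly-1h'
Set-AzKeyVaultManagedStorageSasDefinition -VaultName $vaultName -AccountName $accountName `
    -Name $sasName -TemplateUri $template -SasType 'account' `
    -ValidityPeriod ([TimeSpan]::FromHours(1)) | Out-Null

# Consumers fetch the token as a secret named '<account>-<definition>'; they need only
# 'get' on secrets, never any storage permission.
$sas = Get-AzKeyVaultSecret -VaultName $vaultName -Name "$accountName-$sasName" -AsPlainText
"Short-lived SAS issued: $($sas.Substring(0, 20))..."
```

The permission split is the point of the feature: the identity that registers the account needs storage permissions once, the Key Vault service principal holds the only standing right to regenerate keys, and application identities get short-lived SAS tokens through `get` on a secret. Remove the user's `regeneratekey`/`set` storage permissions once the setup is done.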
  2. Allow Recover or Purge Soft Deleted Azure Key Vaults in Azure Portal

    Hi Azure team,

    We hope that you could add a feature in the Azure portal where we can recover or purge the soft-deleted Azure secret value. Right now it is kind of a hassle to use the CLI in Cloud PowerShell just to remove or recover a specific soft-deleted Azure secret value. This will be a big help!

    2 votes
    started  ·  1 comment  ·  Other
  3. Support for KMIP protocol

    KMIP is a standard protocol for interacting with vaults. It's supported by major vendors including NetApp. Keyvault should support this feature to allow centralized key management.

    14 votes
    1 comment  ·  Other
  4. On Prem AKV

    Even with premium, AKV is placed in the Microsoft Datacenters. That is the main reason customers don't want to have both data and keys on the same cloud or with the provider, which is Microsoft.
    This is a much bigger problem in the EU.

    Why can't Microsoft create AKV as a device which customers can buy and put in their own data center? Add it as a registered device in Azure subscription, and then it provides the same interface and API.

    2 votes
    0 comments  ·  Other
  5. Offer Logic App as a choice in the Event Endpoint dropdown

    When you are creating a new Event Subscription you should be able to choose Logic App as a possible option for the Event Handler / Endpoint Type.

    3 votes
    0 comments  ·  Other
  6. Multi-Region Key Vault

    Currently, Key Vault only supports one single region via a collocation constraint, but there are use cases in which having a multi-region Key Vault is necessary, such as Encryption Scope.

    What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one.

    1 vote
    0 comments  ·  Other
  7. Enable compound identity access using az cli

    Per https://github.com/MicrosoftDocs/azure-docs/issues/49362 - currently az cli does not allow setting compound identity access to a keyvault.

    2 votes
    0 comments  ·  Other
  8. Is there a way to programatically create a key vault?

    I need to be able to programmatically create a key vault in code (C#). But I don't see any documentation that will allow me to do that except for az.

    1 vote
    0 comments  ·  Other
  9. Allow key vault references without version

    It was previously possible to reference key vault settings without specifying the secret version in the URL. i.e. https://myvault.vault.azure.net/secrets/mysecret/

    And would automatically reference the most current version of the secret.

    This functionality stopped working after a rollout on 9 August 2019.

    This is a very useful feature when you need to use secrets across different environments as it is cumbersome to update the references whenever a secret needs to be updated.

    15 votes
    0 comments  ·  Other
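
The two reference forms the post is about, wired to an App Service app setting, as an added example (not code from the post). Names are hypothetical: app `web-example` in `rg-example`, vault `kv-example`, secret `db-password`. It assumes Az.Websites and Az.KeyVault and an identity allowed to change the app and the vault's access policies.

```powershell
# Added example: App Service Key Vault references, pinned to a version and version-less.
$rgName     = 'rg-example'    # hypothetical
$appName    = 'web-example'   # hypothetical
$vaultName  = 'kv-example'    # hypothetical
$secretName = 'db-password'   # hypothetical

# 1. The app needs an identity the vault can trust; a system-assigned one is the simplest.
$app = Set-AzWebApp -ResourceGroupName $rgName -Name $appName -AssignIdentity $true

# 2. Grant that identity 'get' on secrets and nothing else: resolving a reference never
#    needs 'list', and the app should not be able to enumerate the vault.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $app.Identity.PrincipalId -PermissionsToSecrets get

# 3. Build the reference strings.
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
# Pinned: the SecretUri includes the version, so a rotation needs a new deployment.
$pinned = "@Microsoft.KeyVault(SecretUri=$($secret.Id))"
# Version-less: resolves to the latest enabled version; picked up after a restart
# (App Service also re-resolves these periodically).
$floating = "@Microsoft.KeyVault(VaultName=$vaultName;SecretName=$secretName)"

# 4. -AppSettings replaces the whole collection, so merge with what is already there.
$settings = @{}
$current = (Get-AzWebApp -ResourceGroupName $rgName -Name $appName).SiteConfig.AppSettings
foreach ($s in $current) { $settings[$s.Name] = $s.Value }
$settings['DB_PASSWORD']        = $floating
$settings['DB_PASSWORD_PINNED'] = $pinned
Set-AzWebApp -ResourceGroupName $rgName -Name $appName -AppSettings $settings | Out-Null

# 5. Check from inside the app: a resolved setting holds the secret value; an unresolved
#    one still holds the literal "@Microsoft.KeyVault(...)" string, which is the usual
#    symptom of a missing identity, a missing 'get' permission, or a vault firewall
#    blocking the app's outbound IPs.
function Test-KeyVaultReferenceResolved {
    param([Parameter(Mandatory)][string]$SettingName)
    $value = [Environment]::GetEnvironmentVariable($SettingName)
    return -not [string]::IsNullOrEmpty($value) -and -not $value.StartsWith('@Microsoft.KeyVault(')
}
```

`Test-KeyVaultReferenceResolved` is meant to run inside the app (for example from a startup check or the Kudu console), where the platform has already replaced the references; from a workstation it only tells you the variable is absent.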
  10. Include Azure Automation on Key Vault Firewall under "Trusted Microsoft Services"

    Currently, Azure Automation accesses Azure Key Vaults through public endpoints (Azure Data Center Public IPs). As such, Automation cannot function unless a firewall exclusion is in place in the key vault settings. Unfortunately, Azure has hundreds of public IP addresses, which could change at a moment's notice. This, in effect, negates use of the Key Vault firewall altogether and requires you to allow incoming untrusted networks.

    There is a firewall setting "Allow Trusted Microsoft Services", which allows select services to bypass the firewall. Automation is not included in this list. It would be a great help to include it; immediately…

    55 votes
    under review  ·  8 comments  ·  Other
  11. Allow "Microsoft.KeyVault/vaults/accessPolicies/write" permission to work without having to also assign "Microsoft.KeyVault/vaults/write"

    At present "Microsoft.KeyVault/vaults/accessPolicies/write" is insufficient to block or enable a user to modify the access policy of the key vault.

    To block or enable access policy you have to add "Microsoft.KeyVault/vaults/write" as well. This means that we cannot properly apply least privilege to users who we just want to block or allow to modify access policies only.

    2 votes
    0 comments  ·  Other
  12. Key Vault replication & backup/restore secret update

    TLDR: I want the possibility to overwrite already existing secrets with the Restore-AzKeyVaultSecret/Key/Certificate to allow for replication in the customers control.

    According to the Key Vault documentation Azure Key Vault provides a 99.9% availability percentage and a replication to the pair region takes place to ensure customers can continue using their Key Vaults after a failover in read-only.

    However this is a situation a customer does not and can not control. This means that a customer has to wait until Microsoft declares a disaster and fails over the vaults to the pair region. I would like it if we would…

    3 votes
    0 comments  ·  Other
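
What a customer-controlled copy with the existing cmdlets looks like, as an added example (not code from the post): every secret in a source vault is backed up and restored into a target vault, and the name collisions the post complains about are reported instead of failing the whole run. Vault names are hypothetical. Backup blobs only restore into a vault in the same subscription and Azure geography, so pick the target accordingly.

```powershell
# Added example: replicate secrets between vaults with Backup-/Restore-AzKeyVaultSecret.
# Assumes Az.KeyVault and an identity with backup on the source and restore+list on the target.
function Copy-KeyVaultSecrets {
    param(
        [Parameter(Mandatory)][string]$SourceVault,
        [Parameter(Mandatory)][string]$TargetVault,
        # Scratch directory for the encrypted backup blobs; removed at the end.
        [string]$WorkDir = (Join-Path ([IO.Path]::GetTempPath()) "kvcopy-$([guid]::NewGuid())")
    )
    New-Item -ItemType Directory -Path $WorkDir | Out-Null
    try {
        # Restore refuses to overwrite, so learn up front which names already exist.
        $existing = @(Get-AzKeyVaultSecret -VaultName $TargetVault | Select-Object -ExpandProperty Name)

        $report = foreach ($s in Get-AzKeyVaultSecret -VaultName $SourceVault) {
            if ($existing -contains $s.Name) {
                [pscustomobject]@{ Name = $s.Name; Result = 'skipped: exists in target' }
                continue
            }
            $blob = Join-Path $WorkDir "$($s.Name).blob"
            try {
                # The blob carries every version plus attributes and tags of the secret.
                Backup-AzKeyVaultSecret -VaultName $SourceVault -Name $s.Name -OutputFile $blob | Out-Null
                Restore-AzKeyVaultSecret -VaultName $TargetVault -InputFile $blob | Out-Null
                [pscustomobject]@{ Name = $s.Name; Result = 'restored' }
            } catch {
                [pscustomobject]@{ Name = $s.Name; Result = "failed: $($_.Exception.Message)" }
            }
        }
        return $report
    } finally {
        # The blobs are encrypted by the service, but they are still restorable material.
        Remove-Item -Recurse -Force -Path $WorkDir -ErrorAction SilentlyContinue
    }
}

Copy-KeyVaultSecrets -SourceVault 'kv-primary' -TargetVault 'kv-secondary' | Format-Table -AutoSize
```

A skipped secret is the case the post wants solved: today the only options are deleting (and, with soft delete, purging) the target secret before restoring, or writing the current value with `Set-AzKeyVaultSecret`, which creates a new version but does not carry over the source's history or attributes.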
  13. Allow Azure services and resources to access this key vault

    It should be possible to select "Allow Azure services and resources to access this key vault" in Networking.

    As of today, you can only select:
    Option 1) ”Allow trusted Microsoft services to bypass this firewall”
    Option 2) "IPv4 address"
    Option 3) "Virtual networks"

    A scenario is, you have a “Azure WebApp”, and Identity is set to off.
    Then the WebApp is not a “trusted Microsoft services”, therefore option 1 is not useable.

    Option 2, the IP address solution, is not useable when you have many WebApps, and many key vaults, in our case we should then manually handle over 1000…

    2 votes
    1 comment  ·  Other
  14. Add Notes Field

    Our team was evaluating AKV to replace KeePass as a department credential storage medium, one of the most useful features missing is the ability to add notes or comments to a credential. Context is for Kings, sometimes a credential needs descriptions or even instructions, pairing those with the credential is valuable.

    3 votes
    2 comments  ·  Other
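
The closest thing the service offers today, as an added example (not code from the post): the `ContentType` attribute and tags carry free-text context alongside a secret. Names are hypothetical.

```powershell
# Added example: descriptive metadata on a secret via ContentType, tags and an expiry.
# Assumes Az.KeyVault and 'set'/'get' secret permissions on the vault.
$vaultName = 'kv-example'      # hypothetical
$name      = 'svc-reporting-db'

$value = Read-Host -AsSecureString -Prompt 'Secret value'

Set-AzKeyVaultSecret -VaultName $vaultName -Name $name -SecretValue $value `
    -ContentType 'sql-login' `
    -Expires (Get-Date).AddMonths(3) `
    -Tag @{
        owner   = 'reporting-team'
        usage   = 'Read-only login for the nightly report job; rotate quarterly'
        runbook = 'https://wiki.example.invalid/runbooks/reporting-db'   # hypothetical URL
    } | Out-Null

# Metadata comes back with the secret object (and with list operations), the value does not.
Get-AzKeyVaultSecret -VaultName $vaultName -Name $name |
    Select-Object Name, ContentType, Enabled, Expires, Tags
```

Tags and `ContentType` are returned to anyone holding `list` on the vault, while the value needs `get`, so the notes must never contain anything secret themselves (no partial passwords, no "same as the prod one" hints).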
  15. include functions as a trusted service in key vault firewall exceptions

    Include functions as a trusted service in key vault firewall exceptions. Why wouldn't you include all Azure services - unless we don't trust Azure PaaS anymore? ;-)

    21 votes
    0 comments  ·  Other

    Thanks for the valid suggestion. Your feedback is now open for the user community to up-vote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.
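
The firewall configuration that ideas 10, 13 and 15 above are all working around, as an added example (not code from any of the posts): default deny, the "trusted Microsoft services" bypass, and the two exception types that do not require maintaining lists of Azure public IPs. Names are hypothetical; the address range is the 203.0.113.0/24 documentation block.

```powershell
# Added example: lock down a vault's network access and audit the result.
# Assumes Az.KeyVault and Az.Network and a subnet that already has the
# Microsoft.KeyVault service endpoint enabled.
$vaultName = 'kv-example'    # hypothetical
$rgName    = 'rg-example'    # hypothetical

# Deny by default. Bypass=AzureServices is the "Allow trusted Microsoft services" box: it
# admits only the services on the documented trusted list, so any other caller, even one
# running in Azure, still hits the firewall.
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $rgName `
    -DefaultAction Deny -Bypass AzureServices

# Exception 1: a subnet with the Microsoft.KeyVault service endpoint. Put the caller in it
# (a Hybrid Runbook Worker VM for Automation, a VNet-integrated Function or Web App) and
# no public IP list is needed at all.
$subnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name 'vnet-example' |
    Get-AzVirtualNetworkSubnetConfig -Name 'snet-workers'
Add-AzKeyVaultNetworkRule -VaultName $vaultName -ResourceGroupName $rgName `
    -VirtualNetworkResourceId $subnet.Id

# Exception 2: a fixed egress range you control (an outbound NAT gateway, an on-prem proxy).
Add-AzKeyVaultNetworkRule -VaultName $vaultName -ResourceGroupName $rgName `
    -IpAddressRange '203.0.113.0/24'

# Audit: a vault with DefaultAction=Allow, or with a catch-all IP rule, has no firewall.
function Get-KeyVaultFirewallSummary {
    param([Parameter(Mandatory)][string]$Name)
    $acl = (Get-AzKeyVault -VaultName $Name).NetworkAcls
    $ipRules = @($acl.IpAddressRanges)
    [pscustomobject]@{
        Vault         = $Name
        DefaultAction = $acl.DefaultAction
        Bypass        = $acl.Bypass
        IpRules       = $ipRules
        SubnetRules   = @($acl.VirtualNetworkResourceIds)
        EffectivelyOpen = ($acl.DefaultAction -eq 'Allow') -or ($ipRules -contains '0.0.0.0/0')
    }
}

Get-KeyVaultFirewallSummary -Name $vaultName
```

The firewall is a network control only: a Web App with its identity turned off (idea 13) still has nothing to authenticate with, and opening the firewall to it would not change that. The identity and the access policy stay separate from the network rules.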

  16. Allow Keyvault purge when 'purge protection' is enabled

    Purge protection is a required setting for our InfoSec team. Unfortunately we cannot move a keyvault from one region to another one, and we cannot completely get it purged (https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete / https://docs.microsoft.com/en-us/rest/api/keyvault/vaults/purgedeleted).
    There should be a mechanism/procedure to force a keyvault purge (even by raising an INC to MS)

    13 votes
    1 comment  ·  Other
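
The recover/purge workflow that idea 2 above asks to have in the portal, together with the purge-protection check that this idea runs into, as an added example (not code from either post). Vault, resource group and secret names are hypothetical.

```powershell
# Added example: soft-delete handling for secrets and whole vaults, and a purge-protection
# check before planning a vault move. Assumes Az.KeyVault; secret purge needs the 'purge'
# secret permission, vault purge needs Microsoft.KeyVault/locations/deletedVaults/purge/action.
$vaultName = 'kv-example'    # hypothetical
$rgName    = 'rg-example'    # hypothetical
$location  = 'westeurope'    # hypothetical

# --- Secret level -------------------------------------------------------------
# Soft-deleted secrets stay listable with -InRemovedState until ScheduledPurgeDate.
Get-AzKeyVaultSecret -VaultName $vaultName -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate

# Recover one, with its full version history intact.
Undo-AzKeyVaultSecretRemoval -VaultName $vaultName -Name 'db-password' | Out-Null

# Purge another for good (fails if purge protection is enabled on the vault).
Remove-AzKeyVaultSecret -VaultName $vaultName -Name 'old-api-key' -InRemovedState -Force

# --- Vault level --------------------------------------------------------------
Get-AzKeyVault -InRemovedState |
    Select-Object VaultName, Location, DeletionDate, ScheduledPurgeDate

# A deleted vault can be recovered into its original resource group...
Undo-AzKeyVaultRemoval -VaultName $vaultName -ResourceGroupName $rgName -Location $location | Out-Null

# ...or purged, unless purge protection is on. Purge protection cannot be switched off
# once enabled, so check it before deleting a vault whose name you intend to reuse.
function Test-KeyVaultPurgeable {
    param([Parameter(Mandatory)][string]$Name)
    $vault = Get-AzKeyVault -VaultName $Name
    if ($null -eq $vault) { throw "Vault '$Name' not found (or already deleted)" }
    return -not [bool]$vault.EnablePurgeProtection
}

if (Test-KeyVaultPurgeable -Name $vaultName) {
    Remove-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Force
    Remove-AzKeyVault -VaultName $vaultName -Location $location -InRemovedState -Force
} else {
    $v = Get-AzKeyVault -VaultName $vaultName
    Write-Warning ("'{0}' has purge protection: after deletion it is retained for {1} days " +
        "and its name cannot be reused until then.") -f $vaultName, $v.SoftDeleteRetentionInDays
}
```

For a region move of a purge-protected vault the practical sequence is therefore: create the new vault under a new name, back up and restore the contents, and let the old vault age out after deletion rather than expecting a purge.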
  17. API for create new version of key instead of using the same create key command to create key

    The command to create a new version of a key is the same command as create key. It has been tested that the same key name entered with different cases, e.g. apple, APPLE, APPle, does create a new version using the new key command.

    Can the command for new key and new version be separated for API calling? The new key command should check for an existing key before creation, and create new version should be for creating a new version of the key.

    1 vote
    0 comments  ·  Other
  18. Missing "import" key operation

    Hello everyone,

    I am trying to use BYOK for HSM, following the steps in the article: https://docs.microsoft.com/en-us/azure/key-vault/hsm-protected-keys-vendor-agnostic-byok

    But I can't find the "import" key operation as mentioned, even using powershell.

    any help?

    1 vote
    0 comments  ·  Other
  19. Allow more than 24 characters for key vault name length

    Please allow more than 24 characters for key vault name length. Using a standard naming convention across Azure resources that includes the resource type, region, and landscape doesn't leave many characters for the key vault name. Web Apps also utilize globally unique DNS names and support up to 60 characters. Supporting up to 60 character names would make it easier for us to use our standardized naming convention.

    167 votes
    11 comments  ·  Other
  20. BYOK: Enable HSM and Key Vault traceability

    When using the BYOK procedure, after uploading your HSM-generated key to the Key Vault there is zero traceability to confirm that what was uploaded in the cloud is actually what you have originally generated with your nCipher HSM.
    The solution is very simple - nCipher HSMs already generate hashes for the generated keys in the security world metadata, AKV should store / display the hash after successful upload so you can verify your keys at any time.

    Otherwise the following attack scenario is possible (if unlikely):

    Prerequisites:
    * Knowledge of the attack target's subscription ID (not particularly confidential information at…

    1 vote
    0 comments  ·  Other
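
The Key Vault side of a vendor-agnostic BYOK transfer (the `import` key operation that idea 18 above could not find is the one on the Key Exchange Key), followed by the verification this idea asks for, as an added example (not code from either post). The private half never leaves the HSM, but the public half of the imported key is readable, so its fingerprint can be compared with the public key exported from the on-premises HSM. Names are hypothetical: a Premium vault `kv-hsm-example`, a transfer blob `target-key.byok` produced by the vendor tool, and `hsm-pub.pem` holding the public key of the HSM-generated key in SubjectPublicKeyInfo PEM form.

```powershell
# Added example: BYOK import and public-key fingerprint check.
# Assumes Az.KeyVault against a Premium vault; works in Windows PowerShell 5.1 and PowerShell 7.
$vaultName = 'kv-hsm-example'    # hypothetical

# 1. Key Exchange Key: RSA-HSM, with 'import' as its only permitted operation, so it can
#    never be used for anything but unwrapping transfer blobs.
Add-AzKeyVaultKey -VaultName $vaultName -Name 'kek-byok' -Destination HSM -Size 4096 -KeyOps import | Out-Null

# The vendor tool needs the KEK's public key; -OutFile writes it as PEM.
Get-AzKeyVaultKey -VaultName $vaultName -Name 'kek-byok' -OutFile 'kek-byok.pem' | Out-Null
# ... run the vendor's tool offline with kek-byok.pem to produce target-key.byok ...

# 2. Import the transfer blob; the target key is unwrapped inside the service HSM.
$imported = Add-AzKeyVaultKey -VaultName $vaultName -Name 'target-key' `
    -KeyFilePath 'target-key.byok' -Destination HSM

# 3. Traceability: SHA-256 over the DER SubjectPublicKeyInfo of both public keys.
function Get-PublicKeyFingerprint {
    param([Parameter(Mandatory)][string]$PemPath)
    $pem = Get-Content -Path $PemPath -Raw
    if ($pem -notmatch '-----BEGIN PUBLIC KEY-----') {
        # Both sides must use the same encoding for the hashes to be comparable;
        # convert other forms first, e.g. openssl rsa -pubin -in X -pubout -out X.spki.pem
        throw "$PemPath is not a SubjectPublicKeyInfo PEM ('BEGIN PUBLIC KEY')"
    }
    $b64 = $pem -replace '-----BEGIN PUBLIC KEY-----|-----END PUBLIC KEY-----|\s', ''
    $der = [Convert]::FromBase64String($b64)
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($der)
    return ([BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
}

Get-AzKeyVaultKey -VaultName $vaultName -Name 'target-key' -OutFile 'target-key-from-akv.pem' | Out-Null
$onPrem = Get-PublicKeyFingerprint -PemPath 'hsm-pub.pem'
$cloud  = Get-PublicKeyFingerprint -PemPath 'target-key-from-akv.pem'

if ($onPrem -ne $cloud) {
    throw "Public key mismatch: HSM $onPrem vs Key Vault $cloud; do not use $($imported.Id)"
}
"Imported key $($imported.Id) matches the HSM-generated key (sha256:$cloud)"
```

Record the fingerprint with the key's metadata (a tag on the key is enough) so that later audits can repeat the comparison without the original `.byok` file. A matching public key rules out the substituted-key scenario the post describes; it does not prove anything about where the private half is stored, which is what the HSM attestation in the vendor's transfer package is for.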