Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on, so be sure to vote or submit your ideas! Remember, this site is for feature suggestions and ideas. For technical questions please try the documentation, the MSDN Forum or Stack Overflow.

  1. Use Key Vault Certificates Officer (Not Key Vault Secrets Officer) for App Service PFX Import

    In order to allow an App Service to import a PFX from a Key Vault which is under the preview RBAC roles, you have to grant the Microsoft Azure WebSites application the Key Vault Secrets Officer RBAC role.

    This is misleading. The certificate in question is in the certificates "folder" of the Key Vault, not the "secrets" folder.

    It would seem more appropriate to grant the application the Key Vault Certificates Officer RBAC role.

    3 votes · 0 comments · Certificates
  2. List of secrets can be larger than 9 entries

    In the Azure portal, the list of secrets is by default capped to 9 entries. If you want to see more, you can press 'Load more'.
    There is room for much more than 9, so it would be good to make it work the same way as other lists in the Azure portal.

    1 vote · 0 comments · Other
  3. Keyvault secret expiry should accept an ISO 8601 timestamp

    The built-in utcNow and dateTimeAdd functions currently can only format to date/time strings using .NET format strings, so they can't output seconds since the epoch. This is a problem because the Key Vault secret expiry only accepts seconds since the epoch (https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets), so there's no way to set this value from a template.

    The Key Vault resource provider should be updated to accept the ISO 8601 timestamp that dateTimeAdd uses (the output of utcNow('u')). The resource provider could convert the property to an int to keep the api backwards compatible either by allowing 'exp' to be a string or…

    1 vote · 0 comments · Managing application secrets
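Added example, not part of the post above and not a Microsoft template or SDK: the conversion the poster is asking the resource provider to do, done outside the template in Python, plus the check a practitioner would run once expiries are set. `iso8601_to_epoch` accepts the string `utcNow('u')` emits (`2021-03-04 12:34:56Z`) and the ISO 8601 string `dateTimeAdd()` returns, and yields the integer that `attributes.exp` of a `Microsoft.KeyVault/vaults/secrets` resource expects; the value can then be passed into the deployment as a parameter. `audit_secret_expiry` walks records shaped like the Key Vault REST secret listing (`id` plus `attributes.exp`) and flags secrets that have no expiry, are expired, or expire within a window. The vault name, secret names and timestamps are constructed.

```python
"""Added example: Key Vault secret expiry (`attributes.exp`) is epoch seconds,
while ARM's utcNow('u') and dateTimeAdd() yield date/time strings. The vault
and secret names below are constructed for illustration."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

DAY = 86400


def iso8601_to_epoch(ts: str) -> int:
    """Parse utcNow('u') output ('2021-03-04 12:34:56Z') or the ISO 8601 form
    dateTimeAdd() returns ('2021-06-02T12:34:56Z', optionally with an offset)
    into the integer seconds-since-epoch value Key Vault expects."""
    s = ts.strip()
    if s.endswith("Z"):                 # fromisoformat() before 3.11 rejects 'Z'
        s = s[:-1] + "+00:00"
    s = s.replace(" ", "T", 1)          # utcNow('u') separates date and time with a space
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:               # no offset given: treat as UTC, never local time
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def secret_attributes(created: str, lifetime_days: int) -> Dict[str, object]:
    """Build the `attributes` object for a Microsoft.KeyVault/vaults/secrets
    resource: enabled, not-before = creation time, exp = creation + lifetime."""
    nbf = iso8601_to_epoch(created)
    return {"enabled": True, "nbf": nbf, "exp": nbf + lifetime_days * DAY}


def audit_secret_expiry(secrets: List[Dict], now_epoch: int,
                        warn_days: int = 30) -> List[Tuple[str, str]]:
    """Flag secrets (records shaped like the Key Vault REST secret listing)
    that have no expiry, are already expired, or expire within warn_days.
    Returns (secret id, finding) pairs in input order."""
    horizon = now_epoch + warn_days * DAY
    findings: List[Tuple[str, str]] = []
    for s in secrets:
        exp: Optional[int] = s.get("attributes", {}).get("exp")
        if exp is None:
            findings.append((s["id"], "no-expiry"))
        elif exp <= now_epoch:
            findings.append((s["id"], "expired"))
        elif exp <= horizon:
            findings.append((s["id"], "expires-soon"))
    return findings


if __name__ == "__main__":
    created = "2021-03-04 12:34:56Z"      # what utcNow('u') would emit (constructed)
    print(secret_attributes(created, 90))
    now = iso8601_to_epoch(created)
    sample = [   # constructed records, not real vault data
        {"id": "https://contoso-kv.vault.azure.net/secrets/db-conn",
         "attributes": {"enabled": True, "exp": now + 10 * DAY}},
        {"id": "https://contoso-kv.vault.azure.net/secrets/api-key",
         "attributes": {"enabled": True}},
    ]
    print(audit_secret_expiry(sample, now))
```

Strings without an offset are deliberately treated as UTC rather than local time, because a template deployed from a machine in another time zone would otherwise shift every expiry by hours.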
  4. 1 vote · 0 comments · Other
  5. 1 vote · 0 comments · Other
  6. KeyVault should interface with an organization's private CA

    For: organizations that have a private certificate authority.
    Goal: avoid certificates in email and manual uploads.
    New feature: configure a private CA endpoint in Key Vault, then have Key Vault generate a CSR, have it signed by the connected private CA, and store the result back in Key Vault.

    2 votes · 0 comments · Certificates
  7. Setting minimum TLS version

    Key Vaults should let users determine the minimum TLS version to use. This is in line with many other Azure services (e.g. Web Apps, Functions, SQL), increases security and is more future-proof (TLS 1.0 and 1.1 are quite old).

    6 votes · 0 comments · Other
  8. Data Encryption of Key Storage Vault

    15KB of storage or lockers for Azure Defender in which to put the encryption coded keys that can be purged from storage using the Biometric information or feedback information to retrieve data.

    1 vote · 0 comments · Encryption at rest
  9. Full PKI infrastructure in KeyVault for Users/computer certificate

    It would be nice to have real PKI management in Key Vault. For cloud environments it's something that is missing.
    It would be a plus if it could interact with Intune for users' certificates.
    Like a PaaS PKI.

    4 votes · 0 comments · Certificates
  10. Within documentation or in the product overview pages include a list of other Azure services that are dependencies for Key Vault

    When large organizations adopt cloud services they may evaluate the cloud service in depth, along with all other cloud services that must or may be adopted as dependencies of the primary service being planned for use. An example is that when adopting Azure Key Vault a customer will be required to adopt Azure Active Directory if not already adopted, and therefore adopting Key Vault will necessitate an in-depth security assessment of Azure AD in addition to Key Vault.

    Currently Microsoft does not list dependencies of any kind on the product web pages of all the many Azure services. This obliges…

    1 vote · 0 comments · Other
  11. Key Vault performance issue breaks Azure Functions

    When retrieving the Azure Functions host key, the service sometimes returns a GatewayTimeout error.

    The Azure Web App support team analyzed the issue and identified a Key Vault performance issue as the root cause.

    "More specific, the related KeyVault API call took longer than expected. As a result of this issue, the related function site failed to be started properly so “ListKey” threw out “Timeout” exception [...]"

    Please vote for implementing "Key Vault Reference Perf Improvements".

    6 votes · 0 comments · Other
  12. HMAC signing

    As an application developer, I have had a number of situations where HMAC signing has been a key part of application security, such as:

    • Signing "local" session tokens (JWT, cookies, etc.)
    • Third-party integrations (API authentication)
    • Integrity of data at rest

    In many of these scenarios, ECC signing is either too heavy or not possible due to third-party dependencies. For scenarios where the same Key Vault can do the signing and verification, it would be ideal for us to be able to either generate or import a symmetric key in Key Vault for use with HMAC.

    This would allow us to…

    1 vote · 0 comments · Other
  13. Remove option to toggle IP config from dynamic to static

    As per documentation: "When creating a private endpoint, a read-only network interface is also created for the lifecycle of the resource. The interface is assigned dynamically private IP addresses from the subnet that maps to the private link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint."
    However, now the system lets you go into the NIC, go into the IP config and toggle the IP settings from dynamic to static. This is not allowed by the system and results in an error when saving. Please remove this option from here…

    1 vote · 0 comments · Other
  14. Showing Azure Key Vault Regional Replication

    Presently in Azure portal, you cannot see the information regarding the regional replication or the location. As of now, it is not possible to view the data that are replicated to the secondary region.

    This information is needed for SOC audits and would be helpful to have in the Portal.

    1 vote · 0 comments · Certificates
  15. Fix your DigiCert Automation Integration

    Fix your DigiCert integration. They've changed their SSL products and it's impossible to use KV to order Basic Wildcard SSL (OV-Basic). Your API will not support any of their new product keywords. I literally spent two days figuring this out on my own. If you are going to tout integrated CAs and automation then make sure it works!

    2 votes · 1 comment · Certificates
  16. Allow write operations to a failed over Key Vault instance

    The documentation states that when a regional disaster happens, Azure Key Vault instances are failed over to a paired region as read-only

    https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance

    While I understand that regional disasters are very unlikely, the odds of having to modify secrets such as connection strings after a regional disaster can be high.

    Being able to update a Key Vault after a disaster would increase the chances of meeting the business's RTO.

    1 vote · 0 comments · Managing application secrets
  17. Private CA (Certificate Authority) certificate issuing capability

    Provide native Private CA (Certificate Authority) capability in Azure so that private certificates can be issued.

    AWS has this feature, why not Azure?
    https://aws.amazon.com/certificate-manager/private-certificate-authority/

    13 votes · 1 comment · Certificates
  18. Multi-Region Key Vault

    Currently, Key Vault only supports one single region via a collocation constraint, but there are use cases in which having a multi-region Key Vault is necessary, such as Encryption Scope.

    What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one.

    1 vote · 0 comments · Other
  19. enable support for LetsEncrypt with enrolment and renewal

    Currently, Azure Key Vault can request and manage the life cycle of Digicert certificates (at a rather high cost). Can similar functionality be implemented for Let's Encrypt?

    3 votes · 0 comments · Certificates
  20. Is there a way to programmatically create a key vault?

    I need to be able to programmatically create a key vault in code, in C#. But I don't see any documentation that will allow me to do that except for az.

    1 vote · 0 comments · Other