Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow backup and restore of individual key/secret versions

    Allow backup and restore of individual key versions or allow auto Sync of the key versions between a pair of key vaults in region pairs. the backup and restore of key versions should work with purge protection enabled.

    Below is the use case for this feature:
    1. customer managed key (BYOK) for TDE for Azure SQL Server Databases and Azure Managed Instance Databases can be enabled with an Azure Key Vault Key only.
    2. Azure key vault is highly available between region pairs with automatic failover. But the failover could take up to 20 min as per the azure documentation. …

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  2. Keyvault secret expiry should accept an ISO 8601 timestamp

    The built in utcNow and dateTimeAdd functions currently can only format to date/time strings using dotnet format strings so can't output seconds since the epoch. This is a problem because the KeyVault secret expiry only accepts seconds since the epoch (https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets) so there's no way to set this value from a template.

    The Key Vault resource provider should be updated to accept the ISO 8601 timestamp that dateTimeAdd uses (the output of utcNow('u')). The resource provider could convert the property to an int to keep the api backwards compatible either by allowing 'exp' to be a string or…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow write operations to a failed over Key Vault instance

    The documentation states that when a regional disaster happens, Azure Key Vault instances are failed over to a paired region as read-only

    https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance

    While I understand that regional disasters are very unlikely, the odds of having to modify secrets such as connections strings after a regional disaster can be high.

    Being able to update a Key Vault after a disaster would increases the changes of meeting business' RTO.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  4. Setting the Secret expiration date in UTC date format instead of in seconds

    It would be nice to have the ability to specify the secret expiration date in UTC format instead of in seconds since 1970. I known we can set in the UTC format using powershell but it would be nice to have this option in the ARM template as well.

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  5. Add ability to store any arbitrary string in Key Vault

    At the moment you can only add certificates, but there are many instances you may want to setup arbitrary pieces of 'secret' text like a password, connection string or other configuration information that can be retrieved securely from somewhere.

    I would like to suggest this ability is added to Key Vault (I believe AWS has something similar called AWS Parameter Store)

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  6. Add namespaces to key name

    We are planning to use Azure key vault to maintain DB passwords used by microservices. As per standards, in Java Spring, the property name for DB password is "spring.datasource.password". We can store only one value with key corresponding to "spring.datasource.password" in an Azure vault. There might be 100s of microservices and maintaining each microservice with a key vault will be difficult.
    Here's the issue from our customer: https://github.com/microsoft/azure-spring-boot/issues/763

    Hashicorp vault solves this issue with namespaces: https://learn.hashicorp.com/vault/operations/namespaces

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  7. Not require "Key Vault contributor" role for devops app user

    For Azure Devops to access a Key Vault during deployment there is a process to create a custom role and assign it to key vault: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-powershell#grant-access-to-the-secrets

    We discovered that is is also necessary to have Azure Key Vault Contributor role as well to the devops app-user, which gives it more permissions than required. This has been verified with MS support.

    Please change so that deployment user only needs a read-only role to access the Vault during deployment.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  8. Support requesting for multiple secret values in the same API call

    We request various secret values while initializing our service. The way we do it now is that we issue separate HTTP requests for each using the .NET SDK (GetSecretAsync). Ideally we should be able to request for multiple secrets using the same request.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  9. generate random password api

    I want to call an AKV API to generate a random password so that I could use that to update the applications credentials and then call the API to set the current secret value to that new password.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  10. Restore from another subscription

    Limitation - This provided key/secret/certificate backup file was from another subscription. Backups can only be restored into the same subscription.

    This is required for customer controlled backup/restore control of TDE keys across subscriptions as there is no alternative way to migrate. This limits HA design for certain resources to be contained within a single subscription.

    Allow feature via a flag or whitelist of subscriptions.

    19 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  11. KeyVaultErrorException Error validating token: IDX10223 after changing timezone on laptop

    KeyVaultErrorException Error validating token: IDX10223 after changing timezone on laptop

    Fix exception after changing timezone on laptop. Or warn developers not to change timezones on business trip.

    Went on business trip where I changed the timezone.
    Everything worked fine.
    Returned home and restored timezone.
    .Net Core application stops working due to exception.

    Microsoft.Azure.KeyVault.Models.KeyVaultErrorException Error validating token: IDX10223
    HResult=0x80131500
    Message=Error validating token: IDX10223
    Source=Microsoft.Azure.KeyVault

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  12. Allow creation of "living" secrets that are linked to a resource and always returns an active key

    As an alternative to rotating keys, it would be cool if you could create a key vault secret that was linked to a resource such as blob storage or cosmos db that uses keys for authentication, so that when you call the GET operation on that secret it can proxy the request to that resource's listkeys operation and automatically choose one. In this way, it would guarantee that any time you reach out to key vault for that secret, you would be sure to get an active key. For this to work, I expect Azure would need to associate a…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  13. Ability to reference a secret without having to specify the secret version explicitly

    Hi! Currently the only way to specify a KeyVault reference is to specify the version as well. Could this perhaps be changed to be able to reference a particular version by default (perhaps the newest one). This would really help in the case that a secret needs to be updated and a particular version is no longer valid. Currently I have to go back and change my secret, fetch the new secret version and update all the references accordingly. This gets really tedious when you have a lot of secrets to keep track of.

    To make this clear:

    Currently my…

    11 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add the Secret version GUID in the diagnostic logging output when a secret is created (SecretSet)

    The diagnostic logging output for Key Vaults do not include the version GUID when new secret or new version of an existing secret is created (SecretSet operation).

    Current data in properties_id field:

    https://<KeyVaultName>.vault.azure.net/secrets/test1234

    Requested data in properties_id field:

    https://<KeyVaultName>.vault.azure.net/secrets/test1234/38b6d47049704298affe8d0b1d3f47fb

    We would like to use this functionality to correlate diagnostic log outputs for SecretUpdate operations to SecretSet operations without requiring access to the Key Vault objects themselves, we use this data for tracing security events.

    The above method of including the version guid in the properties_id field is already used in a similar way when creating key versions (KeyCreate),…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  15. Auto Rotate Secrets on connected Resources

    Microsoft docs highly recommends the keys/secrets/certificates to be rotated on regular interval for better security posture.

    The rotation is only possible by writing powershell code and dont have luxury to write and maintain for every resource.

    It would be great to have a feature in Key Vault to do that for us when a resource is connected. Resource could be PaaS SQL, Storage account, Azure Ad APP etc.

    KeyVault talks about writing powershell code to recycle keys on storage account.
    https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring

    12 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  16. The Key vault should not allow it to be deleted

    The Key vault should not allow it to be deleted, as long as it has associations with other resources. In Azure the vast majority of resources have this restriction, for a resource as important as the Key Vault should also have this validation before allowing its elimination.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  17. Secure export options and access to KeyVault secrets from login screens

    Would be great to have following options in Key Vault – structured security permissions for all cryptographic resources. Possibility to deliver KeyVault secrets to users in secure way – direct export to encrypted archive + password, without use of system clipboard. One more option – direct access to KeyVault secret from mstsc or Windows Hello login screen, without copying of the sensitive information via system clipboard. Together with MFA security option KeyVault secret assigned to appropriate user can work as primary or backup login option.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  18. Provide the ability to insert multiple secrets via JSON dictionary or similar method via command line

    Today, secrets are able to be added manually and via file, which from my knowledge only accepts one key value pair for the secret. It would be nice to have the ability to insert multiple secrets at once.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  19. I facing issue while settng / getting secret keys using Key Voult API. I am getting 501 response from these API's

    I facing issue while settng / getting secret keys using Key Voult API. I am getting 501 response from these API's

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  20. Don't show Key Vault secrete values in the Azure Portal

    Today when secrets are added to Key Vault, the value of secret is visible in Azure Portal (initially secrets are masked out, but clicking on secret allows to see its value secret).

    There should be an option NOT to see secret's value once it’s added to the vault.

    This way if Azure Portal is compromised, secretes are still secure.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base