Each AKV is has redundancy as a region pair. ie, West and North Europe. If both these regions are down then any applications using this are down. My case is SQL server TDE.
Add a way to copy the keys and secret to another/multiple Region pair (already exists) but with a load balancer/failover group above.
Therefore SQL will reference the failover group, which will route the request to what ever vault is working.

The default region for hosting a resource should be defaulted from the resource group, currently we have a azure subscription in southeastasia and when creating a new resource the default region is "East-US", this could inadvertently lead to errors. Ideally the resource's region should default from the resource group

As of today, all the access roles applicable for Subscription get applied to Resource Group and Key Vault level. What if i don't want at any cost to have my secrets stored in Azure Key Vault to be revealed to anyone else in group

In azure portal, the list of secrets is by default capped to 9 entries. If you want to see more, you can press 'Load more'.
There is room for much more than 9, so it would be good to make it the same as other lists in the azure portal are working

Add the possibility to use EC keys also for key derivation like in this example: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.ecdiffiehellmancng?view=dotnet-plat-ext-5.0#examples

It seems that other Cloud HSM are able to do this: https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-mechanisms.html#pkcs11-mech-annotations-5

Log analytic

KeyVaults should let users determine the minimum TLS version to use. This is inline with many other azure services (ex. Web Apps, Functions, SQL), increases security and is more future proof (TLS 1.0 and 1.1 is quite old).

When retrieving the Azure Functions host key, the service sometimes returns a GatewayTimeout error.

The Azure Web App support team analyzed the issue and identified a Key Vault performance issue as the root cause.

"More specific, the related KeyVault API call took longer than expected. As a result of this issue, the related function site failed to be started properly so “ListKey” threw out “Timeout” exception [...]"

Please vote for implementing "Key Vault Reference Perf Improvements".

Currently, Key Vault only supports one single region via collocation constraint, but there are usecases which having a multi-region Key Vault is necessary such as Encryption Scope.

What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one

I need to be able to programmatically create a key vault in code. c#. But I don't see any documentation that will allow me to do that except for az.

Even with premium, AKV is placed in the Microsoft Datacenters. That is the main reason customers don't want to have both data and keys on the same cloud or with the provider, which is Microsoft.
This is a much bigger problem in the EU.

Why can't Microsoft create AKV as a device which customers can buy and put in their own data center? Add it as a registered device in Azure subscription, and then it provides the same interface and API.

This link describes configuring Key Vault managed storage accounts with PowerShell.
https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell

If we could do the same in an ARM template, it would reduce deployment complexity and allow us to leverage the functionality in air-gapped environments.

When you are creating a new Event Subscription you should be able to choose Logic App as a possible option for the Event Handler / Endpoint Type.

Per https://github.com/MicrosoftDocs/azure-docs/issues/49362 - currently az cli does not allow setting compond identity access to a keyvault.

At present "Microsoft.KeyVault/vaults/accessPolicies/write" is insufficient to block or enable user for modifying the access policy of the key vault.

To block or enable access policy you have to add "Microsoft.KeyVault/vaults/write" as well. This means that we cannot properly apply least privilege to users who we just want to block or allow to modify access policies only.