Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. Setting minimum TLS version

    KeyVaults should let users determine the minimum TLS version to use. This is inline with many other azure services (ex. Web Apps, Functions, SQL), increases security and is more future proof (TLS 1.0 and 1.1 is quite old).

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Within documentation or in the product overview pages include a list of other Azure services that are dependencies for Key Vault

    When large organizations adopt cloud services they may evaluate the cloud service in depth, along with all other cloud services that must or may be adopted as dependencies of the primary service being planned for use. An example is that when adopting Azure Key Vault a customer will be required to adopt Azure Active Directory if not already adopted, and therefore adopting Key Vault will necessitate an in-depth security assessment of Azure AD in addition to Key Vault.

    Currently Microsoft does not list dependencies of any kind on the product web pages of all the many Azure services. This obliges…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Key Vault performance issue breaks Azure Functions

    When retrieving the Azure Functions host key, the service sometimes returns a GatewayTimeout error.

    The Azure Web App support team analyzed the issue and identified a Key Vault performance issue as the root cause.

    "More specific, the related KeyVault API call took longer than expected. As a result of this issue, the related function site failed to be started properly so “ListKey” threw out “Timeout” exception [...]"

    Please vote for implementing "Key Vault Reference Perf Improvements".

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. HMAC signing

    As an application developer, I have had a number of situations where HMAC signing has been a key part of application security, such as:


    • Signing “local” session tokens (JWT, cookies, etc)

    • Third-party integrations (API authentication)

    • Integrity of data at rest

    In many of these scenarios, ECC signing is either too heavy or not possible due to third-party dependencies. For scenarios where the same Key Vault can do the signing and verification, it would be ideal for us to be able to either generate or import a symmetric key in Key Vault for use with HMAC.

    This would allow us to…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  7. Remove option to toggle IP config from dynamic to static

    As per documentation: "When creating a private endpoint, a read-only network interface is also created for the lifecycle of the resource. The interface is assigned dynamically private IP addresses from the subnet that maps to the private link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint."
    However now the system lets you go into the NIC, go into the IP cofig and toggle the IP settings from dynamic to static. This is not allowed by the system and results in an error when saving. Please remove this option from here…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. Multi-Region Key Vault

    Currently, Key Vault only supports one single region via collocation constraint, but there are usecases which having a multi-region Key Vault is necessary such as Encryption Scope.

    What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  9. Is there a way to programatically create a key vault?

    I need to be able to programmatically create a key vault in code. c#. But I don't see any documentation that will allow me to do that except for az.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. On Prem AKV

    Even with premium, AKV is placed in the Microsoft Datacenters. That is the main reason customers don't want to have both data and keys on the same cloud or with the provider, which is Microsoft.
    This is a much bigger problem in the EU.

    Why can't Microsoft create AKV as a device which customers can buy and put in their own data center? Add it as a registered device in Azure subscription, and then it provides the same interface and API.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. Configure key vault managed storage accounts via ARM template

    This link describes configuring Key Vault managed storage accounts with PowerShell.
    https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell

    If we could do the same in an ARM template, it would reduce deployment complexity and allow us to leverage the functionality in air-gapped environments.

    16 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Offer Logic App as a choice in the Event Endpoint dropdown

    When you are creating a new Event Subscription you should be able to choose Logic App as a possible option for the Event Handler / Endpoint Type.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Enable compound identity access using az cli

    Per https://github.com/MicrosoftDocs/azure-docs/issues/49362 - currently az cli does not allow setting compond identity access to a keyvault.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  14. Allow "Microsoft.KeyVault/vaults/accessPolicies/write" permission to work without having to also assign "Microsoft.KeyVault/vaults/write"

    At present "Microsoft.KeyVault/vaults/accessPolicies/write" is insufficient to block or enable user for modifying the access policy of the key vault.

    To block or enable access policy you have to add "Microsoft.KeyVault/vaults/write" as well. This means that we cannot properly apply least privilege to users who we just want to block or allow to modify access policies only.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. API for create new version of key instead of using the same create key command to create key

    The command to create a new version of key is the same command as create key, It has been tested that the same key name but entered with different cases e.g. apple, APPLE, APPle does create a new version using the new key command.

    Can the command for new key and new version be separated for API calling? The new key command should checked for existing key before creation and create a new version is for creating of new version of the key.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  16. Missing "import" key operation

    Hello everyone,

    I trying to use BYOK for HSM, following the steps on the article: https://docs.microsoft.com/en-us/azure/key-vault/hsm-protected-keys-vendor-agnostic-byok

    But I can't find the "import" key operation as mentioned, even using powershell.

    any help?

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  17. BYOK: Enable HSM and Key Vault traceability

    When using the BYOK procedure, after uploading your HSM-generated key to the Key Vault there is zero traceability to confirm that what was uploaded in the cloud is actually what you have originally generated with your nCipher HSM.
    The solution is very simple - nCipher HSMs already generate hashes for the generated keys in the security world metadata, AKV should store / display the hash after successful upload so you can verify your keys at any time.

    Otherwise the following attack scenario is possible (if unlikely):

    Prerequisites:
    * Knowledge of the attack target's subscription ID (not particularly confidential information at…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Key Vault replication & backup/restore secret update

    TLDR: I want the possibility to overwrite already existing secrets with the Restore-AzKeyVaultSecret/Key/Certificate to allow for replication in the customers control.

    According to the Key Vault documentation Azure Key Vault provides a 99.9% availability percentage and a replication to the pair region takes place to ensure customers can continue using their Key Vaults after a failover in read-only.

    However this is a situation a customer does not and can not control. This means that a customer has to wait until Microsoft declares a disaster and fails over the vaults to the pair region. I would like it if we would…

    8 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow Azure services and resources to access this key vault

    It should be possible to select "Allow Azure services and resources to access this key vault" in Networking.

    As of today, you can only select:
    Option 1) ”Allow trusted Microsoft services to bypass this firewall”
    Option 2) "IPv4 address"
    Option 3) "Virtual networks"

    A scenario is, you have a “Azure WebApp”, and Identity is set to off.
    Then the WebApp is not a “trusted Microsoft services”, therefore option 1 is not useable.

    Option 2, the IP address solution, is not useable when you have many WebApps, and many key vaults, in our case we should then manually handle over 1000…

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. Microsoft Security World Information for Key Vault

    I would like to see the security worldpackage information for the Key Vault in the Kyeey Vault information so that it is easier to deduce the package to us. This must be made available in AzPs, CLI, SDK and via the REST APIs

    Get-AzureRmKeyVault -VaultName Bxxxxxxxp

    VaultUri : https://bxxxxxxxp.vault.azure.net/
    TenantId : 0b98xxxx-xxxx-xxxx-xxxx-xxxxxxxxf102
    TenantName : 0b98xxxx-xxxx-xxxx-xxxx-xxxxxxxxf102
    Sku : Premium
    EnabledForDeployment : False
    EnabledForTemplateDeployment : False
    EnabledForDiskEncryption : False
    EnableSoftDelete :
    OriginalVault : Microsoft.Azure.Management.KeyVault.Models.Vault
    ResourceId : /subscriptions/2ed3xxxx-xxxx-xxxx-xxxx-xxxxxxxxf1f7/resourceGroups/Bxxxxxxxp/providers/Microsoft.KeyVault/vaults/Bxxxxxxxp
    VaultName : Bxxxxxxxp
    ResourceGroupName : Bxxxxxxxp
    Location : westeurope
    Tags : {}
    TagsTable :
    SecurityWorldRegion : Europe | France | Germany etc.

    > Name of…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4
  • Don't see your idea?

Feedback and Knowledge Base