Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  1. Allow certificate upload from Azure Storage

    Currently, the only way to upload a certificate to a Key Vault is to have the file stored locally on the computer that is doing the upload.
    Having the possibility to upload the cert from a Blob would be ideal, as that would mean our certificates could be safely hosted being encrypted Azure Storage, and retrieved with a SAS and directly uploaded to Azure Key Vault without needing to download it locally, and then upload it.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  2. Portal experience for 'On-Boarding' a Storage Account Key / SAS Rotation

    Portal experience for creating a Key Vault Managed Storage Account and/or for 'On-Boarding' a Storage Account into being managed by a given Key Vault Key

    This is possible with PowerShell and AzureCLI (as described here: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-key) but there is not portal experience for doing this.

    Originally mentioned in this Github Issue:
    https://github.com/MicrosoftDocs/azure-docs/issues/10555

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  3. Add EV Code Signing certificate support with Azure Pipeline.

    Permit EV code signing of Azure Pipeline builds from certs stored and even created in Key Vault. E.g. Key Valut/DigiCert/other integration to issue the cert.

    Then allow CI builds with no EV and EV for final builds. May need an optional 2FA approval mechanism for a final build 'job'. E.g. Authentication app prompt. But make it optional please.

    20 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  4. Microsoft should be using standards based key exchanges

    Microsoft should not be calling out a specific vendor and have them be a requirement. Instead, they should offer a standards based solution that allows the customer to use their existing HSM. Thales might not be the right choice for every enterprise.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Azure taught students how to defame my reputation and how to spend my money Edge is downloaded and running Apache My name is Lyda G Bonds

    Azure taught a wonderful team called the 403b and the 401k team and now I am being controlled by them Great Job! What happened to your ethics as a company?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. Add sanity check before disabling or deleting keys if they are in use by a storage account

    I experienced issues regarding accidental key disabling and deletion.
    There is no check if the keys are use by any storage account which leads to not being able to switch/access keys and storage errors on the vms which use those storage account also it block from deleting vms.

    If this happens on production a simple mistake could take down a whole environment by accidentally disable or delete a key which was used to encrypt os disks of the vms.

    A simple check if the key is still actively in use by a storage account which throws an "KeyStillInUseError" would prevent…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Encryption at rest  ·  Flag idea as inappropriate…  ·  Admin →
  7. Provide the ability to create multiple lines' secret(SSH private key) in azure portal

    When I generate a manual type secret, it's impossible to save the multiple lines' secret(SSH private key) value, in fact, I think the input box should take text area as an option.

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  8. Full Backup and Restore

    Currently, you can only back up each secret one at a time. I would like the ability to back all the secrets up and obviously, store them in an encrypted storage account or vault.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow more than 24 characters for key vault name length

    Please allow more than 24 characters for key vault name length. Using a standard naming convention across Azure resources that includes the resource type, region, and landscape doesn't leave many characters for the key vault name. Web Apps also utilize globally unique DNS names and support up to 60 characters. Supporting up to 60 character names would make it easier for us to use our standardized naming convention.

    113 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. Enable CORS for Key Vault

    Either allow CORS for all Key Vaults, or allow it to be set on a per-Key Vault basis.

    23 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. Support certificate revocation

    Key vault supports obtaining certificates from number of CAs and this works great.

    However, Key Vault does not currently provide interface to revoke such certificates, leaving a gap in certificate lifecycle management.

    Please extend integration between Key Vault and supported CAs to support revocation in addition to issuance.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  12. BYOK for Gemalto Luna

    How can I BYOK to Azure from Gemalto Luna SA?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Support for adding a policy for an MSI without removing all other access policies

    When I create a web app with a Managed Service Identity and want to grant it access to an EXISTING vault, the ARM template for that - even when in incremental mode - removes the other existing access policies from the vault. Only the one for the newly added MSI will be there afterwards.

    This effectively disables any scenario where you want to use an existing key vault for a new web app.

    Similar to what has been reported here:
    https://stackoverflow.com/questions/47667050/azure-keyvault-add-function-msi-via-arm

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  14. ARM Template for KeyVault to have AccessPolicies non-mandatory

    Hi,
    It would be better for idempotency and the ability to create Keyvault first, with additional incrementally run ARM templates to have AccessPolicies as non-mandatory.

    It is already possible to incrementally add AccessPolicies once you have a KeyVault, but it is not possible to create or update a Keyvault via ARM without specifying the AccessPolicies... which is a problem for update - you need to know all the existing AccessPolicies before you do the update or it will get reverted to whatever you specify.

    77 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. excellent

    know better the security of rotation of applicable keys and passwords , with HSMs

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Encryption at rest  ·  Flag idea as inappropriate…  ·  Admin →
  16. Allow self-signed certificates to have a custom-set password

    Currently, self-signed certs created in the portal do not have a way to allow passwords to be set. This causes a problem when the PFX is needed to be uploaded to other Azure services, as they require passwords. Please allow a way for a password to be set on any self-signed certificate created in the Azure Key Vault portal.

    12 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  17. Create Key Vault Keys via ARM Template

    Would be useful to have the ability to create Keys via an ARM template similar to Secrets
    https://github.com/Azure/azure-quickstart-templates/tree/master/201-key-vault-secret-create

    40 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Azure Key Vault Step 3.2 for Thales HSM security world initialization uses deprecated cipher suite

    In this document:

    https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/key-vault/key-vault-hsm-protected-keys.md

    The step 3.2 suggests you should initialize your security world with:

    new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3

    DLf1024s160mRijndael is the Thales nShield HSM legacy cipher suite, and should not be used in Production environments. The cipher suite should be DLf3072s256mRijndael so the command should be:

    new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3

    I suggest updating the step to reflect the newer cipher suite.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. Secret Names do not support special characters

    In order for our organization to fully adopt Azure Key Vault for managing passwords and secrets we need to be able to support at a minimum allowing _ (underscrores) and other special characters in the naming convention as we have hundreds of names that contain underscores in them such as accounttest, accountprd, etc..

    Reading through the documentation online I can't find any technical reason as to why special characters aren't supported but this is a show stopper at this point for us until this is added/supported.

    96 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    19 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  20. Please make soft delete a default feature

    Currently soft delete is not a default feature. It would be great if this can be made a default feature to protect against loss of a complete keyvault or objects inside (keys,secrets,certs).

    We learned about this feature only after getting hit by an accidental keyvault deletion.
    We can save others who are not aware of this feature and may run into similar scenario.

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base