Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember, this site is for feature suggestions and ideas. For technical questions, please try the documentation, MSDN Forum or Stack Overflow.

  1. Add support for storage and retrieval of password protected certificates

    Currently all password protections applied on a certificate are stripped when they are uploaded and saved into Azure Key Vault. We would like to have the option of storing both the certificate and the password via the "az keyvault certificate import/download" set of cli commands with a toggleable optional argument to choose to preserve the transmission of the private key into and out of the keyvault along with the base certificate data together.

    21 votes
    2 comments  ·  Certificates
  2. Add possibility to copy a secret value on the portal without making it visible

    When you open a particular secret tab you first need to make it visible and only then you are able to copy the value.
    Please add a button to copy the value without showing the value.

    5 votes
    2 comments  ·  Other
  3. Create a Windows Key Storage Provider (KSP) that effectively allows usage of Azure Key Vault as a virtual hardware security module (HSM)

    If Windows could use Azure Key Vault as a KSP, it would better secure the private keys of any certificates in Windows - effectively acting as a virtual hardware security module (HSM). I believe this would enable migration of workloads that require an HSM to Azure, and reduce cost for on-prem workloads that might otherwise require an HSM. It would also make it easier / more secure to set up a public key infrastructure (PKI) / certificate authority (CA) in Azure -- or even on-premises for that matter.

    36 votes
    2 comments
  4. Per-secret/key/certificate access control

    Currently it's an all or nothing model. To grant a user account or app id access to one secret, you have to grant it access to the entire vault (as far as I can tell). This eliminates the possibility of least privilege access to secrets. In this model, the only way to create security boundaries for individual secrets is to create additional key vaults, which could get out of control fast if we need one key vault per application per environment. A better model would be to have independent access controls on both the vault and the individual secrets.

    For…

    400 votes
    46 comments  ·  Managing application secrets
  5. Cert deployment - Allow regions to be different for keyvault and VM

    Today, the VM and key vault need to be in the same region. This causes a lot of pain for services that have deployments in all Azure regions. We need to copy and roll over the same cert in all regions.

    56 votes
    1 comment  ·  Certificates
  6. Azure Key Vault APIs return a 401 when the resource is https://vault.azure.net/

    The Azure Key Vault data plane API does not work when the signing resource is https://vault.azure.net/ and works fine with https://vault.azure.net . This seems to be pretty lame, as only a forward slash should not make that much of a difference.
    Other resources such as management.azure.com work pretty fine with the forward slash.

    2 votes
    1 comment
  7. Azure Key Vault, Runtime error on create Key API-REST

    I have got a bug (I think).

    First of all, the normal input like label1, works ok. So I use the API fine.

    I have tested the possible names for a key, to know what type of inputs are compatible.
    The name of key is in URL:

    POST https://{vaultBaseUrl}/keys/{key-name}/create?api-version=2016-10-01

    So I wanted to try with typical hacking inputs "'<

    I have encoded the inputs using a URL encoder, like this: %22%27%3C

    The final url is:

    POST https://{vaultBaseUrl}/keys/%22%27%3C/create?api-version=2016-10-01

    And it produces a Runtime Error and sends internal information (see attached file). I think the correct answer should be 400 Bad Request.

    2 votes
    0 comments
  8. Method for organising secrets in Key Vault (folders/sections)

    I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.

    It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.

    50 votes
    9 comments  ·  Other
  9. download a vault credential without login to Azure portal

    My coworker sometimes sets up Azure Agent Backup, though he does not have an Azure portal login account.
    So when he sets up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
    Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
    So I want to download a vault credential without logging in to the Azure portal.

    2 votes
    1 comment  ·  Other
  10. [Azure Key Vault] Microsoft.Azure.KeyVault library should provide a *default* retry policy

    The Microsoft.Azure.KeyVault library should provide a default retry policy, which considers the Key Vault SLAs and operational capabilities (e.g. failover).

    Just like the Azure Storage Client library.

    3 votes
    0 comments
  11. Key vault key upload fails because the password cannot be set

    I've seen in documentation that the key upload for the key vault has a password input for keys that are password protected. However, when I try to upload a key using the UI, this input box is not shown. Tried in Edge and Chrome, latest.

    1 vote
    0 comments
  12. Provide a search text box in keyvault to search for a key

    Currently the portal supports a way to see the key vault and the keys + secrets stored in it. However, the secrets section does not provide a search text box to search for a particular secret. The portal just lists the first 10 secrets in the vault and shows a 'Load more' button.

    If a key vault has hundreds of keys in it, getting to the desired key takes several mouse clicks in most cases. The simple ask is to provide a search text box to search for the desired key.

    I understand I can use powershell to get the secret directly. But sometimes remembering…

    127 votes
    15 comments
  13. Key Vault creation fails in CSP subscription

    Using Google Chrome version 54.0.2840.99 m (64-bit) and portal.azure.com

    When creating a new Key Vault inside a CSP subscription the following error occurs:
    see attached screenshot

    My logged in user (example.adminuserr1) is a member of the parent CSP AzureAD Tenants' (@csp.onmicrosoft.com) group "AdminAgents". I am working inside a subscription attached to a customer AzureAD Tenant (@customer.onmicrosoft.com) created through the PartnerCenter CSP Dashboard.

    I can replicate this error with other accounts in the "AdminAgents" group located in the parent CSP AzureAD Tenant (example.user2@csp.onmicrosoft.com).

    I can create the key vault with a user from the customer AzureAD Tenant (example.user@customer.onmicrosoft.com) without issues.

    2 votes
    0 comments
  14. Key Vault - Allow using AD Groups (RBAC) on Keys and Secret level

    I am an infrastructure admin, and I would like to use a single key vault where I can maintain secrets and keys and use RBAC to allow users, groups and service principals, to ensure they only have access to what they need. This would simplify my administration of this service. Perhaps adding folders/group tags to secrets within the key vault and setting permissions based on those would also be an option.

    87 votes
    9 comments
  15. keyvault service within VNET scope

    Azure Keyvault is not available within the scope of VNET. Enterprise customers who are establishing private environments need Azure Keyvault within the scope of VNET. This also enables them to create DR sites including Keyvault service.

    11 votes
    2 comments
  16. Allow a key vault access policy to be restricted to a certain key

    If a company has a single KeyVault which holds dev and production keys, as long as you access the keyvault through a valid access policy and key can be used (for the usages mentioned in the access policy).

    6 votes
    1 comment  ·  Other
  17. Add download of SSL certificates from key vault

    Provide ability to download an SSL certificate from the key vault for use in other services (e.g. Azure API Management which only accepts uploaded certs).

    3 votes
    1 comment  ·  Certificates
  18. Ensure Key Vault Access Policies publish Group name to displayname when delegated

    Currently, when delegating permissions to secrets and keys to groups, the group name is not published into the "displayname" attribute of the vault key. Only the object ID exists. Nightmare for role segregation mgmt.

    1 vote
    0 comments  ·  Other
  19. Key Vault Secret Backup / Restore Role

    You can currently back up / restore keys from Key Vault. It would be helpful to be able to provide backup / restore functionality and roles for Secrets.
    The current design assumption is that these would also be stored within an on-prem password vault or documentation or equivalent. However, operational best practice varies across companies; as such, a catch-all should allow the backup and restore of secrets as you can with KEYS.

    2 votes
    0 comments  ·  Other
  20. Provide integration to push values from Portal to KeyVault

    While there are other posts about being able to manage KeyVault content from the Portal (which is needed, in fact), there should also be integration to do direct-push to KeyVault. In particular, Storage Keys would be the first item (click on button, select existing vault or new vault, select key name or new key name.) Same should extend to SQL Azure Connection Strings, Service Bus Connection Strings, etc.

    Use the current user's AAD to set the permission just as if they were using PowerShell and had typed "Login-AzureRmAccount". They're already staring at the value (in the case of Storage Keys.)…

    1 vote
    0 comments