Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature is being worked on, so be sure to vote or submit your ideas! Remember, this site is for feature suggestions and ideas. For technical questions, please try the documentation, the MSDN Forum or Stack Overflow.

  1. Notify Users when secrets/keys are expiring

    Currently certificates management supports email notification when certificates are expiring. Wouldn't it be great to have the same functionality for keys and secrets?

    157 votes
    28 comments  ·  Other
  2. Allow more than 24 characters for key vault name length

    Please allow more than 24 characters for key vault name length. Using a standard naming convention across Azure resources that includes the resource type, region, and landscape doesn't leave many characters for the key vault name. Web Apps also utilize globally unique DNS names and support up to 60 characters. Supporting up to 60 character names would make it easier for us to use our standardized naming convention.

    100 votes
    4 comments  ·  Other
  3. Please support Let's Encrypt as a first class auto rolling cert provider in Key Vault

    It would be great to support a free SSL provider like Let's Encrypt that works with Key Vault auto roll.

    78 votes
    3 comments  ·  Other
  4. Support for TripleDES and DUKPT on KeyVault

    In the payment industry, the cryptographic keys that are used to encrypt PINs from credit/debit cards are TripleDES (sometimes with DUKPT) based. Currently, KeyVault only supports RSA keys.

    Please add support for it.

    72 votes
    17 comments  ·  Other
  5. ARM Template for KeyVault to have AccessPolicies non-mandatory

    Hi,
    For idempotency, and for the ability to create a KeyVault first and then run additional incremental ARM templates, it would be better to have AccessPolicies be non-mandatory.

    It is already possible to incrementally add AccessPolicies once you have a KeyVault, but it is not possible to create or update a KeyVault via ARM without specifying the AccessPolicies... which is a problem for updates: you need to know all the existing AccessPolicies before you do the update, or they will get reverted to whatever you specify.

    63 votes
    7 comments  ·  Other
  6. Include Azure Automation on Key Vault Firewall under "Trusted Microsoft Services"

    Currently, Azure Automation accesses Azure Key Vaults through public endpoints (Azure Data Center public IPs). As such, Automation cannot function unless a firewall exclusion is in place in the key vault settings. Unfortunately, Azure has hundreds of public IP addresses, which could change at a moment's notice. This, in effect, negates use of the Key Vault firewall altogether and requires you to allow incoming untrusted networks.

    There is a firewall setting "Allow Trusted Microsoft Services", which allows select services to bypass the firewall. Automation is *not* included in this list. It would be a great help to include it; immediately…

    35 votes
    under review  ·  5 comments  ·  Other
  7. Create Key Vault Keys via ARM Template

    It would be useful to have the ability to create Keys via an ARM template, similar to Secrets:
    https://github.com/Azure/azure-quickstart-templates/tree/master/201-key-vault-secret-create

    33 votes
    6 comments  ·  Other
  8. Method for organising secrets in Key Vault (folders/sections)

    I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.

    It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.

    30 votes
    5 comments  ·  Other
  9. Enable CORS for Key Vault

    Either allow CORS for all Key Vaults, or allow it to be set on a per-Key Vault basis.

    20 votes
    0 comments  ·  Other
  10. 18 votes
    5 comments  ·  Other
  11. Deny users with inherited permissions to Azure Key Vault Service from modifying Access Policies.

    It should be possible to provide role separation even from the highest Azure permissions (Global Administrators / Subscription Owners).

    As of today, anyone with permissions to modify the service can change Access Policies and give themselves permissions to Keys and Secrets.

    Perhaps an extra level of security linked to Azure Active Directory, where only specified groups or users would have the ability to modify access policies.

    16 votes
    0 comments  ·  Other
  12. Make it possible with an ARM template to set an Access Policy for an Application Registration Principal

    After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different than one created via the portal); however, it will not work when used). As far as I've been able…

    12 votes
    2 comments  ·  Other
  13. Support encryption/decryption for Elliptic Curve Cryptography, eg. for ECDH

    Currently only the Sign and Verify actions can be executed with elliptic curve (EC) keys. Add the possibility to use EC keys also for encryption and decryption (together with a counterpart public key).
    For example, EC keys are used for encryption/decryption in the Steem blockchain.

    11 votes
    1 comment  ·  Other
  14. Allow key vault references without version

    It was previously possible to reference key vault settings without specifying the secret version in the URL, i.e. https://myvault.vault.azure.net/secrets/mysecret/

    This would automatically reference the most current version of the secret.

    This functionality stopped working after a rollout on 9 August 2019.

    This is a very useful feature when you need to use secrets across different environments as it is cumbersome to update the references whenever a secret needs to be updated.

    10 votes
    0 comments  ·  Other
  15. Please make soft delete a default feature

    Currently soft delete is not a default feature. It would be great if this could be made a default feature to protect against loss of a complete keyvault or the objects inside it (keys, secrets, certs).

    We learned about this feature only after getting hit by an accidental keyvault deletion.
    We can save others who are not aware of this feature and may run into a similar scenario.

    9 votes
    1 comment  ·  Other
  16. Allow a key vault access policy to be restricted to a certain key

    If a company has a single KeyVault which holds dev and production keys, then as long as you access the KeyVault through a valid access policy, any key can be used (for the usages mentioned in the access policy).

    6 votes
    1 comment  ·  Other
  17. Include Functions as a trusted service in key vault firewall exceptions

    Include Functions as a trusted service in key vault firewall exceptions. Why wouldn't you include all Azure services, unless we don't trust Azure PaaS anymore? ;-)

    5 votes
    0 comments  ·  Other

    Thanks for the valid suggestion. Your feedback is now open for the user community to up-vote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  18. Add possibility to copy a secret value on the portal without making it visible

    When you open a particular secret tab, you first need to make the value visible, and only then are you able to copy it.
    Please add a button to copy the value without showing it.

    5 votes
    2 comments  ·  Other
  19. Firewall IP Address description field

    To increase security management, add a description field to the Firewalls and Virtual Networks list (just like other services).

    Currently it is just a list of IP addresses, and we need to remember which ones are valid and which ones we should delete or expire. In the SQL Server firewall, you can add a description to the IP addresses. It would be great if you could do the same here.

    4 votes
    0 comments  ·  Other
  20. Accessing KeyVault from HDInsight cluster

    My team is starting a new project which involves running a .NET app on an HDI cluster. Accessing KeyVault from Windows machines requires certificates, but this is not feasible from the Linux VMs in HDI, which don't have support for a certificate store. Has anyone solved a similar problem?
    During investigation, I came across this (https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-linux-virtual-machine). I didn't try it myself, but my colleague said it didn't work for him. If it is possible to configure a service identity on HDI worker nodes, I would love to hear about it. Thanks.

    3 votes
    0 comments  ·  Other