Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback.

Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions, please try the documentation, MSDN Forum or Stack Overflow.

  1. Allow write operations to a failed over Key Vault instance

    The documentation states that when a regional disaster happens, Azure Key Vault instances are failed over to a paired region as read-only.

    https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance

    While I understand that regional disasters are very unlikely, the odds of having to modify secrets such as connection strings after a regional disaster can be high.

    Being able to update a Key Vault after a disaster would increase the chances of meeting the business's RTO.

    1 vote

    0 comments  ·  Managing application secrets
  2. Add ability to store any arbitrary string in Key Vault

    At the moment you can only add certificates, but there are many instances where you may want to set up arbitrary pieces of 'secret' text like a password, connection string or other configuration information that can be retrieved securely from somewhere.

    I would like to suggest this ability is added to Key Vault (I believe AWS has something similar called AWS Parameter Store).

    1 vote

    0 comments  ·  Managing application secrets
  3. Not require "Key Vault contributor" role for devops app user

    For Azure DevOps to access a Key Vault during deployment, there is a process to create a custom role and assign it to the Key Vault: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-powershell#grant-access-to-the-secrets

    We discovered that it is also necessary to give the Azure Key Vault Contributor role to the DevOps app user as well, which gives it more permissions than required. This has been verified with MS support.

    Please change this so that the deployment user only needs a read-only role to access the Vault during deployment.

    1 vote

    0 comments  ·  Managing application secrets
  4. KeyVaultErrorException Error validating token: IDX10223 after changing timezone on laptop

    Fix the exception after changing timezone on a laptop. Or warn developers not to change timezones on business trips.

    Went on a business trip where I changed the timezone.
    Everything worked fine.
    Returned home and restored the timezone.
    The .NET Core application stops working due to an exception.

    Microsoft.Azure.KeyVault.Models.KeyVaultErrorException Error validating token: IDX10223
    HResult=0x80131500
    Message=Error validating token: IDX10223
    Source=Microsoft.Azure.KeyVault

    1 vote

    1 comment  ·  Managing application secrets
  5. Allow creation of "living" secrets that are linked to a resource and always returns an active key

    As an alternative to rotating keys, it would be cool if you could create a key vault secret that was linked to a resource such as blob storage or cosmos db that uses keys for authentication, so that when you call the GET operation on that secret it can proxy the request to that resource's listkeys operation and automatically choose one. In this way, it would guarantee that any time you reach out to key vault for that secret, you would be sure to get an active key. For this to work, I expect Azure would need to associate a…

    1 vote

    0 comments  ·  Managing application secrets
  6. Add the Secret version GUID in the diagnostic logging output when a secret is created (SecretSet)

    The diagnostic logging output for Key Vaults does not include the version GUID when a new secret or a new version of an existing secret is created (SecretSet operation).

    Current data in properties_id field:

    https://<KeyVaultName>.vault.azure.net/secrets/test1234

    Requested data in properties_id field:

    https://<KeyVaultName>.vault.azure.net/secrets/test1234/38b6d47049704298affe8d0b1d3f47fb

    We would like to use this functionality to correlate diagnostic log outputs for SecretUpdate operations to SecretSet operations without requiring access to the Key Vault objects themselves; we use this data for tracing security events.

    The above method of including the version GUID in the properties_id field is already used in a similar way when creating key versions (KeyCreate),…

    1 vote

    0 comments  ·  Managing application secrets
  7. The Key vault should not allow it to be deleted

    The Key Vault should not allow itself to be deleted as long as it has associations with other resources. In Azure the vast majority of resources have this restriction; a resource as important as the Key Vault should also have this validation before allowing its elimination.

    1 vote

    0 comments  ·  Managing application secrets
  8. Secure export options and access to KeyVault secrets from login screens

    It would be great to have the following options in Key Vault: structured security permissions for all cryptographic resources. The possibility to deliver KeyVault secrets to users in a secure way: direct export to an encrypted archive + password, without use of the system clipboard. One more option: direct access to a KeyVault secret from mstsc or the Windows Hello login screen, without copying the sensitive information via the system clipboard. Together with the MFA security option, a KeyVault secret assigned to the appropriate user can work as a primary or backup login option.

    1 vote

    0 comments  ·  Managing application secrets
  9. I am facing an issue while setting / getting secret keys using the Key Vault API. I am getting a 501 response from these APIs

    I am facing an issue while setting / getting secret keys using the Key Vault API. I am getting a 501 response from these APIs.

    1 vote

    1 comment  ·  Managing application secrets
  10. Don't show Key Vault secret values in the Azure Portal

    Today when secrets are added to Key Vault, the value of a secret is visible in the Azure Portal (initially secrets are masked out, but clicking on a secret allows one to see its value).

    There should be an option NOT to see a secret's value once it’s added to the vault.

    This way, if the Azure Portal is compromised, secrets are still secure.

    1 vote

    0 comments  ·  Managing application secrets
  11. Manually add (or re-add) App Service Key to Key Vault?

    Is there a way that I can re-add my App Service Certificate to my Key Vault?
    The reason I'm asking is that I accidentally deleted the certificate from the Key Vault. The App Service Certificate resource is still there, but the certificate no longer shows up in my Key Vault (obviously).

    https://stackoverflow.com/questions/53202773/azure-manually-add-app-service-certificate-to-key-vault

    1 vote

    0 comments  ·  Managing application secrets
  12. Rotate secrets when they are uploaded in bulk to vault

    As a compliance activity we remove secrets (app secrets, connection strings, etc) from code and upload them to Azure Key Vault. That provides an opportunity to roll them and have fresh secrets at the moment they are put into the vault.

    1 vote

    0 comments  ·  Managing application secrets
  13. Key vault document is really messy

    The current Key Vault document is really messy; it's really hard to know the whole e2e workflow to set up a Key Vault for a web app.

    For example, where to get the client id and client password, how to connect the Key Vault with the application, why there are so many old portal screenshots, why so many PowerShell scripts if we can just click some button via the portal.

    1 vote

    0 comments  ·  Managing application secrets
  14. Add deployment slots

    Configuration secrets such as connection strings will change from one deployment slot to another. Adding the deployment slot concept to Key Vault would eliminate the need to hack that concept into the secret names and the code used to retrieve the secrets.

    1 vote

    0 comments  ·  Managing application secrets