Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow a key vault access policy to be restricted to a certain key

    If a company has a single KeyVault which holds dev and production keys, as long as you access the keyvault through a valid access policy and key can be used (for the usages mentioned in the access policy).

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. Snapshot Entire Vault for Backup and Restore

    The current backup/restore solution for Keyvault keys, secrets and certs takes a lot of time to perform.
    It would be great if you could snapshot a whole Keyvault and save the backup. This would allow restore to use that backup snapshot.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. function on consumption plan can be added "trusted services azure service" key vault behind firewall

    would like to keep Azure key vault secure, at the same time that the Azure function on consumption plan can access the Key vault.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add possibility to copy a secret value on the portal without making it visible

    When you open a particular secret tab you first need to make it visible and only then you are able to copy the value.
    Please add a button to copy the value without showing the value.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Configure key vault managed storage accounts via ARM template

    This link describes configuring Key Vault managed storage accounts with PowerShell.
    https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell

    If we could do the same in an ARM template, it would reduce deployment complexity and allow us to leverage the functionality in air-gapped environments.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow ALL PaaS services to be trusted by KeyVault. Without this, firewall rules are unmanageable

    Allow all PaaS services to be trusted by KeyVault. Without this, firewall rules are unmanageable. Data factory has dynamic IPs, MIcrosoft solution to me was to add the 220 IP ranges for West US 2. Sadly, KeyVault only allows 127 entries. - Solution? Use the self hosted runtimes (higher cost). My solution if you want Key Vault to be enterprise ready, in the firewall screen, make it as simple as explicitly selecting an Azure service and saying - allow access - why do I have to figure out IP ranges? (too many anyway).Lets help the Azure Key Vault product team…

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  7. Accessing KeyVault from HDInsight cluster

    My team is starting a new project which involves running .NET app on HDI cluster. Accessing KeyVault from Windows machines require certificates, but this is not feasible from Linux VMs in HDI which doesn't have support for certificate store. Does anyone solved similar problem?
    During investigation, I came across this (https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-linux-virtual-machine). Didn't tried it myself, but my colleague said it didn't work for him. If it is possible to configure service identity on HDI worker nodes, I would love to hear. Thanks.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. Support for adding a policy for an MSI without removing all other access policies

    When I create a web app with a Managed Service Identity and want to grant it access to an EXISTING vault, the ARM template for that - even when in incremental mode - removes the other existing access policies from the vault. Only the one for the newly added MSI will be there afterwards.

    This effectively disables any scenario where you want to use an existing key vault for a new web app.

    Similar to what has been reported here:
    https://stackoverflow.com/questions/47667050/azure-keyvault-add-function-msi-via-arm

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  9. Offer Logic App as a choice in the Event Endpoint dropdown

    When you are creating a new Event Subscription you should be able to choose Logic App as a possible option for the Event Handler / Endpoint Type.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add Notes Field

    Our team was evaluating AKV to replace KeePass as a department credential storage medium, one of the most useful features missing is the ability to add notes or comments to a credential. Context is for Kings, sometimes a credential needs descriptions or even instructions, pairing those with the credential is valuable.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. Improve PowerShell error messages

    Hello,

    I found an issue that when calling get-AzKeyVaultSecret from PS, it returns useless error "forbidden". When instead I call az keyvault secret show from Bash, i get error that "IP address *** not allowed".

    PS Azure:> Get-AzKeyVaultSecret -vaultname tbtest3-kv
    Get-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden'
    At line:1 char:1
    + Get-AzKeyVaultSecret -vaultname tbtest3-kv
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-AzKeyVaultSecret], KeyVaultErrorException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret

    tomas@Azure:~$ az keyvault secret show --name "AppSecret" --vault-name "tbtest3-kv"
    Client address (137.117.226.47) is not authorized and caller is not a trusted service

    The IP restriction is intentional, but it appears so…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Azure Key Vault Step 3.2 for Thales HSM security world initialization uses deprecated cipher suite

    In this document:

    https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/key-vault/key-vault-hsm-protected-keys.md

    The step 3.2 suggests you should initialize your security world with:

    new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3

    DLf1024s160mRijndael is the Thales nShield HSM legacy cipher suite, and should not be used in Production environments. The cipher suite should be DLf3072s256mRijndael so the command should be:

    new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3

    I suggest updating the step to reflect the newer cipher suite.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Allow "Microsoft.KeyVault/vaults/accessPolicies/write" permission to work without having to also assign "Microsoft.KeyVault/vaults/write"

    At present "Microsoft.KeyVault/vaults/accessPolicies/write" is insufficient to block or enable user for modifying the access policy of the key vault.

    To block or enable access policy you have to add "Microsoft.KeyVault/vaults/write" as well. This means that we cannot properly apply least privilege to users who we just want to block or allow to modify access policies only.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  14. Key Vault replication & backup/restore secret update

    TLDR: I want the possibility to overwrite already existing secrets with the Restore-AzKeyVaultSecret/Key/Certificate to allow for replication in the customers control.

    According to the Key Vault documentation Azure Key Vault provides a 99.9% availability percentage and a replication to the pair region takes place to ensure customers can continue using their Key Vaults after a failover in read-only.

    However this is a situation a customer does not and can not control. This means that a customer has to wait until Microsoft declares a disaster and fails over the vaults to the pair region. I would like it if we would…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. Allow Azure services and resources to access this key vault

    It should be possible to select "Allow Azure services and resources to access this key vault" in Networking.

    As of today, you can only select:
    Option 1) ”Allow trusted Microsoft services to bypass this firewall”
    Option 2) "IPv4 address"
    Option 3) "Virtual networks"

    A scenario is, you have a “Azure WebApp”, and Identity is set to off.
    Then the WebApp is not a “trusted Microsoft services”, therefore option 1 is not useable.

    Option 2, the IP address solution, is not useable when you have many WebApps, and many key vaults, in our case we should then manually handle over 1000…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  16. Improve error messaging for Key Vault firewall vNet integration

    If you try to add a vNet/subnet to a Key Vault's firewall, the subscription where that vNet lives must have the Key Vault resource provider registered. If the Key Vault resource provider is not registered in the vNet's subscription, the error you see leads you down a different rabbit hole. Here's an example of the error message:

    Virtual Network could not be validated. code: AuthorizationFailed. message: "The client '{guid}' with object id '{same_guid}' does not have authorization to perform action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action' over scope '/subscriptions/my-vNet-subscription-guid/resourcegroups/my-Resource-Group/providers/microsoft.network/virtualnetworks/my-vNet/taggedTrafficConsumers/Microsoft.KeyVault.centralus' or the scope is invalid. If access was recently granted, please refresh your credentials.".

    That error…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  17. Additional Event Types for Key Vault integration with Event Grid

    How about some additional event types, specifically Microsoft.KeyVault.SecretDeleted, Microsoft.KeyVault.CertificateDeleted, and Microsoft.KeyVault.KeyDeleted ?

    I'd like be able to subscribe to delete events. The *NewVersionCreated event types fire when adding a new key vault object or a new version is saved but I need to know when an object is deleted.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Fix the article on Key Vault backups

    This article https://blogs.technet.microsoft.com/kv/2018/07/20/announcing-backup-and-restore-of-keys-secrets-and-certificates/ has some pretty major errors, such as stating that the CLI command line to backup a secret is the same as the one to backup a key. Someone needs to review and correct this article.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. Simplify key rotation process

    Make it easier to rotate keys. Currently, when creating a new version it becomes the default version immediately - which makes the process very risky. It will be better to be able to do this process manually (marking a key as default) - so I can do it when I'm ready. Or, even better - support decrtpting using the old keys like AWS KMS or GCP KMS are doing.

    References:
    https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
    https://cloud.google.com/kms/docs/key-rotation

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. Translate User/Service Principal names into GUIDs in the portal

    Given that the Access Policies show only the user or service principal name in the portal, it would be very nice to be able to be able to determine the GUIDs that these names resolve to troubleshoot issues.

    Having the same name listed multiple times with different GUIDs may prove confusing, so taking it one step further, the portal could also resolve the GUIDs (user, SP, Groups, Application IDs) into their objects for full information, perhaps by using something like Graph’s GetObjectsByObjectIds.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base