Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Simplify key rotation process

    Make it easier to rotate keys. Currently, when creating a new version it becomes the default version immediately - which makes the process very risky. It will be better to be able to do this process manually (marking a key as default) - so I can do it when I'm ready. Or, even better - support decrtpting using the old keys like AWS KMS or GCP KMS are doing.

    References:
    https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
    https://cloud.google.com/kms/docs/key-rotation

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. Key Vault Service Limits

    The Key Vault limits are at a 10 second granularity but the granularity of its metrics are 1 minute. Please consider adjusting the limits to be in line with the granularity of the metrics available.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. when remove blue print, please also remove policies it created

    We found that the policies we had created using blueprint were not cleared out when we removed the blueprint. We had to manually remove the policy from policies.

    We should automatically remove those blueprint created policies when delete a blueprint.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Translate User/Service Principal names into GUIDs in the portal

    Given that the Access Policies show only the user or service principal name in the portal, it would be very nice to be able to be able to determine the GUIDs that these names resolve to troubleshoot issues.

    Having the same name listed multiple times with different GUIDs may prove confusing, so taking it one step further, the portal could also resolve the GUIDs (user, SP, Groups, Application IDs) into their objects for full information, perhaps by using something like Graph’s GetObjectsByObjectIds.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow users to link azure resource credentials into key vault secrets

    So ideally a user could create a key in a vault then be allowed to navigate to a resources credentials and store the password or username as the key value. This avoids credentials going out if date if users have build an API that calls secrets via AAD tokens. I'd use it for storage accounts,SQL servers etc.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. download a vault credential without login to Azure portal

    My coworker sometimes set up Azure Agent Backup, though he does not have azure portal login accont.
    So when he set up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
    Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
    So I want to download a vault credential without login to Azure portal.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  7. Key Vault Secret Backup / Restore Role

    You can currently backup / restore keys from Keyvault. it would be helpful to be able to provide backup/ restore functionality and roles for Secrets.
    the current design assumption is these would also be stored within an on-prem password vault or documentation or equivalent. however operational best practice varies across companies as such a catch all should allow the backup and restore of secrets as you can with KEYS.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  9. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. Within documentation or in the product overview pages include a list of other Azure services that are dependencies for Key Vault

    When large organizations adopt cloud services they may evaluate the cloud service in depth, along with all other cloud services that must or may be adopted as dependencies of the primary service being planned for use. An example is that when adopting Azure Key Vault a customer will be required to adopt Azure Active Directory if not already adopted, and therefore adopting Key Vault will necessitate an in-depth security assessment of Azure AD in addition to Key Vault.

    Currently Microsoft does not list dependencies of any kind on the product web pages of all the many Azure services. This obliges…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. HMAC signing

    As an application developer, I have had a number of situations where HMAC signing has been a key part of application security, such as:


    • Signing “local” session tokens (JWT, cookies, etc)

    • Third-party integrations (API authentication)

    • Integrity of data at rest

    In many of these scenarios, ECC signing is either too heavy or not possible due to third-party dependencies. For scenarios where the same Key Vault can do the signing and verification, it would be ideal for us to be able to either generate or import a symmetric key in Key Vault for use with HMAC.

    This would allow us to…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Remove option to toggle IP config from dynamic to static

    As per documentation: "When creating a private endpoint, a read-only network interface is also created for the lifecycle of the resource. The interface is assigned dynamically private IP addresses from the subnet that maps to the private link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint."
    However now the system lets you go into the NIC, go into the IP cofig and toggle the IP settings from dynamic to static. This is not allowed by the system and results in an error when saving. Please remove this option from here…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Multi-Region Key Vault

    Currently, Key Vault only supports one single region via collocation constraint, but there are usecases which having a multi-region Key Vault is necessary such as Encryption Scope.

    What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  14. Is there a way to programatically create a key vault?

    I need to be able to programmatically create a key vault in code. c#. But I don't see any documentation that will allow me to do that except for az.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. API for create new version of key instead of using the same create key command to create key

    The command to create a new version of key is the same command as create key, It has been tested that the same key name but entered with different cases e.g. apple, APPLE, APPle does create a new version using the new key command.

    Can the command for new key and new version be separated for API calling? The new key command should checked for existing key before creation and create a new version is for creating of new version of the key.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  16. Missing "import" key operation

    Hello everyone,

    I trying to use BYOK for HSM, following the steps on the article: https://docs.microsoft.com/en-us/azure/key-vault/hsm-protected-keys-vendor-agnostic-byok

    But I can't find the "import" key operation as mentioned, even using powershell.

    any help?

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  17. BYOK: Enable HSM and Key Vault traceability

    When using the BYOK procedure, after uploading your HSM-generated key to the Key Vault there is zero traceability to confirm that what was uploaded in the cloud is actually what you have originally generated with your nCipher HSM.
    The solution is very simple - nCipher HSMs already generate hashes for the generated keys in the security world metadata, AKV should store / display the hash after successful upload so you can verify your keys at any time.

    Otherwise the following attack scenario is possible (if unlikely):

    Prerequisites:
    * Knowledge of the attack target's subscription ID (not particularly confidential information at…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Microsoft Security World Information for Key Vault

    I would like to see the security worldpackage information for the Key Vault in the Kyeey Vault information so that it is easier to deduce the package to us. This must be made available in AzPs, CLI, SDK and via the REST APIs

    Get-AzureRmKeyVault -VaultName Bxxxxxxxp

    VaultUri : https://bxxxxxxxp.vault.azure.net/
    TenantId : 0b98xxxx-xxxx-xxxx-xxxx-xxxxxxxxf102
    TenantName : 0b98xxxx-xxxx-xxxx-xxxx-xxxxxxxxf102
    Sku : Premium
    EnabledForDeployment : False
    EnabledForTemplateDeployment : False
    EnabledForDiskEncryption : False
    EnableSoftDelete :
    OriginalVault : Microsoft.Azure.Management.KeyVault.Models.Vault
    ResourceId : /subscriptions/2ed3xxxx-xxxx-xxxx-xxxx-xxxxxxxxf1f7/resourceGroups/Bxxxxxxxp/providers/Microsoft.KeyVault/vaults/Bxxxxxxxp
    VaultName : Bxxxxxxxp
    ResourceGroupName : Bxxxxxxxp
    Location : westeurope
    Tags : {}
    TagsTable :
    SecurityWorldRegion : Europe | France | Germany etc.

    > Name of…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. Dedicated HSMs as-a-service

    Hi,

    It would be really great to be able to achieve FIPS level 3 in a (new, separately priced) tier in KeyVault.

    Today, we would have to step into the domain of a dedicated HSM for that, which is a completely different beast to tackle (and it has no SLA).

    So - please consider adding FIPS level 3 as an option to KeyVault, and make it possible to upgrade an existing vault to this level.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. keyvault version control and management

    enable versioning and tagging of entire keyvault properties to enable quick switching between configurations

    AND/OR enable online backup of keyvault to achieve the same effect

    Additionally, the keyvault user interface is very hard and inefficient to make a lot of changes and is error prone, so an improved table based UI might help ?

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base