Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  1. Make it possible with an ARM template to set an Access Policy for a Application Registration Principal

    After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able…

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  2. Add support for storage and retrieval of password protected certificates

    Currently all password protections applied on a certificate are stripped when they are uploaded and saved into Azure Key Vault. We would like to have the option of storing both the certificate and the password via the "az keyvault certificate import/download" set of cli commands with a toggleable optional argument to choose to preserve the transmission of the private key into and out of the keyvault along with the base certificate data together.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow key vault references without version

    It was previously possible to reference key vault settings without specifying the secret version in the URL. i.e. https://myvault.vault.azure.net/secrets/mysecret/

    And would automatically reference the most current version of the secret.

    This functionality stopped working after a rollout on 9 August 2019.

    This is a very useful feature when you need to use secrets across different environments as it is cumbersome to update the references whenever a secret needs to be updated.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Support encryption/decryption for Elliptic Curve Cryptography, eg. for ECDH

    Currently only Sign and Verify action can be executed with elliptic curve (EC) keys. Add a possibility to use EC keys also for encryption and decryption (together with counterpart public key).
    For example, EC keys are used for encryption/decryption in steem blockchain.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow self-signed certificates to have a custom-set password

    Currently, self-signed certs created in the portal do not have a way to allow passwords to be set. This causes a problem when the PFX is needed to be uploaded to other Azure services, as they require passwords. Please allow a way for a password to be set on any self-signed certificate created in the Azure Key Vault portal.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  6. Add support for PGP keys

    Many of our vendors require us to send them files via SFTP using their public encryption keys most of which are PGP keys. As we start to migrate our Managed File Transfer service to Azure we'd like to leverage storing these keys in Azure Key Vault

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  7. Please make soft delete a default feature

    Currently soft delete is not a default feature. It would be great if this can be made a default feature to protect against loss of a complete keyvault or objects inside (keys,secrets,certs).

    We learned about this feature only after getting hit by an accidental keyvault deletion.
    We can save others who are not aware of this feature and may run into similar scenario.

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. Add filtering and column sorting options to Keys, Secrets and Certificates

    Background:

    Is it just me, or is it really annoying that you can't write any filters or sort on columns in the Key Vault resource? We will have like 1500 keys when our projects reaches it's final stage, and the "Show more"-button is really not my best friend.

    Suggestion:

    Make the lists of Keys, Secrets and Certificates sortable on column name, and add a filter/search field to improve management when browsing the vault using Azure Portal.

    To find a Secret in a long list it requires you to scroll down, and press "Load more" which is not convinient at all.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  9. Provide the ability to create multiple lines' secret(SSH private key) in azure portal

    When I generate a manual type secret, it's impossible to save the multiple lines' secret(SSH private key) value, in fact, I think the input box should take text area as an option.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  10. Support storing certificates without private keys

    Right now keyvault doesn't allow storing a certificate WITHOUT the private key in the keyvault. This is useful for a number of use-cases, eg:


    • storing an internal CA public cert in the same place other internal certs are stored

    • Store the public cert for trusted clients, where the private key is only on the client

    The "workaround" right now is to store unsupported cert forms either in a storage account, or as secrets. Storage accounts aren't ideal b/c they are conceptually separate and are not audited in the same way; and don't support the same ability to browse or search…

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  11. Filter on key-vault Secrets, Keys and Certificates

    We keep a lot of secrets in key vaults, would be great to have some way of finding particular secret easier. Same applies to Keys and Certificates.

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. Active Directory Certificate Service as external CA Provider

    Create an integration that allows the use of an existing on-prem or Azure VM Active Directory Certificate Services' CA to issue certificates.

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  13. Ability to reference a secret without having to specify the secret version explicitly

    Hi! Currently the only way to specify a KeyVault reference is to specify the version as well. Could this perhaps be changed to be able to reference a particular version by default (perhaps the newest one). This would really help in the case that a secret needs to be updated and a particular version is no longer valid. Currently I have to go back and change my secret, fetch the new secret version and update all the references accordingly. This gets really tedious when you have a lot of secrets to keep track of.

    To make this clear:

    Currently my…

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  14. Auto Rotate Secrets on connected Resources

    Microsoft docs highly recommends the keys/secrets/certificates to be rotated on regular interval for better security posture.

    The rotation is only possible by writing powershell code and dont have luxury to write and maintain for every resource.

    It would be great to have a feature in Key Vault to do that for us when a resource is connected. Resource could be PaaS SQL, Storage account, Azure Ad APP etc.

    KeyVault talks about writing powershell code to recycle keys on storage account.
    https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  15. Add Support for Future/Scheduled Certificate Versions

    I would like the ability to create a new certificate version in advance while continuing to use the current version for some time. In my scenario, I have a server application that issues digital signatures that IoT devices in the field need to verify, and the devices need the application’s public-key-containing certificate to perform this operation.

    Currently, when I renew the server application’s certificate, I must distribute it to all devices at that point in a “big bang” fashion. (To be precise, the devices detect that the certificate thumbprint sent with the signatures has changed, and they get the new…

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  16. Support certificate revocation

    Key vault supports obtaining certificates from number of CAs and this works great.

    However, Key Vault does not currently provide interface to revoke such certificates, leaving a gap in certificate lifecycle management.

    Please extend integration between Key Vault and supported CAs to support revocation in addition to issuance.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  17. Allow a key vault access policy to be restricted to a certain key

    If a company has a single KeyVault which holds dev and production keys, as long as you access the keyvault through a valid access policy and key can be used (for the usages mentioned in the access policy).

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Add support for certificate request from Azure Key vault

    Add support to create certificate requests from Azure Key Vault.
    This would enable PDF signing in the cloud. And would open many possibilities for cloud based e-ID solutions.

    Adobe pdf signing certificates have requirements for hsm, smart card or equivalent secure storage so being able to have this in the Azure Key vault would be very useful.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  19. include functions as a trusted service in key vault firewall exceptions

    Include functions as a trusted service in key vault firewall exceptions. Why wouldn't you include all Azure services - unless we don't trust Azure PaaS anymore? ;-)

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to up-vote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  20. Ability to sign cert with another self-signed cert

    It would be nice to create a root cert and store it in the keyvault. Then, create other self signed certs that are signed by the root cert. This would allow me to create a single CA for my cluster, then create certs for the various microservices in the cluster so they could communicate securely. I would simply need to install the root cert on all the machines.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base