Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  1. Azure Key vault api's return a 401 when the resource is https://vault.azure.net/

    The Azure key vault data plane API does not work when the signing resource is https://vault.azure.net/ and works fine with https://vault.azure.net . This seems to be pretty lame as only a forward slash should not make that much of a difference.
    The other resource such as management.azure.com works pretty fine with the forward slash

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  2. Azure Key Vault, Runtime error on create Key API-REST

    I have got a bug (I think).

    First of all, the normal input like label1, works ok. So I use the API fine.

    I have tested the possible names for a key, to know what type of inputs are compatible.
    The name of key is in URL:

    POST https://{vaultBaseUrl}/keys/{key-name}/create?api-version=2016-10-01

    So I wanted try with typical hacking inputs "'<

    I have encoded the inputs using URL Enconder, like this %22%27%3C

    The final url is:

    POST https://{vaultBaseUrl}/keys/%22%27%3C/create?api-version=2016-10-01

    And it produces a Runtime Error and sends internal information (show attached file), I think the correct answer should be 400 bad request.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  3. download a vault credential without login to Azure portal

    My coworker sometimes set up Azure Agent Backup, though he does not have azure portal login accont.
    So when he set up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
    Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
    So I want to download a vault credential without login to Azure portal.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Key Vault creation fails in CSP subscription

    Using google chrome version 54.0.2840.99 m (64-bit) and portal.azure.com

    When creating a new Key Vault inside an CSP subscription the following Error occurs:
    see attached screenshot

    My logged in user (example.adminuserr1) is member of the parent CSP AzureAD Tenants' (@csp.onmicrosoft.com) group "AdminAgents". I am working inside a subscription attatched to an customer AzureAD Tenant (@customer.onmicrosoft.com) created through PartnerCenter CSP Dashboard.

    I can replicate this error with other Accounts in the "AdminAgents" group located in the parent CSP AzureAD Tenant (example.user2@csp.onmicrosoft.com).

    I can create the keyvault with an user from the customer AzureAD Tenant (example.user@customer.onmicrosoft.com) without issues.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. Key Vault Secret Backup / Restore Role

    You can currently backup / restore keys from Keyvault. it would be helpful to be able to provide backup/ restore functionality and roles for Secrets.
    the current design assumption is these would also be stored within an on-prem password vault or documentation or equivalent. however operational best practice varies across companies as such a catch all should allow the backup and restore of secrets as you can with KEYS.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  6. Have better integration of Azure Key Vault and Crypteron

    Crypteron offers great SDK to offer easy encryption for Azure SQL and Azure Blob storage. However, the API keys are not accessible through Azure Key Vault for great level of security. Please work with Crypteron on better integration of their SDK offerings with use with KeyVault services.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  7. Allow creation of "living" secrets that are linked to a resource and always returns an active key

    As an alternative to rotating keys, it would be cool if you could create a key vault secret that was linked to a resource such as blob storage or cosmos db that uses keys for authentication, so that when you call the GET operation on that secret it can proxy the request to that resource's listkeys operation and automatically choose one. In this way, it would guarantee that any time you reach out to key vault for that secret, you would be sure to get an active key. For this to work, I expect Azure would need to associate a…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  8. Allow key vault references without version

    It was previously possible to reference key vault settings without specifying the secret version in the URL. i.e. https://myvault.vault.azure.net/secrets/mysecret/

    And would automatically reference the most current version of the secret.

    This functionality stopped working after a rollout on 9 August 2019.

    This is a very useful feature when you need to use secrets across different environments as it is cumbersome to update the references whenever a secret needs to be updated.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  9. keyvault version control and management

    enable versioning and tagging of entire keyvault properties to enable quick switching between configurations

    AND/OR enable online backup of keyvault to achieve the same effect

    Additionally, the keyvault user interface is very hard and inefficient to make a lot of changes and is error prone, so an improved table based UI might help ?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow ALL PaaS services to be trusted by KeyVault. Without this, firewall rules are unmanageable

    Allow all PaaS services to be trusted by KeyVault. Without this, firewall rules are unmanageable. Data factory has dynamic IPs, MIcrosoft solution to me was to add the 220 IP ranges for West US 2. Sadly, KeyVault only allows 127 entries. - Solution? Use the self hosted runtimes (higher cost). My solution if you want Key Vault to be enterprise ready, in the firewall screen, make it as simple as explicitly selecting an Azure service and saying - allow access - why do I have to figure out IP ranges? (too many anyway).Lets help the Azure Key Vault product team…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. Support for nCipher HSM and CNG

    Currently, Azure Key vault HSM doesn't support nCipher HSM and CNG ("nCipher World Key Provider"). Due to this we are not able to migrate few of our services to Azure and it become bottleneck for migration.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Key Vault Access Policies - Provide Identifier next to SP.

    In some scenarios there can be 2 service principals created in Azure AD such as function apps which have been re created and have the same name, by providing the Id next to the name it will allow contributors to verify they have selected the correct service principal to grant access to, and not old SP's

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. How to grant the AKV access to the web app hosted in IIS

    currently we are able to add the azure key vault access to the azure web app, but what is the app is not published to Azure, how to use the azure key vault with apps hosted in Azure VM IIS?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Custom applications  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add the Secret version GUID in the diagnostic logging output when a secret is created (SecretSet)

    The diagnostic logging output for Key Vaults do not include the version GUID when new secret or new version of an existing secret is created (SecretSet operation).

    Current data in properties_id field:
    https://<KeyVaultName>.vault.azure.net/secrets/test1234

    Requested data in properties_id field:
    https://<KeyVaultName>.vault.azure.net/secrets/test1234/38b6d47049704298affe8d0b1d3f47fb

    We would like to use this functionality to correlate diagnostic log outputs for SecretUpdate operations to SecretSet operations without requiring access to the Key Vault objects themselves, we use this data for tracing security events.

    The above method of including the version guid in the properties_id field is already used in a similar way when creating key versions (KeyCreate),…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  15. improve client exceptions around auth failures due to traffic routing failures

    I just spent a couple days trying to figure out why we couldn't use a service principal to auth against KeyVault from our on prem servers.

    It turned out we had failed to setup SNAT rules for a bank of machines, but none of the exceptions emitted by the client libraries were at all helpful in figuring this out.

    I've attached sample exceptions we got from the 2 different versions of the nuget packages we tried, but it was basically these 2 messages:

    Exception Message: Access token could not be acquired. Object reference not set to an instance of an…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  16. The Key vault should not allow it to be deleted

    The Key vault should not allow it to be deleted, as long as it has associations with other resources. In Azure the vast majority of resources have this restriction, for a resource as important as the Key Vault should also have this validation before allowing its elimination.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  17. Fix the article on Key Vault backups

    This article https://blogs.technet.microsoft.com/kv/2018/07/20/announcing-backup-and-restore-of-keys-secrets-and-certificates/ has some pretty major errors, such as stating that the CLI command line to backup a secret is the same as the one to backup a key. Someone needs to review and correct this article.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. nCipher Security has only one product, general purpose HSM

    LOL, this happen if somebody is not doing his work properly and only rename vendor.
    nCipher Security has only general purpose HSM and has no activities in NATO or with payment solution. The text is about Thales company.

    nCipher Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, government, and technology sectors. With a 40-year track record of protecting corporate and government information, nCipher Security cryptographic solutions are used by four of the five largest energy and aerospace companies. Their solutions are also used by 22 NATO countries/regions, and…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  19. Secure export options and access to KeyVault secrets from login screens

    Would be great to have following options in Key Vault – structured security permissions for all cryptographic resources. Possibility to deliver KeyVault secrets to users in secure way – direct export to encrypted archive + password, without use of system clipboard. One more option – direct access to KeyVault secret from mstsc or Windows Hello login screen, without copying of the sensitive information via system clipboard. Together with MFA security option KeyVault secret assigned to appropriate user can work as primary or backup login option.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  20. Chrome (or Edge) password manager extension integrated with Azure Key Vault

    We store our passwords in Azure Key Vault. It would be nice to be able to login into our applications using secrets stored in the key vault.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Custom applications  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base