Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on, so be sure to vote or submit your ideas! Remember, this site is for feature suggestions and ideas. For technical questions, please try the documentation, the MSDN Forum, or Stack Overflow.

  1. Show keys/secrets paths next to certificates path

    In the key vault portal, when you view a certificate, the top URL is the "Certificate Identifier". If you specify this in Express V2 deployment, it will only contain the public key. If you need the cert with private key, you have to go to the bottom of the page and look for the "Secret Identifier" URL and use that instead. IMO, the "Key Identifier", "Secret Identifier" and "Certificate Identifier" URLs should all be at the top of the certificate version page, and they should have some help text to indicate the difference.

    3 votes

    0 comments  ·  Certificates

  2. Allow secret versions to be deleted

    You can create multiple versions for a given secret; however, the API only allows a delete to be performed at the secret level and not for an individual version.

    3 votes

    1 comment  ·  Managing application secrets

  3. Add sanity check before disabling or deleting keys if they are in use by a storage account

    I experienced issues regarding accidental key disabling and deletion.
    There is no check whether the keys are in use by any storage account, which leads to not being able to switch/access keys and to storage errors on the VMs which use those storage accounts; it also blocks deleting the VMs.

    If this happens in production, a simple mistake could take down a whole environment by accidentally disabling or deleting a key which was used to encrypt the OS disks of the VMs.

    A simple check whether the key is still actively in use by a storage account, which throws a "KeyStillInUseError", would prevent…

    3 votes

    0 comments  ·  Encryption at rest

  4. Azure Key Vault Step 3.2 for Thales HSM security world initialization uses deprecated cipher suite

    In this document:

    https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/key-vault/key-vault-hsm-protected-keys.md

    The step 3.2 suggests you should initialize your security world with:

    new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3

    DLf1024s160mRijndael is the Thales nShield HSM legacy cipher suite, and should not be used in Production environments. The cipher suite should be DLf3072s256mRijndael so the command should be:

    new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3

    I suggest updating the step to reflect the newer cipher suite.

    3 votes

    0 comments  ·  Other

  5. KeyVault and .NET XML signatures

    This is a mixed issue (Azure Key Vault and .NET).

    .NET has a service called SignedXml that can be used to create XML signatures. The problem is that you need the X509Certificate (with private key) to create the signature using its ComputeSignature method (the digest is calculated, internally, only when you compute the signature).

    It would be very nice if SignedXml could be more Azure-aware.
    We would like to calculate the digest from SignedXml (without using the priv.cert), sign the digest via Azure Key Vault's SignAsync method, and feed the signature back into the service so that it can create…

    3 votes

    0 comments

  6. manage permissions on an entry level

    We are creating a solution where multiple services (backend servers from different departments, ...) will use Key Vault to retrieve their access keys. It would be great to be able to give a backend service access to only the relevant entry (e.g. only to secret1 and certificate2).
    The problem is that a user who has access (to secrets, for example) automatically has access to all secrets.

    In other words: Add access policies to secrets, keys and certificates

    3 votes

    0 comments  ·  Managing application secrets

  7. [Azure Key Vault] Microsoft.Azure.KeyVault library should provide a *default* retry policy

    The Microsoft.Azure.KeyVault library should provide a default retry policy which considers the Key Vault SLAs and operational capabilities (e.g. failover).

    Just like the Azure Storage Client library.

    3 votes

    0 comments

  8. Add download of SSL certificates from key vault

    Provide ability to download an SSL certificate from the key vault for use in other services (e.g. Azure API Management which only accepts uploaded certs).

    3 votes

    1 comment  ·  Certificates

  9. KeyVault should interface with an organization's private CA

    For: organizations that have a private certificate authority.
    Goal: avoid certificates in email and manual uploads.
    New feature: configure a private CA endpoint in KeyVault, then have KeyVault arrange a CSR, have it signed by the connected private CA, and store the result back in KeyVault.

    2 votes

    0 comments  ·  Certificates

  10. Showing Azure Key Vault Regional Replication

    Presently in Azure portal, you cannot see the information regarding the regional replication or the location. As of now, it is not possible to view the data that are replicated to the secondary region.

    This information is needed for SOC audits and would be helpful to have in the Portal.

    2 votes

    0 comments  ·  Certificates

  11. Fix your DigiCert Automation Integration

    Fix your DigiCert integration. They've changed their SSL products and it's impossible to use KV to order Basic Wildcard SSL (OV-Basic). Your API will not support any of their new product keywords. I literally spent two days figuring this out on my own. If you are going to tout integrated CAs and automation, then make sure it works!

    2 votes

    1 comment  ·  Certificates

  12. On Prem AKV

    Even with premium, AKV is placed in the Microsoft Datacenters. That is the main reason customers don't want to have both data and keys on the same cloud or with the provider, which is Microsoft.
    This is a much bigger problem in the EU.

    Why can't Microsoft create AKV as a device which customers can buy and put in their own data center? Add it as a registered device in Azure subscription, and then it provides the same interface and API.

    2 votes

    0 comments  ·  Other

  13. Add namespaces to key name

    We are planning to use Azure key vault to maintain DB passwords used by microservices. As per standards, in Java Spring, the property name for DB password is "spring.datasource.password". We can store only one value with key corresponding to "spring.datasource.password" in an Azure vault. There might be 100s of microservices and maintaining each microservice with a key vault will be difficult.
    Here's the issue from our customer: https://github.com/microsoft/azure-spring-boot/issues/763

    Hashicorp vault solves this issue with namespaces: https://learn.hashicorp.com/vault/operations/namespaces

    2 votes

    0 comments  ·  Managing application secrets

  14. Enable the exposure of User Details of External (Guest) users to Azure Keyvault.

    At present, reporting on access to secrets stored in key vaults is only easily deployable for users that are members of the underlying AD tenant. For invited users the logs only record the object ID and not the username, meaning that in order to generate reports on secret access, additional scripting is required within the code to perform a lookup to obtain the details that are already in the tenant AD and populate a variable to be used. As the information is already in Azure AD, it would be more elegant for this heavy lifting to be done by the…

    2 votes

    0 comments

  15. Additional Event Types for Key Vault integration with Event Grid

    How about some additional event types, specifically Microsoft.KeyVault.SecretDeleted, Microsoft.KeyVault.CertificateDeleted, and Microsoft.KeyVault.KeyDeleted ?

    I'd like to be able to subscribe to delete events. The *NewVersionCreated event types fire when a new key vault object is added or a new version is saved, but I need to know when an object is deleted.

    2 votes

    0 comments  ·  Other

  16. Better Scope the access needed to restore a VM from recovery vault

    While our 3rd party MSP was attempting to restore a VM we found that they did not have the required permissions. After reviewing the docs here https://docs.microsoft.com/en-us/azure/backup/backup-rbac-rs-vault
    we found that they need Contributor access, specifically resourcegroups/write.
    Creating resource groups is an authorization we need to limit. Requesting that the product group remove this authorization from VM restores.

    2 votes

    0 comments

  17. improve client exceptions around auth failures due to traffic routing failures

    I just spent a couple days trying to figure out why we couldn't use a service principal to auth against KeyVault from our on prem servers.

    It turned out we had failed to set up SNAT rules for a bank of machines, but none of the exceptions emitted by the client libraries were at all helpful in figuring this out.

    I've attached sample exceptions we got from the 2 different versions of the nuget packages we tried, but it was basically these 2 messages:

    Exception Message: Access token could not be acquired. Object reference not set to an instance of an…

    2 votes

    1 comment  ·  Other

  18. Fix the article on Key Vault backups

    This article https://blogs.technet.microsoft.com/kv/2018/07/20/announcing-backup-and-restore-of-keys-secrets-and-certificates/ has some pretty major errors, such as stating that the CLI command line to backup a secret is the same as the one to backup a key. Someone needs to review and correct this article.

    2 votes

    0 comments  ·  Other

  19. Simplify key rotation process

    Make it easier to rotate keys. Currently, when creating a new version it becomes the default version immediately, which makes the process very risky. It would be better to be able to do this step manually (marking a key as default) so I can do it when I'm ready. Or, even better, support decrypting using the old keys, as AWS KMS and GCP KMS do.

    References:
    https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
    https://cloud.google.com/kms/docs/key-rotation

    2 votes

    0 comments  ·  Other

  20. Key Vault Service Limits

    The Key Vault limits are at a 10 second granularity but the granularity of its metrics are 1 minute. Please consider adjusting the limits to be in line with the granularity of the metrics available.

    2 votes

    0 comments  ·  Other