Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on, so be sure to vote or submit your ideas! Remember, this site is for feature suggestions and ideas. For technical questions, please try the documentation, the MSDN Forum or Stack Overflow.

  1. Support dot in property name

    Dots are very common in Java spring boot properties, and many spring boot starter projects.

    Azure Key Vault should support a dot in the property name.

    2 votes

    0 comments  ·  Custom applications
  2. When removing a blueprint, please also remove the policies it created

    We found that the policies we had created using a blueprint were not cleared out when we removed the blueprint. We had to manually remove the policy from Policies.

    We should automatically remove those blueprint-created policies when deleting a blueprint.

    2 votes

    0 comments  ·  Other
  3. Translate User/Service Principal names into GUIDs in the portal

    Given that the Access Policies show only the user or service principal name in the portal, it would be very nice to be able to determine the GUIDs that these names resolve to, in order to troubleshoot issues.

    Having the same name listed multiple times with different GUIDs may prove confusing, so, taking it one step further, the portal could also resolve the GUIDs (user, SP, groups, application IDs) into their objects for full information, perhaps by using something like Graph’s GetObjectsByObjectIds.

    2 votes

    0 comments  ·  Other
  4. Should we have two methods for fetching secrets from Key Vault? GetSecretsAsync | GetSecretsNextAsync

    I am using the Key Vault client library to pull all secrets from Key Vault. I used GetSecretsAsync(maxresults: 25). It yields a pagination link to iterate over the next set of secrets.

    But I could not browse Key Vault using the same GetSecretsAsync(vaultUri: NextPageLink); it did not work.

    After hours of browsing, I found source samples from Key Vault itself, which are almost buried in that page. They say we need to use GetSecretsNextAsync().

    In my understanding, we could have the same GetSecretsAsync() method for iterating through secrets rather than a couple of methods.

    For documentation, is it possible to have sample code snippets in…

    2 votes

    0 comments  ·  Custom applications
  5. Allow users to link Azure resource credentials into Key Vault secrets

    So ideally a user could create a key in a vault, then be allowed to navigate to a resource's credentials and store the password or username as the key value. This avoids credentials going out of date if users have built an API that calls secrets via AAD tokens. I'd use it for storage accounts, SQL servers, etc.

    2 votes

    0 comments  ·  Other
  6. Azure Key Vault APIs return a 401 when the resource is https://vault.azure.net/

    The Azure Key Vault data plane API does not work when the signing resource is https://vault.azure.net/ and works fine with https://vault.azure.net . This seems pretty lame, as a single forward slash should not make that much of a difference.
    Other resources such as management.azure.com work fine with the forward slash.

    2 votes

    1 comment
  7. Azure Key Vault, runtime error on the create key REST API

    I have got a bug (I think).

    First of all, normal input like label1 works OK, so I am using the API fine.

    I have tested the possible names for a key, to know what types of input are compatible.
    The name of the key is in the URL:

    POST https://{vaultBaseUrl}/keys/{key-name}/create?api-version=2016-10-01

    So I wanted to try with typical hacking inputs: "'<

    I have encoded the inputs using a URL encoder, like this: %22%27%3C

    The final URL is:

    POST https://{vaultBaseUrl}/keys/%22%27%3C/create?api-version=2016-10-01

    And it produces a Runtime Error and sends internal information (see attached file). I think the correct answer should be 400 Bad Request.

    2 votes

    0 comments
  8. Download a vault credential without logging in to the Azure portal

    My coworker sometimes sets up Azure Agent Backup, though he does not have an Azure portal login account.
    So when he sets up Azure Agent Backup, I need to download the vault credential and pass it to him every time.
    Because of this, my coworker cannot set up Azure Agent Backup when I cannot pass him a vault credential.
    So I want to download a vault credential without logging in to the Azure portal.

    2 votes

    1 comment  ·  Other
  9. Key Vault creation fails in CSP subscription

    Using Google Chrome version 54.0.2840.99 m (64-bit) and portal.azure.com.

    When creating a new Key Vault inside a CSP subscription, the following error occurs:
    see attached screenshot

    My logged-in user (example.adminuserr1) is a member of the parent CSP Azure AD tenant's (@csp.onmicrosoft.com) group "AdminAgents". I am working inside a subscription attached to a customer Azure AD tenant (@customer.onmicrosoft.com) created through the Partner Center CSP dashboard.

    I can replicate this error with other accounts in the "AdminAgents" group located in the parent CSP Azure AD tenant (example.user2@csp.onmicrosoft.com).

    I can create the Key Vault with a user from the customer Azure AD tenant (example.user@customer.onmicrosoft.com) without issues.

    2 votes

    0 comments
  10. Key Vault Secret Backup / Restore Role

    You can currently back up / restore keys from Key Vault. It would be helpful to be able to provide backup/restore functionality and roles for secrets.
    The current design assumption is that these would also be stored within an on-prem password vault, documentation or equivalent. However, operational best practice varies across companies; as such, a catch-all should allow the backup and restore of secrets as you can with keys.

    2 votes

    0 comments  ·  Other
  11. Have better integration of Azure Key Vault and Crypteron

    Crypteron offers a great SDK that provides easy encryption for Azure SQL and Azure Blob storage. However, the API keys are not accessible through Azure Key Vault for a greater level of security. Please work with Crypteron on better integration of their SDK offerings with Key Vault services.

    2 votes

    0 comments
  12. Allow Azure Key Vault Certificate user (read only) RBAC role

    Allow an Azure Key Vault Certificate User (read only) RBAC role, because right now it's only possible to have a Certificate Officer. I can think of lots of scenarios where you only want to allow read access to a certificate, instead of allowing read, write and delete permissions.

    1 vote

    0 comments  ·  Certificates
  13. List of secrets can be larger than 9 entries

    In the Azure portal, the list of secrets is by default capped at 9 entries. If you want to see more, you can press 'Load more'.
    There is room for much more than 9, so it would be good to make it work the same way as other lists in the Azure portal.

    1 vote

    0 comments  ·  Other
  14. Keyvault secret expiry should accept an ISO 8601 timestamp

    The built-in utcNow and dateTimeAdd functions can currently only format date/time strings using .NET format strings, so they can't output seconds since the epoch. This is a problem because the Key Vault secret expiry only accepts seconds since the epoch (https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets), so there's no way to set this value from a template.

    The Key Vault resource provider should be updated to accept the ISO 8601 timestamp that dateTimeAdd uses (the output of utcNow('u')). The resource provider could convert the property to an int to keep the API backwards compatible, either by allowing 'exp' to be a string or…

    1 vote

    0 comments  ·  Managing application secrets
  15. 1 vote

    0 comments  ·  Other
  16. 1 vote

    0 comments  ·  Other
  17. Data Encryption of Key Storage Vault

    15KB of storage or lockers for Azure Defender in which to put the encryption-coded keys that can be purged from storage, using the biometric information or feedback information to retrieve data.

    1 vote

    0 comments  ·  Encryption at rest
  18. Within documentation or in the product overview pages include a list of other Azure services that are dependencies for Key Vault

    When large organizations adopt cloud services they may evaluate the cloud service in depth, along with all other cloud services that must or may be adopted as dependencies of the primary service being planned for use. An example is that when adopting Azure Key Vault a customer will be required to adopt Azure Active Directory if not already adopted, and therefore adopting Key Vault will necessitate an in-depth security assessment of Azure AD in addition to Key Vault.

    Currently Microsoft does not list dependencies of any kind on the product web pages of all the many Azure services. This obliges…

    1 vote

    0 comments  ·  Other
  19. HMAC signing

    As an application developer, I have had a number of situations where HMAC signing has been a key part of application security, such as:

    • Signing “local” session tokens (JWT, cookies, etc.)

    • Third-party integrations (API authentication)

    • Integrity of data at rest

    In many of these scenarios, ECC signing is either too heavy or not possible due to third-party dependencies. For scenarios where the same Key Vault can do the signing and verification, it would be ideal for us to be able to either generate or import a symmetric key in Key Vault for use with HMAC.

    This would allow us to…

    1 vote

    0 comments  ·  Other
  20. Remove option to toggle IP config from dynamic to static

    As per documentation: "When creating a private endpoint, a read-only network interface is also created for the lifecycle of the resource. The interface is assigned dynamically private IP addresses from the subnet that maps to the private link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint."
    However, now the system lets you go into the NIC, go into the IP config and toggle the IP settings from dynamic to static. This is not allowed by the system and results in an error when saving. Please remove this option from here…

    1 vote

    0 comments  ·  Other