Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember, this site is for feature suggestions and ideas. For technical questions please try the documentation, the MSDN Forum or Stack Overflow.

  1. Allow write operations to a failed over Key Vault instance

    The documentation states that when a regional disaster happens, Azure Key Vault instances are failed over to a paired region as read-only:

    https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance

    While I understand that regional disasters are very unlikely, the odds of having to modify secrets such as connection strings after a regional disaster can be high.

    Being able to update a Key Vault after a disaster would increase the chances of meeting the business' RTO.

    1 vote

    0 comments  ·  Managing application secrets
  2. Multi-Region Key Vault

    Currently, Key Vault only supports one single region via a collocation constraint, but there are use cases in which having a multi-region Key Vault is necessary, such as Encryption Scope.

    What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one.

    1 vote

    0 comments  ·  Other
  3. Is there a way to programmatically create a key vault?

    I need to be able to programmatically create a key vault in code (C#). But I don't see any documentation that will allow me to do that except for az.

    1 vote

    0 comments  ·  Other
  4. Add ability to store any arbitrary string in Key Vault

    At the moment you can only add certificates, but there are many instances where you may want to set up arbitrary pieces of 'secret' text, like a password, connection string or other configuration information, that can be retrieved securely from somewhere.

    I would like to suggest this ability is added to Key Vault (I believe AWS has something similar called AWS Parameter Store).

    1 vote

    0 comments  ·  Managing application secrets
  5. Not require "Key Vault contributor" role for devops app user

    For Azure DevOps to access a Key Vault during deployment there is a process to create a custom role and assign it to the key vault: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-powershell#grant-access-to-the-secrets

    We discovered that it is also necessary to give the DevOps app user the Azure Key Vault Contributor role as well, which gives it more permissions than required. This has been verified with MS support.

    Please change this so that the deployment user only needs a read-only role to access the Vault during deployment.

    1 vote

    0 comments  ·  Managing application secrets
  6. Add ability to add RBAC role or Action Group as Azure Key Vault certificate contact

    It would be awesome if you could add the ability to set either or both RBAC roles and Action Groups as Azure Key Vault certificate contacts.

    This would be very nice to have especially for automation using Lighthouse for authentication, as Lighthouse alone can't be used to read Azure AD to get email addresses.

    1 vote

    0 comments  ·  Certificates
  7. 1 vote

    0 comments  ·  Custom applications
  8. Support Azure Key Vault Reference for Application Insights in Portal

    https://github.com/MicrosoftDocs/azure-docs/issues/40988

    When a key vault reference is configured for 'APPINSIGHTS_INSTRUMENTATIONKEY' in an Azure function app's application settings and the function's monitor blade is then opened, the portal throws an error that says 'App Insights instrumentation key in present in app settings but App Insights is not found in the function app's subscription.'

    BUT we do receive telemetry in Application Insights.

    1 vote

    0 comments  ·  Encryption at rest
  9. No Log for downloaded Certs

    Add a Log Analytics OperationName for when a Certificate is downloaded from the Vault. Since the Vault only allows downloading a cert without a PK password, allow us to generate an alert when the Certificate is downloaded so we can stop a person or check why they downloaded it. Currently none of the operations pinpoint that a download was attempted.

    1 vote

    0 comments  ·  Certificates
  10. API for creating a new version of a key instead of using the same create key command to create the key

    The command to create a new version of a key is the same command as create key. It has been tested that the same key name entered with different cases, e.g. apple, APPLE, APPle, does create a new version using the new key command.

    Can the commands for new key and new version be separated for API calling? The new key command should check for an existing key before creation, and create new version should be for creating a new version of the key.

    1 vote

    0 comments  ·  Other
  11. Missing "import" key operation

    Hello everyone,

    I am trying to use BYOK for HSM, following the steps in the article: https://docs.microsoft.com/en-us/azure/key-vault/hsm-protected-keys-vendor-agnostic-byok

    But I can't find the "import" key operation as mentioned, even using PowerShell.

    Any help?

    1 vote

    0 comments  ·  Other
  12. BYOK: Enable HSM and Key Vault traceability

    When using the BYOK procedure, after uploading your HSM-generated key to the Key Vault there is zero traceability to confirm that what was uploaded in the cloud is actually what you have originally generated with your nCipher HSM.
    The solution is very simple: nCipher HSMs already generate hashes for the generated keys in the security world metadata, so AKV should store / display the hash after a successful upload so you can verify your keys at any time.

    Otherwise the following attack scenario is possible (if unlikely):

    Prerequisites:
    * Knowledge of the attack target's subscription ID (not particularly confidential information at…

    1 vote

    0 comments  ·  Other
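
An added example (not from the post, and not Azure or nCipher code) of how a customer can get the traceability the post asks for today: record the RFC 7638 thumbprint of the public half of the HSM-generated key before the BYOK upload, then compare it against the JWK that Key Vault returns for the imported key. The JWK values below are constructed placeholders, not real key material.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: only these members, serialised in lexicographic order with no
# whitespace, feed the thumbprint; kid, key_ops, x5c etc. are ignored.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """RFC 7638 thumbprint of a public JWK, base64url without padding."""
    kty = jwk.get("kty", "")
    # Key Vault reports HSM-backed keys as "RSA-HSM" / "EC-HSM"; the public
    # material is the same, so normalise to the RFC key type before hashing.
    if kty.endswith("-HSM"):
        kty = kty[:-4]
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}")
    try:
        canonical = {m: (kty if m == "kty" else jwk[m]) for m in REQUIRED_MEMBERS[kty]}
    except KeyError as exc:
        raise ValueError(f"JWK is missing required member {exc}") from None
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64url(hashlib.new(hash_name, encoded).digest())

def verify_uploaded_key(expected_thumbprint: str, vault_jwk: dict) -> bool:
    """True if the key read back from the vault matches the thumbprint recorded before upload."""
    return hmac.compare_digest(expected_thumbprint, jwk_thumbprint(vault_jwk))

# Constructed placeholders, not real key material: the public half recorded
# on-prem before the BYOK upload, and the JWK Key Vault hands back afterwards.
ONPREM_PUBLIC_JWK = {"kty": "RSA", "n": "placeholder-modulus", "e": "AQAB"}
VAULT_JWK = {
    "kid": "https://example-vault.vault.azure.net/keys/byok-key/placeholder-version",
    "kty": "RSA-HSM",
    "key_ops": ["sign", "verify", "wrapKey", "unwrapKey"],
    "n": "placeholder-modulus",
    "e": "AQAB",
}

if __name__ == "__main__":
    recorded = jwk_thumbprint(ONPREM_PUBLIC_JWK)  # store this with the HSM's own key hash
    print("vault key matches recorded thumbprint:", verify_uploaded_key(recorded, VAULT_JWK))
```

In practice the recorded thumbprint is kept alongside the security world metadata and the check is re-run whenever the key's JWK is fetched from the vault, so a substituted key is detected rather than trusted.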
  13. Show certificate thumbprint in AzurePortal

    Please make a way to see the certificate thumbprints in the Azure portal.
    Preferably there should also be a way to search by thumbprint to identify the corresponding certificate.

    1 vote

    2 comments  ·  Certificates
  14. Microsoft Security World Information for Key Vault

    I would like to see the security world package information for the Key Vault in the Key Vault information so that it is easier to deduce the package to use. This must be made available in AzPs, CLI, SDK and via the REST APIs.

    Get-AzureRmKeyVault -VaultName Bxxxxxxxp

    VaultUri : https://bxxxxxxxp.vault.azure.net/
    TenantId : 0b98xxxx-xxxx-xxxx-xxxx-xxxxxxxxf102
    TenantName : 0b98xxxx-xxxx-xxxx-xxxx-xxxxxxxxf102
    Sku : Premium
    EnabledForDeployment : False
    EnabledForTemplateDeployment : False
    EnabledForDiskEncryption : False
    EnableSoftDelete :
    OriginalVault : Microsoft.Azure.Management.KeyVault.Models.Vault
    ResourceId : /subscriptions/2ed3xxxx-xxxx-xxxx-xxxx-xxxxxxxxf1f7/resourceGroups/Bxxxxxxxp/providers/Microsoft.KeyVault/vaults/Bxxxxxxxp
    VaultName : Bxxxxxxxp
    ResourceGroupName : Bxxxxxxxp
    Location : westeurope
    Tags : {}
    TagsTable :
    SecurityWorldRegion : Europe | France | Germany etc.

    > Name of…

    1 vote

    0 comments  ·  Other
  15. Dedicated HSMs as-a-service

    Hi,

    It would be really great to be able to achieve FIPS level 3 in a (new, separately priced) tier in KeyVault.

    Today, we would have to step into the domain of a dedicated HSM for that, which is a completely different beast to tackle (and it has no SLA).

    So please consider adding FIPS level 3 as an option to KeyVault, and make it possible to upgrade an existing vault to this level.

    1 vote

    0 comments  ·  Other
  16. KeyVaultErrorException Error validating token: IDX10223 after changing timezone on laptop

    Fix exception after changing timezone on laptop. Or warn developers not to change timezones on business trip.

    Went on business trip where I changed the timezone.
    Everything worked fine.
    Returned home and restored timezone.
    .Net Core application stops working due to exception.

    Microsoft.Azure.KeyVault.Models.KeyVaultErrorException Error validating token: IDX10223
    HResult=0x80131500
    Message=Error validating token: IDX10223
    Source=Microsoft.Azure.KeyVault

    1 vote

    1 comment  ·  Managing application secrets
  17. Facilitate Key Vault Diagnostics Policies

    A Key Vault and the corresponding Diagnostics are seen as two separate resources.

    It is hence impossible (as advised by customer support) to create a policy preventing key vaults with no diagnostics from being deployed.

    1 vote

    0 comments
  18. Allow RunAs accounts to directly use Key Vault certificates.

    You can upload a self-signed certificate file for a RunAs account. I'd like to use Key Vault to create & renew a self-signed certificate for a RunAs account.

    1 vote

    0 comments
  19. Allow creation of "living" secrets that are linked to a resource and always return an active key

    As an alternative to rotating keys, it would be cool if you could create a key vault secret that was linked to a resource such as blob storage or cosmos db that uses keys for authentication, so that when you call the GET operation on that secret it can proxy the request to that resource's listkeys operation and automatically choose one. In this way, it would guarantee that any time you reach out to key vault for that secret, you would be sure to get an active key. For this to work, I expect Azure would need to associate a…

    1 vote

    0 comments  ·  Managing application secrets
  20. Key Vault version control and management

    Enable versioning and tagging of entire Key Vault properties to enable quick switching between configurations.

    AND/OR enable online backup of a Key Vault to achieve the same effect.

    Additionally, the Key Vault user interface makes it very hard and inefficient to make a lot of changes and is error prone, so an improved table-based UI might help?

    1 vote

    0 comments  ·  Other