Azure Key Vault – How to configure key auto rotation step by step

Azure Key Vault stores the keys, secrets and certificates that applications use to access resources securely. Automated key rotation was one of the most awaited features, and it is now available in public preview. The feature lets users, DevOps pipelines, or scripting tools such as PowerShell configure an auto-rotation policy. Azure then automatically generates a new version of the key at the specified interval.

Points to Remember

  1. The user must have the rotation policy operations granted in the Key Vault access policies.
  2. Rotation is configured for each key individually.
  3. On-demand rotation is allowed with or without a configured rotation policy.
  4. Needs “Key Vault Administrator” to perform key rotation.
  5. Zero human interaction needed.

Rotation Policy Parameters

  1. Expiry time: the key expiration interval. It is used to set the expiration date on a newly rotated key. It does not affect the current key.
  2. Enabled/disabled: activates or deactivates rotation of the key.
  3. Rotation types:
    • Automatically renew at a given time after creation (default)
    • Automatically renew at a given time before expiry. It needs ‘Expiry Time’ set on rotation policy and ‘Expiration Date’ set on the key.
  4. Rotation time: the key rotation interval. The minimum value is 7 days from creation and 7 days from expiration time.
  5. Notification time: the key-near-expiry event interval for Event Grid notification. It requires ‘Expiry Time’ set on the rotation policy and ‘Expiration Date’ set on the key.

Figure 1: Add New Policy
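
The parameter rules listed above can be checked before a policy is applied. The following is an added example, not code from the original post or from Microsoft: it lints a policy document in the JSON layout used by the Key Vault rotation policy REST API and `az keyvault key rotation-policy update`. The function names, the 365-day year and 30-day month approximations, and the two sample policies are assumptions made for illustration.

```python
import re

# Durations are ISO 8601 strings such as "P18M", "P2Y" or "P30D".
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")
MIN_DAYS = 7  # minimum rotation distance from creation and from expiry (see list above)

def duration_days(value):
    """Convert a duration to days, approximating 1Y = 365 days and 1M = 30 days."""
    m = _DURATION.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    years, months, days = (int(g or 0) for g in m.groups())
    return years * 365 + months * 30 + days

def lint_rotation_policy(policy, key_has_expiration_date):
    """Return findings for a rotation policy dict; an empty list means no issue found."""
    findings = []
    expiry = (policy.get("attributes") or {}).get("expiryTime")
    actions = policy.get("lifetimeActions") or []
    if not any(a["action"]["type"].lower() == "rotate" for a in actions):
        findings.append("no Rotate action: automatic rotation is disabled")
    for a in actions:
        kind = a["action"]["type"].lower()
        trigger = a.get("trigger") or {}
        after, before = trigger.get("timeAfterCreate"), trigger.get("timeBeforeExpiry")
        if before and not (expiry and key_has_expiration_date):
            findings.append(f"{kind}: timeBeforeExpiry needs expiryTime on the policy "
                            "and an expiration date on the key")
        if kind != "rotate":
            continue
        if after and duration_days(after) < MIN_DAYS:
            findings.append("rotate: less than 7 days after creation")
        if before and duration_days(before) < MIN_DAYS:
            findings.append("rotate: less than 7 days before expiry")
        # Assumed reading of "7 days from expiration time" for the after-creation type.
        if after and expiry and duration_days(expiry) - duration_days(after) < MIN_DAYS:
            findings.append("rotate: rotation falls less than 7 days before expiry")
    return findings

# Constructed sample policies (not taken from a real vault).
GOOD = {"lifetimeActions": [
            {"trigger": {"timeAfterCreate": "P18M"}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}}],
        "attributes": {"expiryTime": "P2Y"}}
BAD = {"lifetimeActions": [
           {"trigger": {"timeAfterCreate": "P3D"}, "action": {"type": "Rotate"}},
           {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}}],
       "attributes": {}}
```

`lint_rotation_policy(GOOD, True)` returns no findings, while `BAD` is flagged for a rotation interval under 7 days and for a notification trigger without an expiry time on the policy.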

Set Rotation Policy

You can create a new rotation policy at the time of key creation, and you can also add a rotation policy to an existing key. Let's see these options in the Azure portal.

You can add a rotation policy by going to a key and clicking Rotation policy, as shown below:

Figure 2: Add Rotation Policy

Rotation Policy Operations

You can create a rotation policy only if the rotation policy operations are allowed in the access policies. So, before you create a new key or apply a rotation policy to a key, these settings must be in place.

Figure 3: Operation Access Policies

If the rotation policy operations are not granted to the user, the rotation policy cannot be created, as shown in the message below.

Figure 4: Missing Operation Policies

Once the operation permissions are given to the user, you can add a rotation policy at key creation time by configuring a new policy, as shown below:

Figure 5: Set rotation policy during key creation


Once the rotation policy is configured, you can either wait for the policy to trigger automatically or rotate the key immediately by using the “Rotate Now” option.

Another version of the auto-rotated key is created using the “Rotate Now” option.

So, this covers the key auto-rotation feature in Key Vault. I hope you enjoyed learning about it.

If you have any suggestions/feedback, please put them in the comment box.

Happy Learning 🙂
