- Fixed a parameter validation issue in Set-AzureKeyVaultCertificatePolicy. [#25649]
- Fixed secrets exposure in example documentation.
- Upgraded Get-AzKeyVaultKey for key vault key to track 2 SDK.
- Fixed an issue during merging certificate process. [#24323]
- [Breaking change] Removed the offline fallback policy when parameter `UseDefaultCVMPolicy` is specified in `Add-AzKeyVaultKey`. Key creation will fail if unable to get regional default CVM SKR policy from MAA Service Discovery API.
- [Breaking change] Removed parameter `Value` from `Invoke-AzKeyVaultKeyOperation`.
- [Breaking change] Removed property `Result` from the output type `PSKeyOperationResult` of `Invoke-AzKeyVaultKeyOperation`.
- [Breaking Change] Replaced parameter `EnableRbacAuthorization` by `DisableRbacAuthorization` in `New-AzKeyVault` and `Update-AzKeyVault`.
  - RBAC will be enabled by default during the process of key vault creation.
- Introduced secrets detection feature to safeguard sensitive data.
- [Upcoming Breaking Change] Added breaking change warning message for parameter `UseDefaultCVMPolicy` of `Add-AzKeyVaultKey`.
  - The offline fallback policy will be removed. Key creation will fail if unable to get regional default CVM SKR policy from MAA Service Discovery API.
- Added parameter `PolicyPath` in `Add-AzKeyVaultCertificate` to support custom policy in the process of certificate enrollment.
- Upgraded the API version of merging certificate to 7.5. [#24323]
- Introduced secrets detection feature to safeguard sensitive data.
- Formatted the output of Azure Key Vault certificate in removed state. [#24333]
- [Upcoming Breaking Change] Added breaking change warning message for parameter `EnableRbacAuthorization` of `New-AzKeyVault` and `Update-AzKeyVault`.
  - RBAC will be enabled by default during the process of key vault creation. To disable RBAC authorization, please use parameter 'DisableRbacAuthorization'.
  - Parameter `EnableRbacAuthorization` is expected to be removed in Az.KeyVault 6.0.0 and Az 12.0.0.
  - Parameter `EnableRbacAuthorization` is expected to be replaced by `DisableRbacAuthorization`.
- Upgraded Azure.Core to 1.37.0.
- Supported `HsmPlatform` in `KeyAttributes`.
- Supported authentication via User Managed Identity by adding parameter `UseUserManagedIdentity` and making `SasToken` optional.
- Added parameter `ByteArrayValue` in `Invoke-AzKeyVaultKeyOperation` to support operating byte array without conversion to secure string.
- Added Property `RawResult` in the output type `PSKeyOperationResult` of `Invoke-AzKeyVaultKeyOperation`.
- [Upcoming Breaking Change] Added breaking change warning message for parameter `Value` in `Invoke-AzKeyVaultKeyOperation`.
  - Parameter `Value` is expected to be removed in Az.KeyVault 6.0.0
  - `ByteArrayValue` is the alternative of parameter `Value` in byte array format
- [Upcoming Breaking Change] Added breaking change warning message for the output type `PSKeyOperationResult` of `Invoke-AzKeyVaultKeyOperation`.
  - Property `Result` is expected to be removed in Az.KeyVault 6.0.0
  - Property `RawResult` is the alternative of parameter `Result` in byte array format
- Removed redundant Microsoft Graph API calls for access policy in `Get-AzKeyVault`.
- Removed non-core types creation in PowerShell scripts to be compatible in constrained language mode.
- Supported user assigned identity for Managed HSM in `New/Update-AzKeyVaultManagedHsm`
- [Breaking Change] Changed parameter `SoftDeleteRetentionInDays` in `New-AzKeyVaultManagedHsm` to mandatory.
- Upgraded Azure.Core to 1.35.0.
- Supported splitting `Import-AzKeyVaultSecurityDomain` process into three steps to allow keys to be hidden offline.
  - Added `DownloadExchangeKey`, `RestoreBlob` and `ImportRestoredBlob` in `Import-AzKeyVaultSecurityDomain`.
- Fixed certificate policy bugs if DnsName is null. [#22642]
- Supported multi-regions for Managed Hsm: Added `Add/Get/Remove-AzAzKeyVaultManagedHsmRegion`.
- Added `Test-AzKeyVaultNameAvailability` and `Test-AzKeyVaultManagedHsmNameAvailability`.
- Formatted the table view of `*-AzKeyVault`, `*-AzKeyVaultKey` and `*-AzKeyVaultSecret`
- Added `SecurityDomain` and `Regions` properties into the output of `New/Update/Get-AzKeyVaultManagedHsm` (`PSManagedHsm`).
- Supported Setting for Managed HSM: Added `Get-AzKeyVaultSetting` and `Update-AzKeyVaultSetting`.
- Updated Azure.Core to 1.34.0.
- Bug Fix: Removed duplicated IpRules from `NetworkRuleSet` and `MhsmNetworkRuleSet`. [#22472]
- Removed maximum number for `IpAddressRange` and `VirtualNetworkResourceId` in `*-AzKeyVaultNetworkRuleSet*` from client side. [#22137]
- Updated Azure.Core to 1.33.0.
- Added breaking change announcement for parameter `SoftDeleteRetentionInDays` in `New-AzKeyVaultManagedHsm`. The parameter `SoftDeleteRetentionInDays` is becoming mandatory
  - This change will take effect on version 5.0.0
- Changed the encoding way from a string into byte array in `Invoke-AzKeyVaultKeyOperation` from ASCII to UTF8. UTF8 is backward-compatible with ASCII. [#21269]
- Bug fix: Changed the decoding way from byte array into a string from system default encoding to UTF8 to match encoding way. [#21269]
- Added parameter `PolicyPath` and `PolicyObject` in `Import-AzKeyVaultCertificate` to support custom policy [#20780]
- Added breaking change announcement for `Invoke-AzKeyVaultKeyOperation`. The encoded/decoded way between string and bytes in `Invoke-AzKeyVaultKeyOperation` will change to UTF8.
  - This change will take effect on 5/23/2023
  - The change is expected to take effect from the version 5.0.0
- Updated Azure.Core to 1.31.0.
- Updated Azure.Core to 1.28.0.
- Fixed certificate export parameter issue in `Add-AzKeyVaultKey` [#19623]
- Fixed CertificateString decoding issue in `Import-AzKeyVaultCertificate`
- Shifted the location of key CVM release policy to GitHub [#19984]
- Added fallback logic (reading default CVM policy from a local copy) if fetching default CVM Policy from GitHub failed.
- Bumped API version to 2022-07-01
- Added `Undo-AzKeyVaultManagedHsm` to recover deleted managed HSM
- Fixed the exception content swallowed issue when exception.Response is null [#19531]
- Added the existing parameters `Exportable`, `Immutable`, `UseDefaultCVMPolicy`, and `ReleasePolicyPath` to the parameter sets `InteractiveCreate`, `InputObjectCreate`, and `ResourceIdCreate`.
- Fixed parameter validation logic of `-UseDefaultCVMPolicy`
- Added parameter `ContentType` in `Import-AzKeyVaultCertificate` to support importing pem via certificate string
- Allowed `DnsName` in `New-AzKeyVaultCertificatePolicy` to accept an empty list [#18954]
- Removed the warning messages for MSGraph migration [#18856]
- Supported importing pem certificate by `Import-AzKeyVaultCertificate` [#18494]
- Supported accepting rotation policy in a JSON file
- [Breaking Change] Changed parameter `ExpiresIn` in `Set-AzKeyVaultKeyRotationPolicy` from TimeSpan? to string. It must be an ISO 8601 duration like "P30D" for 30 days.
- [Breaking Change] Changed output properties `ExpiresIn`, `TimeAfterCreate` and `TimeBeforeExpiry` of `Set-AzKeyVaultKeyRotationPolicy` and `Get-AzKeyVaultKeyRotationPolicy` from TimeSpan? to string.
- Supported creating/updating key with release policy in a Managed HSM
- Removed default value for `EnabledForDeployment`, `EnabledForTemplateDeployment`, `EnabledForDiskEncryption` and `EnableRbacAuthorization` during the process of key vault creation
- Changed default access policies for Key Vault secret, certificate and storage as `All`
- Added `Rotate` into the list of permissions to keys [#17970]
- Supported getting random number from managed HSM by `Get-AzKeyVaultRandomNumber`
- Skipped subscription connection status validation for Az.KeyVault.Extension [#17712]
- Enabled public network access setting
- Fixed a bug to continue visiting `NextPageLink` when listing key vaults from ARM API
- `New-AzKeyVaultManagedHsm`: supported specifying how long a deleted managed hsm is retained by `SoftDeleteRetentionInDays` and enabling purge protection by `EnablePurgeProtection`
- `Update-AzKeyVaultManagedHsm`: supported enabling purge protection by `EnablePurgeProtection`
- `Get-AzKeyVaultManagedHsm`: Supported getting or listing deleted managed HSM(s)
- `Remove-AzKeyVaultManagedHsm`: Supported purging a specified deleted managed HSM
- Improved the error message of Az.KeyVault.Extension [#16798]
- Added default access policies for Key Vault key as "All but purge"
- Absorbed KeyOps from parameter when importing key from certificate on managed HSM [#16773]
- Fixed a bug when updating key operations on managed HSM [#16774]
- Fixed the issue when importing no-password certificate [#16742]
- Added cmdlets: `Invoke-AzKeyVaultKeyRotation`, `Get-AzKeyVaultKeyRotationPolicy` and `Set-AzKeyVaultKeyRotationPolicy`
- [Breaking Change] Renamed properties of `PSKeyVaultPermission` type to follow the pattern of Azure RBAC.
- Migrated AAD Graph API to MSGraph API.
- Added a message to `Set-AzKeyVaultAccessPolicy` stating that for the Permissions parameters, using the 'All' option will not include the 'Purge' permission.
- Added warning message of upcoming breaking change to `New-AzKeyVaultRoleDefinition` and `Get-AzKeyVaultRoleDefinition`.
  - To comply with the syntax of `New-AzRoleDefinition` and `Get-AzRoleDefinition` we are going to rename some of the properties of `PSKeyVaultPermission` model, which might affect these two cmdlets.
- Added warnings of upcoming breaking change of migrating to Microsoft Graph.
- Supported custom role definitions on managed HSM:
  - Create via `New-AzKeyVaultRoleDefinition`,
  - Delete via `Remove-AzKeyVaultRoleDefinition`,
  - Filter all custom roles via `Get-AzKeyVaultRoleDefinition -Custom`.
- Supported Encrypt/Decrypt/Wrap/Unwrap using keys [#15679]
- Enabled managing resources in other subscriptions without switching the context by adding `-Subscription <String>`.
- Supported adding EC keys in key vault [#15699]
- Removed duplicate list item in `Get-AzKeyVault` [#15164]
- Added `SecretManagement` tag to `Az.KeyVault` module [#15173]
- Provided key size for RSA key [#14819]
- Fixed a bug for `Get-AzKeyVaultSecret -IncludeVersions` when current version is disabled [#14740]
- Displayed error code and message when updating purged secret [#14800]
- Fixed a bug for `Get-AzKeyVaultSecret -AsPlainText` if the secret is not found [#14645]
- Supported upcoming new API design for `Export-AzKeyVaultSecurityDomain`
- Fixed several typos in cmdlet messages [#14341]
- Supported specifying key type and curve name when importing keys via a BYOK file
- Fixed an issue in Secret Management module
- Added a new parameter `-AsPlainText` to `Get-AzKeyVaultSecret` to directly return the secret in plain text [#13630]
- Supported selective restore a key from a managed HSM full backup [#13526]
- Fixed some minor issues [#13583] [#13584]
- Added missing return objects of `Get-Secret` in SecretManagement module
- Fixed an issue that may cause vault to be created without default access policy [#13687]
- Supported "all" as an option when setting key vault access policies
- Supported new version of SecretManagement module [#13366]
- Supported ByteArray, String, PSCredential and Hashtable for `SecretValue` in SecretManagementModule [#12190]
- [Breaking change] redesigned the API surface of cmdlets related to managed HSM.
- Supported updating key vault tag
- [Breaking Change] Deprecated parameter DisableSoftDelete in `New-AzKeyVault` and EnableSoftDelete in `Update-AzKeyVault`
- [Breaking Change] Removed attribute SecretValueText to avoid displaying SecretValue directly [#12266]
- Supported new resource type: managed HSM
- CRUD of managed HSM and cmdlets to operate keys on managed HSM
- Full HSM backup/restore, AES key creation, security domain backup/restore, RBAC
- Provided the detailed date of removing property SecretValueText
- Added support for RBAC authorization [#10557]
- Enhanced error handling in `Set-AzKeyVaultAccessPolicy` [#4007]
- Added warning messages for planning to disable soft delete
- Added warning messages for planning to remove attribute SecretValueText
- Removed two aliases: `New-AzKeyVaultCertificateAdministratorDetails` and `New-AzKeyVaultCertificateOrganizationDetails`
- Enabled soft delete by default when creating a key vault
- Network rules can be set to govern the accessibility from specific network locations when creating a key vault
- Added support to bring your own key (BYOK)
  - `Add-AzKeyVaultKey` supports generating a key exchange key
  - `Get-AzKeyVaultKey` supports downloading a public key in PEM format
- Updated the "KeyOps" part of the help document of `Add-AzKeyVaultKey`
- Added a new cmdlet `Update-AzKeyVault` that can enable soft delete and purge protection on a vault
- Added support to Microsoft.PowerShell.SecretManagement [#11178]
- Fixed error in the examples of `Remove-AzKeyVaultManagedStorageSasDefinition` [#11479]
- Added support to private endpoint
- Added breaking change attributes to `New-AzKeyVault`
- Fixed duplicated text for Add-AzKeyVaultKey.md
- Add Name alias to VaultName attribute to make Remove-AzureKeyVault consistent with New-AzureKeyVault.
- Update references in .psd1 to use relative path
- Fixed error accessing value that is potentially not set
- Elliptic Curve Cryptography Certificate Management
- Added support to specify the Curve for Certificate Policies
- Fixed miscellaneous typos across module
- Added support to specify the KeySize for Certificate Policies
- Updated cmdlets with plural nouns to singular, and deprecated plural names.
- Fix documentation for wildcards
- Added wildcard support to KeyVault cmdlets
- Fix tagging on Set-AzKeyVaultSecret
- Update incorrect online help URLs
- General availability of `Az.KeyVault` module
- Remove deprecated PurgeDisabled property from PS models