Azure – You can now automatically generate new key version (auto-rotation) in Key Vault (preview)

As you should already know you can use Azure Key Vault to store secret (either keys, secret or certificates) in a secure way for use by end users and/or automation.

Well, until then when you had a key going to expired you had to manually renew/update it.

Not anymore, you can now configure auto-rotation to automatically create a new key version when needed.

Before you start looking into it, few things:

  • You need to have Key Vault Administrator role assigned to the user/group going to manage the auto-rotation feature
  • You need to grant the Rotation and Get Rotation Policy permissions in the Access Policies
  • You can enable the auto-rotation on existing keys

During the preview there is no cost associated with it; once GA, there will be a cost (US $1 per rotation).

Grant the Key Vault Administrator role

Connect to your Azure portal ( to access the Access Control blade of the Key Vault you want to grant the role and configure auto-rotation

image  image

Enable the Rotation permissions

To enable the Rotation permissions, access the Access Policies to edit existing policy or create a new one and grant at minimum the Get Rotation Policy permission; you can also grant the Rotate permission if you want to allow the identity to allow the rotation on demand


If you don’t grant these permissions, when you will create a new Key and configure the the auto-rotation you will get the error

The operation “Get Rotation Policy” is not enabled in this key vault’s access policy.


Configure the auto-rotation

You can enable the auto-rotation during the creation of a new key or edit an existing one by accessing the key and access the Rotation policy tab

The Expiry time must be at least 28 days

image  image  image

If you also have granted the Rotate permission to the identity, you can use the Rotate now to immediately rotate the version; this can be helpful if you urgently need to rotate


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.