Hey,
I would like to be able to create a custom Azure policy, with a custom non-compliance message, that is able to Deny creation or modification of Key Vault values (like Keys, Certificates or Secrets) if certain conditions hold.
As of now, Azure policies for Key Vault values with the Deny effect just don't work...
These types of Azure policies do exist as built-ins like policy but can't be customized in general.
Their assignment can't even get a customizable non-compliance message.
tom-tsabar changed the title from "Feature Request - customizable Azure Key Vault policies" to "Feature Request - customizable Azure Key Vault values policies" on Nov 26, 2024
@tom-tsabar thanks for reaching out. Key Vault is a special resource and works differently than normal resource policies. For obvious reasons, it's not possible to manipulate the contents of a Key Vault; however, you can interact with attributes (not values). Key Vault is a resource that uses a special Resource Provider mode to allow management of the vault. This mode is different to traditional policy modes and surfaces compliance differently in the portal (under Component Compliance instead of Resource Compliance), and this is why you can't set a custom non-compliance message at this time.
Depending on what you're doing in your Policy, you may need to ensure you are using the Resource Provider mode instead of the normal "Indexed" / "All".