Key Vault keys should have an expiration date

Description

By default, Key Vault keys have no expiration date, so a key that is leaked or otherwise compromised stays usable indefinitely. As a best practice, set an explicit expiration date on every key and rotate keys before that date arrives. Expiration is an attribute of a key version, not of the key name: a new version created during rotation needs its own expiration date, and setting an expiration date on its own does not rotate the key.

Remediation Steps

Azure Portal

  • Navigate to the Key Vault.

  • In the left navigation under Settings, select Keys.

  • Select the key, then select the key version you want to change (the current version, unless an older version is still in use).

  • Set "Set expiration date" to Yes, choose the expiration date, and save.

Azure CLI

  • To set an expiration date on a Key Vault key, pass a UTC timestamp in the form Y-m-d'T'H:M:S'Z' to --expires (for example 2026-01-01T00:00:00Z). Without --version the change applies to the latest version of the key; pass --version to update an older version that is still in use:

az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --expires 2026-01-01T00:00:00Z

az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --version <keyVersion> --expires 2026-01-01T00:00:00Z
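The portal and CLI steps above fix one key at a time. The following is an added example, not code from the original page or from Azure: it takes the JSON that `az keyvault key list --vault-name <vaultName>` prints, reports every key whose latest version has no `attributes.expires` value or expires within a warning window, and builds the matching `az keyvault key set-attributes` command with a correctly formatted UTC timestamp. The key list embedded below is constructed sample data in the shape of the CLI output (field set trimmed); the vault name `contoso-kv`, the key names and the one-year lifetime are assumptions for illustration. Run it with a vault name as the single argument to audit a real vault through the CLI, or with no argument to run against the sample data.

```python
"""Audit Key Vault keys for missing or imminent expiration and emit remediation commands.

Added example, not part of the original page. Parses the JSON printed by
`az keyvault key list --vault-name <vaultName>` and builds
`az keyvault key set-attributes ... --expires <UTC timestamp>` commands for
keys whose latest version has no expiration date.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az keyvault key list` output (fields trimmed).
# Vault and key names are assumptions for illustration only.
SAMPLE_KEY_LIST = json.dumps([
    {"name": "app-signing",
     "kid": "https://contoso-kv.vault.azure.net/keys/app-signing/1a2b",
     "attributes": {"enabled": True, "expires": None,
                    "created": "2024-01-10T08:00:00+00:00"}},
    {"name": "db-tde",
     "kid": "https://contoso-kv.vault.azure.net/keys/db-tde/3c4d",
     "attributes": {"enabled": True, "expires": "2030-06-30T00:00:00+00:00",
                    "created": "2024-03-01T08:00:00+00:00"}},
    {"name": "legacy-wrap",
     "kid": "https://contoso-kv.vault.azure.net/keys/legacy-wrap/5e6f",
     "attributes": {"enabled": True, "expires": "2025-01-15T00:00:00+00:00",
                    "created": "2022-05-05T08:00:00+00:00"}},
])

# Fixed reference time so the sample run is reproducible (an assumption, not "now").
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_expires(value):
    """Return an aware UTC datetime for an ISO 8601 expiry string, or None if unset."""
    if not value:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def find_noncompliant(key_list_json, now=None, warn_within_days=30):
    """Return [(key_name, reason)] for keys with no expiry or expiry inside the warning window.

    Only the latest version of each key appears in `az keyvault key list`; older
    versions would need `az keyvault key list-versions` to be audited the same way.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in json.loads(key_list_json):
        expires = parse_expires(key.get("attributes", {}).get("expires"))
        if expires is None:
            findings.append((key["name"], "no expiration date"))
        elif expires <= now + timedelta(days=warn_within_days):
            findings.append((key["name"], f"expires {expires.isoformat()}"))
    return findings


def format_expiry(dt):
    """Format a datetime as the UTC Y-m-dTH:M:SZ string that --expires accepts."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def remediation_commands(vault_name, key_list_json, lifetime_days=365, now=None):
    """Build one set-attributes command per key that has no expiration date.

    Keys that merely expire soon are reported by find_noncompliant but not
    touched here: they need rotation (a new version), not a pushed-out date.
    """
    now = now or datetime.now(timezone.utc)
    expiry = format_expiry(now + timedelta(days=lifetime_days))
    commands = []
    for name, reason in find_noncompliant(key_list_json, now=now, warn_within_days=0):
        if reason == "no expiration date":
            commands.append(
                f"az keyvault key set-attributes --vault-name {vault_name} "
                f"--name {name} --expires {expiry}"
            )
    return commands


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) == 2:
        # Live audit: requires a logged-in Azure CLI with list permission on the vault.
        vault, now = sys.argv[1], None
        data = subprocess.check_output(
            ["az", "keyvault", "key", "list", "--vault-name", vault, "-o", "json"],
            text=True)
    else:
        vault, now, data = "contoso-kv", SAMPLE_NOW, SAMPLE_KEY_LIST
    for name, reason in find_noncompliant(data, now=now):
        print(f"{name}: {reason}")
    for cmd in remediation_commands(vault, data, now=now):
        print(cmd)
```

The script prints the commands rather than executing them so the output can be reviewed before any key attribute changes; pipe it into `sh` once the list looks right. Keys that are about to expire are listed but not remediated, because the correct response there is to create a new key version with its own expiration date rather than extend the old one.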