Key Vault secrets should have an expiration date


By default, Key Vault secrets never expire, so a compromised secret remains usable indefinitely and nothing prompts anyone to rotate it. As a best practice, set an explicit expiration date on every secret and rotate secrets before that date. Note that expiration only stops the secret from being retrieved from the vault; it does not invalidate the credential at the system that accepts it, so rotation is still required.

Remediation Steps

Azure Portal

  • Navigate to Key Vaults.

  • Select the Key Vault that holds the secret.

  • In the left navigation under Settings, select Secrets.

  • Select the secret and open its current version (the one with Enabled set to Yes).

  • Set the expiration date and save.

Azure CLI

  • To set an expiration date on the current version of a Key Vault secret (the value is a UTC timestamp; pass --version to target an older version instead):

az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'
# for example: --expires 2025-12-31T23:59:59Z
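Setting one date by hand does not tell you which other secrets in the vault still lack one, or which ones were given a far-future date that satisfies the check without any real rotation. The following added example (not part of the original page or of the Azure CLI) audits the JSON that `az keyvault secret list --vault-name <vaultName>` prints and renders the set-attributes command for each offender. The vault name, secret names, dates and the 90-day policy window are constructed assumptions; the sample list is embedded so the script runs offline.

```python
"""Audit Key Vault secrets for a missing or unreasonably distant expiration.

Added example, not the page's or Azure's own code. It consumes the JSON
shape produced by `az keyvault secret list`, so in practice you would pipe
that output in; here a constructed sample is embedded instead.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_DAYS = 90                     # assumed rotation policy: expiry at most this far out
AZ_FMT = "%Y-%m-%dT%H:%M:%SZ"     # the Y-m-d'T'H:M:S'Z' form that --expires accepts

# Constructed sample in the shape `az keyvault secret list` returns
# (az prints ISO-8601 timestamps with a +00:00 offset and null when unset).
SAMPLE_LIST = json.dumps([
    {"name": "db-password", "attributes": {"enabled": True,  "expires": None}},
    {"name": "api-token",   "attributes": {"enabled": True,  "expires": "2025-03-01T00:00:00+00:00"}},
    {"name": "legacy-key",  "attributes": {"enabled": True,  "expires": "2099-12-31T23:59:59+00:00"}},
    {"name": "old-cert",    "attributes": {"enabled": False, "expires": None}},
])

# Fixed "now" so the audit is reproducible; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def parse_az_time(value):
    """Parse the timestamp az prints; tolerate a trailing 'Z' on older Pythons."""
    if value is None:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def audit_secrets(list_json, now, max_days=MAX_DAYS):
    """Return {secret name: reason} for enabled secrets that violate the policy.

    A secret is flagged when it has no expiration date, or when it expires more
    than max_days from now (a year-2099 date passes a naive "has expiry" check
    while defeating its purpose). Disabled secrets cannot be read and are skipped.
    """
    findings = {}
    for secret in json.loads(list_json):
        attrs = secret.get("attributes", {})
        if not attrs.get("enabled", False):
            continue
        expires = parse_az_time(attrs.get("expires"))
        if expires is None:
            findings[secret["name"]] = "no expiration date"
        elif expires - now > timedelta(days=max_days):
            findings[secret["name"]] = f"expires more than {max_days} days out ({expires.date()})"
    return findings


def expiry_arg(now, days=MAX_DAYS):
    """Build the --expires value: UTC, `days` from now, in the format az expects."""
    return (now.astimezone(timezone.utc) + timedelta(days=days)).strftime(AZ_FMT)


def remediation_commands(vault, findings, now, days=MAX_DAYS):
    """Render one `az keyvault secret set-attributes` command per flagged secret.

    The commands are returned as strings for review; nothing is executed here.
    """
    expires = expiry_arg(now, days)
    return [
        f"az keyvault secret set-attributes --vault-name {vault} --name {name} --expires {expires}"
        for name in sorted(findings)
    ]


if __name__ == "__main__":
    found = audit_secrets(SAMPLE_LIST, SAMPLE_NOW)
    for name, reason in found.items():
        print(f"{name}: {reason}")
    for cmd in remediation_commands("myvault", found, SAMPLE_NOW):
        print(cmd)
```

On the constructed sample this flags db-password (no date) and legacy-key (2099), leaves api-token alone, and skips the disabled old-cert. The printed commands only set the date; they do not rotate the value, so pair them with your rotation process. After applying a command, `az keyvault secret show --name <secretName> --vault-name <vaultName> --query attributes.expires` confirms that the date landed on the current version.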