This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 45%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
I followed this guide: https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
Does key vault create log entries to diagnostics logs when key is being automatically rotated? I tried to find log entries but found nothing around time of key's created attribute. The only thing I see is a new key version with creation time that matches with my rotation policy.
@Janne Kujanpää ,
Key Vault can write log entries to Azure Monitor logs when certain events occur in the key vault. The logs can be used to monitor the key vault, troubleshoot issues, and track the key usage.
By default, Key Vault writes log entries for the following events:
You can enable logging for these events by configuring diagnostic settings for your key vault in the Azure portal. Once you have enabled logging, you can view the log entries in Azure Monitor logs or export them to a storage account or event hub.
It's worth noting that Key Vault does not generate log entries specifically for key rotation events. However, you can use the key version created time to determine when a key was rotated. You can also use the Azure Key Vault REST API to query the key version history and get information about key versions, including their creation and activation times.
----------
Please "Accept as Answer" and Upvote if any of the above helped so that it can help others in the community looking for remediation for similar issues.
It's worth noting that Key Vault does not generate log entries specifically for key rotation events. However, you can use the key version created time to determine when a key was rotated. You can also use the Azure Key Vault REST API to query the key version history and get information about key versions, including their creation and activation times.
That's on e solution. Are API endpoints for that available on control layer? Otherwise getting that information requires extra work to get through resource firewall.
https://learn.microsoft.com/en-us/rest/api/keyvault/keys/get-key-versions/get-key-versions?tabs=HTTP lists endpoint for data layers only but rest-api-spec(1) lists this being available on control layer.
-----------------
Of course the most optimal solution for this would be logging to DiagnosticsTable. What would be the best next point for feature suggestion?
-----------------
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 34%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFG%3C/text%3E%3C/svg%3E)
@Janne Kujanpää we've recently added the operations you're looking for: https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Keys#operation-names-table
KeyRotateIfDue will tell you when the key was rotated based on the rotation policy.
Thank you very much.
This was a good pointer to find the correct log entry:
* KeyRotateIfDue operation name
* and ResultSignature == "OK"
looks like to be a correct combination to find automated key rotations.
Missed ResultSignature earlier when checking logs.