New-AzKeyVault

Module:: Az.KeyVault Module

Creates a key vault.

Syntax

Default (Default)

New-AzKeyVault
    [-Name] <String>
    [-ResourceGroupName] <String>
    [-Location] <String>
    [-EnabledForDeployment]
    [-EnabledForTemplateDeployment]
    [-EnabledForDiskEncryption]
    [-EnablePurgeProtection]
    [-DisableRbacAuthorization]
    [-SoftDeleteRetentionInDays <Int32>]
    [-PublicNetworkAccess <String>]
    [-Sku <String>]
    [-Tag <Hashtable>]
    [-NetworkRuleSet <PSKeyVaultNetworkRuleSet>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [-SubscriptionId <String>]
    [<CommonParameters>]

Description

The New-AzKeyVault cmdlet creates a key vault in the specified resource group. This cmdlet also grants permissions to the currently logged on user to add, remove, or list keys and secrets in the key vault. Note: If you see the error The subscription is not registered to use namespace 'Microsoft.KeyVault' when you try to create your new key vault, run Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault" and then rerun your New-AzKeyVault command. For more information, see Register-AzResourceProvider.

The cmdlet may call below Microsoft Graph API according to input parameters:

GET /directoryObjects/{id}
GET /users/{id}
GET /servicePrincipals/{id}
GET /groups/{id}
GET /me

Examples

Example 1: Create a Standard key vault

New-AzKeyVault -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -Location 'East US'

Vault Name                       : contoso03vault
Resource Group Name              : group14
Location                         : East US
Resource ID                      : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/group14/providers
                                   /Microsoft.KeyVault/vaults/contoso03vault
Vault URI                        : https://contoso03vault.vault.azure.net/
Tenant ID                        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SKU                              : Standard
Enabled For Deployment?          :
Enabled For Template Deployment? :
Enabled For Disk Encryption?     :
Soft Delete Enabled?             : True
Access Policies                  :
                                   Tenant ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Object ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Application ID                             :
                                   Display Name                               : User Name (username@microsoft.com)
                                   Permissions to Keys                        : all
                                   Permissions to Secrets                     : all
                                   Permissions to Certificates                : all
                                   Permissions to (Key Vault Managed) Storage : all

Network Rule Set                  :
                                   Default Action                             : Allow
                                   Bypass                                     : AzureServices
                                   IP Rules                                   :
                                   Virtual Network Rules                      :

Tags                             :

This command creates a key vault named Contoso03Vault, in the Azure region East US. The command adds the key vault to the resource group named Group14. Because the command does not specify a value for the SKU parameter, it creates a Standard key vault.

Example 2: Create a Premium key vault

New-AzKeyVault -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -Location 'East US' -Sku 'Premium'

Vault Name                       : contoso03vault
Resource Group Name              : group14
Location                         : East US
Resource ID                      : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/group14/providers
                                   /Microsoft.KeyVault/vaults/contoso03vault
Vault URI                        : https://contoso03vault.vault.azure.net/
Tenant ID                        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SKU                              : Premium
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Soft Delete Enabled?             :
Access Policies                  :
                                   Tenant ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Object ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Application ID                             :
                                   Display Name                               : User Name (username@microsoft.com)
                                   Permissions to Keys                        : all
                                   Permissions to Secrets                     : all
                                   Permissions to Certificates                : all
                                   Permissions to (Key Vault Managed) Storage : all

Network Rule Set                 :
                                  Default Action                             : Allow
                                  Bypass                                     : AzureServices
                                  IP Rules                                   :
                                  Virtual Network Rules                      :

Tags                             :

This command creates a key vault, just like the previous example. However, it specifies a value of Premium for the SKU parameter to create a Premium key vault.

Example 3

$frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name frontendSubnet -AddressPrefix "110.0.1.0/24" -ServiceEndpoint Microsoft.KeyVault
$virtualNetwork = New-AzVirtualNetwork -Name myVNet -ResourceGroupName myRG -Location westus -AddressPrefix "110.0.0.0/16" -Subnet $frontendSubnet
$myNetworkResId = (Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myRG).Subnets[0].Id
$ruleSet = New-AzKeyVaultNetworkRuleSetObject -DefaultAction Allow -Bypass AzureServices -IpAddressRange "110.0.1.0/24" -VirtualNetworkResourceId $myNetworkResId
New-AzKeyVault -ResourceGroupName "myRg" -VaultName "myVault" -NetworkRuleSet $ruleSet -Location westus

Vault Name                       : myVault
Resource Group Name              : myRg
Location                         : East US
Resource ID                      : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myRg/providers
                                   /Microsoft.KeyVault/vaults/myVault
Vault URI                        : https://myVault.vault.azure.net/
Tenant ID                        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SKU                              : Premium
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Soft Delete Enabled?             :
Access Policies                  :
                                   Tenant ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Object ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Application ID                             :
                                   Display Name                               : User Name (username@microsoft.com)
                                   Permissions to Keys                        : all
                                   Permissions to Secrets                     : all
                                   Permissions to Certificates                : all
                                   Permissions to (Key Vault Managed) Storage : all

Network Rule Set                 :
                                  Default Action                             : Allow
                                  Bypass                                     : AzureServices
                                  IP Rules                                   : 110.0.1.0/24
                                  Virtual Network Rules                      : /subscriptions/0b1f6471-1bf0-4dda-ae
                                  c3-cb9272f09590/resourcegroups/myRg/providers/microsoft.network/virtualnetworks
                                  /myvnet/subnets/frontendsubnet

Tags                             :

Creating a key vault and specifies network rules to allow access to the specified IP address from the virtual network identified by $myNetworkResId. See New-AzKeyVaultNetworkRuleSetObject for more information.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	cf

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Parameter properties

Type:	IAzureContextContainer
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DisableRbacAuthorization

If specified, disables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be honored. Note that management actions are always authorized with RBAC.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-EnabledForDeployment

Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-EnabledForDiskEncryption

Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-EnabledForTemplateDeployment

Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-EnablePurgeProtection

If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Location

Specifies the Azure region in which to create the key vault. Use the command Get-AzLocation to see your choices.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	2
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Name

Specifies a name of the key vault to create. The name can be any combination of letters, digits, or hyphens. The name must start and end with a letter or digit. The name must be universally unique.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	VaultName

Parameter sets

(All)

Position:	0
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-NetworkRuleSet

Specifies the network rule set of the vault. It governs the accessibility of the key vault from specific network locations. Created by New-AzKeyVaultNetworkRuleSetObject.

Parameter properties

Type:	PSKeyVaultNetworkRuleSet
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-PublicNetworkAccess

Specifies whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. By default, we will enable public network access.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-ResourceGroupName

Specifies the name of an existing resource group in which to create the key vault.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	1
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Sku

Specifies the SKU of the key vault instance. For information about which features are available for each SKU, see the Azure Key Vault Pricing website (https://go.microsoft.com/fwlink/?linkid=512521).

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-SoftDeleteRetentionInDays

Specifies how long deleted resources are retained, and how long until a vault or an object in the deleted state can be purged. The default is 90 days.

Parameter properties

Type:	Int32
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-SubscriptionId

The ID of the subscription. By default, cmdlets are executed in the subscription that is set in the current context. If the user specifies another subscription, the current cmdlet is executed in the subscription specified by the user. Overriding subscriptions only take effect during the lifecycle of the current cmdlet. It does not change the subscription in the context, and does not affect subsequent cmdlets.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Parameter properties

Type:	Hashtable
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	Tags

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	wi

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Share via

New-AzKeyVault

Syntax

Default (Default)

Description

Examples

Example 1: Create a Standard key vault

Example 2: Create a Premium key vault

Example 3

Parameters

-Confirm

Parameter properties

Parameter sets

-DefaultProfile

Parameter properties

Parameter sets

-DisableRbacAuthorization

Parameter properties

Parameter sets

-EnabledForDeployment

Parameter properties

Parameter sets

-EnabledForDiskEncryption

Parameter properties

Parameter sets

-EnabledForTemplateDeployment

Parameter properties

Parameter sets

-EnablePurgeProtection

Parameter properties

Parameter sets

-Location

Parameter properties

Parameter sets

-Name

Parameter properties

Parameter sets

-NetworkRuleSet

Parameter properties

Parameter sets

-PublicNetworkAccess

Parameter properties

Parameter sets

-ResourceGroupName

Parameter properties

Parameter sets

-Sku

Parameter properties

Parameter sets

-SoftDeleteRetentionInDays

Parameter properties

Parameter sets

-SubscriptionId

Parameter properties

Parameter sets

-Tag

Parameter properties

Parameter sets

-WhatIf

Parameter properties

Parameter sets

CommonParameters

Inputs

String

SwitchParameter

Hashtable

Outputs

PSKeyVault

Related Links

Feedback