Selective Key Restore Operation

Restores all key versions of a given key using a user-supplied SAS token pointing to a previously stored Azure Blob storage backup folder.

PUT {vaultBaseUrl}/keys/{keyName}/restore?api-version=2025-07-01

URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| keyName | path | True | string | The name of the key to be restored from the user supplied backup |
| vaultBaseUrl | path | True | string (uri) | |
| api-version | query | True | string (minLength: 1) | The API version to use for this operation. |

Request Body

| Name | Required | Type | Description |
|---|---|---|---|
| folder | True | string | The Folder name of the blob where the previous successful full backup was stored |
| sasTokenParameters | True | SASTokenParameter | A user-provided SAS token to an Azure blob storage container. |

Responses

| Name | Type | Description |
|---|---|---|
| 202 Accepted | SelectiveKeyRestoreOperation | The request has been accepted for processing, but processing has not yet completed. Headers: Azure-AsyncOperation: string; Retry-After: integer |
| Other Status Codes | KeyVaultError | An unexpected error response. |

Security

OAuth2Auth

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

| Name | Description |
|---|---|
| https://vault.azure.net/.default | |

Examples

Restores all key versions of a given key

Sample request

PUT https://myvault.vault.azure.net/keys/hsm-mail-key/restore?api-version=2025-07-01

{
  "sasTokenParameters": {
    "storageResourceUri": "https://myaccount.blob.core.windows.net/sascontainer/sasContainer",
    "token": "se=2018-02-01T00%3A00Z&spr=https&sv=2017-04-17&sr=b&sig=REDACTED"
  },
  "folder": "mhsm-mypool-20200303062926785"
}

Sample response

Retry-After: 5
Azure-AsyncOperation: https://myvault.vault.azure.net/restore/45aacd568a23b0s49a2803861e8dd3ase21f/pending
{
  "status": "InProgress",
  "statusDetails": "Selective Key restore is in progress",
  "jobId": "45aacd568a23b0s49a2803861e8dd3ase21f",
  "startTime": 1490790000,
  "endTime": 0
}
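
A pre-flight check for the request body shown above, as an added example (not Microsoft's code and not part of the original page): it refuses a SAS token that is expired or not HTTPS-only before the token is sent to the vault, leaves the token out when useManagedIdentity is set, and redacts the signature for logging. The function names and the choice of checks are assumptions of this example; `PAGE_TOKEN` is the token from the sample request.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote

API_VERSION = "2025-07-01"
TERMINAL = {"Succeeded", "Canceled", "Failed"}  # every OperationStatus except InProgress
# The sample token from this page; its se (expiry) field is in 2018.
PAGE_TOKEN = "se=2018-02-01T00%3A00Z&spr=https&sv=2017-04-17&sr=b&sig=REDACTED"


def check_sas(token, now):
    """Return the problems found in a SAS query string (empty list means none)."""
    fields = {k: v[0] for k, v in parse_qs(token).items()}
    problems = []
    if "sig" not in fields:
        problems.append("missing sig")
    if fields.get("spr") != "https":
        problems.append("not https-only")
    try:
        expiry = datetime.fromisoformat(fields["se"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return problems + ["missing or unparsable se"]
    if expiry.tzinfo is None:  # SAS times are UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry <= now:
        problems.append("expired")
    return problems


def redact(token):
    """Copy of the token that is safe to log: the signature value is dropped."""
    return "&".join("sig=<redacted>" if p.startswith("sig=") else p
                    for p in token.split("&"))


def build_restore(vault_base_url, key_name, folder, storage_uri,
                  token=None, use_managed_identity=False, now=None):
    """Return (url, body) for the PUT, refusing a SAS token that fails check_sas."""
    sas = {"storageResourceUri": storage_uri}
    if use_managed_identity:
        sas["useManagedIdentity"] = True  # no token travels in the request
    else:
        problems = check_sas(token or "", now or datetime.now(timezone.utc))
        if problems:
            raise ValueError(f"SAS token rejected: {', '.join(problems)}")
        sas["token"] = token
    url = (f"{vault_base_url.rstrip('/')}/keys/{quote(key_name, safe='')}"
           f"/restore?api-version={API_VERSION}")
    return url, {"sasTokenParameters": sas, "folder": folder}


def is_finished(operation):
    """True once the polled SelectiveKeyRestoreOperation has left InProgress."""
    return operation["status"] in TERMINAL
```

Poll the URL from the Azure-AsyncOperation header, waiting Retry-After seconds between attempts, until `is_finished` returns true.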

Definitions

| Name | Description |
|---|---|
| Error | |
| KeyVaultError | The key vault error exception. |
| OperationStatus | The status of a long-running operation. |
| SASTokenParameter | An authentication method and location for the operation. |
| SelectiveKeyRestoreOperation | Selective Key Restore operation |
| SelectiveKeyRestoreOperationParameters | The authentication method and location for the selective key restore operation. |

Error

| Name | Type | Description |
|---|---|---|
| code | string | The error code. |
| innererror | Error | The key vault server error. |
| message | string | The error message. |

KeyVaultError

The key vault error exception.

| Name | Type | Description |
|---|---|---|
| error | Error | The key vault server error. |

OperationStatus

The status of a long-running operation.

| Value | Description |
|---|---|
| InProgress | The operation is in progress. |
| Succeeded | The operation successfully completed. |
| Canceled | The operation was canceled. |
| Failed | The operation failed. |

SASTokenParameter

An authentication method and location for the operation.

| Name | Type | Default value | Description |
|---|---|---|---|
| storageResourceUri | string | | Azure Blob storage container Uri |
| token | string | | The SAS token pointing to an Azure Blob storage container |
| useManagedIdentity | boolean | False | Indicates which authentication method should be used. If set to true, Managed HSM will use the configured user-assigned managed identity to authenticate with Azure Storage. Otherwise, a SAS token has to be specified. |

SelectiveKeyRestoreOperation

Selective Key Restore operation

| Name | Type | Description |
|---|---|---|
| endTime | integer (unixtime) | The end time of the restore operation |
| error | Error | Error encountered, if any, during the selective key restore operation. |
| jobId | string | Identifier for the selective key restore operation. |
| startTime | integer (unixtime) | The start time of the restore operation |
| status | OperationStatus | Status of the restore operation. |
| statusDetails | string | The status details of restore operation. |

SelectiveKeyRestoreOperationParameters

The authentication method and location for the selective key restore operation.

| Name | Type | Description |
|---|---|---|
| folder | string | The Folder name of the blob where the previous successful full backup was stored |
| sasTokenParameters | SASTokenParameter | A user-provided SAS token to an Azure blob storage container. |