Feature Request: Enable Granular Exemptions for Azure Policy on Key Vault Secrets

Khushboo Brijlal Khurana 20 Reputation points
2024-12-10T10:33:17.55+00:00

We require a mechanism to exempt specific secrets from the Azure Policy assignment: "Secrets should have the specified maximum validity period." However, we have encountered several limitations in achieving this. Below is a summary of our efforts:

1. Attempted Exemptions via Tagging:
   • Explored the possibility of tagging specific secrets or assigning a custom content type (e.g., "exempt") for exemptions.
   • While tagging was supported conceptually, Azure Policy compliance reporting continued to show tagged secrets as non-compliant. This approach failed.

2. Custom Policy Creation:
   • Created a custom policy using ARM mode and tried to include specific aliases such as `Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn`.
   • ARM mode only fetches **control plane properties**, while the requirement involves **data plane properties** like secret expiry.
   • Custom policy creation failed to evaluate resources for compliance, leaving compliance reports empty.

3. Testing Exemptions Using REST API:
   • Attempted to create exemptions programmatically for specific secrets.
   • Although the exemption was created successfully, the compliance report still marked the resource as non-compliant. Exemptions at the individual secret level did not take effect.

4. Consultation with Microsoft Support:
   • Reached out to Microsoft and confirmed that Azure Policy currently lacks the capability to evaluate data plane properties for granular resources like individual secrets.

5. Outcome and Recommendation from Microsoft:
   • Microsoft SMEs confirmed that exemptions at the secret level are not feasible due to technical constraints.
   • The only current workaround is to exempt the entire Key Vault, which does not align with our requirement for granular compliance control.

Request: We are requesting a feature that allows:
   • Exemption of specific secrets from compliance policies, either through tags, content types, or other identifiers.
   • Full support for data plane properties in Azure Policy, enabling granular control at the individual resource level (e.g., secrets).

Accepted answer
Pranay Reddy Madireddy 1,230 Reputation points Microsoft Vendor
2024-12-10T16:49:32.31+00:00

    Hi Khushboo Brijlal Khurana

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    You used tags to exempt specific secrets, but Azure Policy still marked the tagged secrets as non-compliant.

    Your attempt to create a custom policy using ARM mode didn't work because ARM mode only accesses control plane properties, while you need data plane properties.

    Although you created exemptions with the REST API, compliance reports still marked those resources as non-compliant.

    Microsoft confirmed that Azure Policy can't evaluate data plane properties for specific resources like individual secrets, so you can't enforce exemptions at that level.

    The only workaround is to exempt the whole Key Vault, which doesn't give you the detailed control you need.

    You can submit feedback through the Azure portal about needing these features. Microsoft reviews user feedback and may prioritize updates based on demand.

    Keep an eye on Azure updates about Azure Policy and Key Vault, as Microsoft often releases new features.
    https://azure.microsoft.com/en-us/updates/

    Consider using other tools or solutions to manage secret lifecycles and enforce policies, as Azure Policy has some limitations.

    For reference, please review this documentation:
    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure
    https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
    https://learn.microsoft.com/en-us/azure/defender-for-cloud/policy-reference?WT.mc_id=itopstalk-blog-socuff
    https://learn.microsoft.com/en-us/azure/key-vault/general/azure-policy?tabs=certificates

    If you have any further queries, do let us know.
    If the answer is helpful, please click "Accept Answer" and "Upvote it".

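Because Azure Policy cannot honour secret-level exemptions, a check of the kind the answer alludes to ("other tools or solutions") can be run outside Policy against the data plane. The following is an added example, not code from the post, from Microsoft or from Azure Policy; it assumes a hypothetical `policy-exempt` tag and an `exempt` content type as the exemption markers, and uses constructed sample records standing in for what `SecretClient.list_properties_of_secrets()` from the azure-keyvault-secrets SDK would return.

```python
"""Client-side evaluation of the Key Vault rule "Secrets should have the
specified maximum validity period", with per-secret exemptions that Azure
Policy itself cannot express. Added example; not part of the original post.
Assumed conventions: tag "policy-exempt" = "true" or content type "exempt"
marks a secret as exempt (both names are hypothetical).
In production, feed SecretRecord from the azure-keyvault-secrets SDK:
    for p in SecretClient(vault_url, credential).list_properties_of_secrets():
        SecretRecord(p.name, p.created_on, p.expires_on, p.tags or {}, p.content_type)
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

EXEMPT_TAG = "policy-exempt"    # hypothetical tag name
EXEMPT_CONTENT_TYPE = "exempt"  # hypothetical content type

@dataclass
class SecretRecord:
    name: str
    created_on: datetime
    expires_on: Optional[datetime]
    tags: Dict[str, str] = field(default_factory=dict)
    content_type: Optional[str] = None

def is_exempt(secret: SecretRecord) -> bool:
    """Granular exemption via tag or content type (the mechanism the question asked for)."""
    by_tag = secret.tags.get(EXEMPT_TAG, "").strip().lower() == "true"
    by_type = (secret.content_type or "").strip().lower() == EXEMPT_CONTENT_TYPE
    return by_tag or by_type

def evaluate(secret: SecretRecord, max_validity_days: int) -> str:
    """Mirror the built-in policy: expiry must be set and validity must not exceed the maximum."""
    if is_exempt(secret):
        return "exempt"
    if secret.expires_on is None:
        return "non-compliant: no expiry set"
    if secret.expires_on - secret.created_on > timedelta(days=max_validity_days):
        return "non-compliant: validity exceeds maximum"
    return "compliant"

def compliance_report(secrets: List[SecretRecord], max_validity_days: int) -> Dict[str, str]:
    return {s.name: evaluate(s, max_validity_days) for s in secrets}

# Constructed sample data; not real secrets.
_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    SecretRecord("db-password", _T0, _T0 + timedelta(days=60)),
    SecretRecord("legacy-api-key", _T0, _T0 + timedelta(days=366), tags={"policy-exempt": "true"}),
    SecretRecord("break-glass", _T0, None, content_type="exempt"),
    SecretRecord("long-lived-token", _T0, _T0 + timedelta(days=365)),
    SecretRecord("no-expiry", _T0, None),
]

if __name__ == "__main__":
    for name, status in compliance_report(SAMPLE, 90).items():
        print(f"{name}: {status}")
```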
