Verify that the Expiration Date is set for all Secrets in RBAC Key Vaults

Last updated: April 9, 2026

Framework Reference: 9.3.1 Key Expiration Enforcement – Azure Key Vault (Level 1)

Why this matters

  • Azure Key Vault stores cryptographic keys used for encryption, signing, and key wrapping. By default, keys do not expire. Without an expiration date:

  • Keys may remain valid indefinitely

  • Key rotation policies may not be enforced

  • Long-lived keys increase the impact of compromise

  • Organizations risk violating cryptographic lifecycle best practices

  • The exp (expiration date) attribute defines the date after which a key must not be used for new encryption, key wrapping, or signing operations.

  • Setting expiration dates enforces key rotation discipline and reduces exposure from stale or compromised cryptographic material.

  • This control applies specifically to RBAC-enabled Key Vaults.

What this check does

This Auto Check verifies that all enabled keys in RBAC-enabled Azure Key Vaults have an expiration date configured.

Check Logic

Passes if:

  • The Key Vault has EnableRbacAuthorization set to True, and

  • Every key where enabled = True has a non-null expires attribute.

Fails if:

  • An enabled key has no expiration date, or

  • The expiration attribute is null or empty.

Applies to:

  • Azure Key Vaults configured with RBAC authorization

  • All cryptographic keys within those vaults

  • The check evaluates key attributes via Azure management APIs.

How to fix it

Set expiration dates for all enabled keys.

Azure Portal

  • Go to Key vaults.

  • Select a Key Vault.

  • Click Keys.

  • For each enabled key, set an appropriate Expiration date.

  • Repeat for all RBAC-enabled vaults.

Azure CLI

List all Key Vaults:

az keyvault list

Check keys in a vault:

az keyvault key list --vault-name <VaultName> \  --query '[*].{"kid":kid,"enabled":attributes.enabled,"expires":attributes.expires}' 

Update expiration date:

az keyvault key set-attributes \  --name <keyName> \  --vault-name <vaultName> \  --expires Y-m-d'T'H:M:S'Z' 

Replace placeholders with appropriate values.

PowerShell

List Key Vaults:

Get-AzKeyVault 

Check if vault uses RBAC:

Get-AzKeyVault -VaultName <VaultName>

List keys:

Get-AzKeyVaultKey -VaultName <VaultName>

Set expiration date:

Set-AzKeyVaultKeyAttribute -VaultName <VaultName> -Name <KeyName> -Expires <DateTime>

Default value

By default, Azure Key Vault keys do not expire.

Impact

  • Keys cannot be used beyond their expiration date.

  • Applications depending on expired keys may fail if rotation is not properly managed.

  • Requires a formal key rotation process.

  • Organizations must ensure keys are rotated before expiration to avoid service disruption.

Permissions Note

  • Viewing key expiration dates requires List permission on keys.

  • Updating expiration dates requires appropriate RBAC roles (e.g., Key Vault Crypto Officer).

Exceptions

  • No standard exceptions are recommended.

  • If key expiration cannot be enforced:

  • Document the business justification.

  • Implement a documented manual rotation process.

  • Monitor key age and usage regularly.

References

  1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis

  2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys 

  3. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-6-use-a-secure-key-management-process 

  4. https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0