Skip to main content

Remediation

From Azure Portal

Go to Key Vaults.
For each Key Vault, select Keys.
In the main pane, ensure that an appropriate Expiration date is set for any keys that are Enabled.

From Azure CLI

Update the Expiration date for the key using the following command. Use a UTC timestamp in ISO 8601 format.

az keyvault key set-attributes \
    --name {{key-name}} \
    --vault-name {{vault-name}} \
    --expires {{expiration-date-time-utc}}

Note: To view the expiration date on all keys in a Key Vault using Microsoft API, the List Key permission is required.

To update the expiration date for the keys:

Go to the Key Vault and select Access Control (IAM).
Select Add role assignment and assign the Key Vault Crypto Officer role to the appropriate user.

From PowerShell

Set-AzKeyVaultKeyAttribute `
    -VaultName {{vault-name}} `
    -Name {{key-name}} `
    -Expires {{date-time}}

From Azure Portal
From Azure CLI
From PowerShell