Ensure that "Allow trusted Microsoft services to bypass this firewall" exception is enabled within your Azure Key Vault network firewall configuration settings in order to grant vault access to trusted Azure cloud services. The trusted Microsoft services must also be given explicit permissions within the access policies associated with the Key Vault.
Enabling network firewall rules for your Key Vaults will block access to incoming requests for data, including from other Azure services. To allow certain Azure cloud services to work as intended and be able to access your vault resources, you have to add an exception so that the trusted cloud services can bypass the firewall rules. If the "Allow trusted Microsoft services to bypass this firewall" exception is enabled, cloud services such as Azure Resource Manager, Azure Virtual Machines and Azure Disk Encryption can be granted access to your Key Vault resources. To enhance access security, all these Azure cloud services are using strong authentication methods to access your vault resources.
To determine if "Allow trusted Microsoft services to bypass this firewall" exception is enabled for your Key Vaults, perform the following actions:
Remediation / Resolution
To enable and configure "Allow trusted Microsoft services to bypass this firewall" exception for your Azure Key Vaults, perform the following actions:
- Azure Official Documentation
- Configure Azure Key Vault firewalls and virtual networks
- Virtual network service endpoints for Azure Key Vault
- Creating and configuring a key vault for Azure Disk Encryption
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Enable Trusted Microsoft Services for Key Vault Access
Risk level: Medium