Hi,
Thanks for reaching out to Microsoft Q&A.
If your Key Vault is automatically switching its firewall setting from “Allow public access from all networks” to “Allow public access from specific virtual networks and IP addresses”, it is not expected default behavior.
This can happen due to one of the following reasons:
Policy or Compliance Enforcement
- Azure Policy might be applied at the subscription or management group level to enforce secure network rules on Key Vaults.
- Example: A policy might be configured to deny or modify Key Vaults that allow access from all networks.
- You can check this in the Azure Policy blade in the portal or use the CLI:
az policy assignment list --query "[?policyDefinitionId.contains(@, 'keyvault')]" --output table
Security Center / Defender for Cloud Recommendations
- If Microsoft Defender for Cloud is configured with auto-remediation, it might automatically change network settings to comply with best practices.
Infrastructure as Code (IaC)
- If your environment is managed via tools like ARM templates, Bicep, Terraform, or Azure DevOps pipelines, a periodic deployment might be resetting the firewall settings.
- Review recent deployments in Key Vault Activity Logs or Resource Manager deployments.
Role-Based Automation
- A script or automation account with the Contributor or Key Vault Administrator role could be applying this change as part of a security workflow or scheduled task.
How to Investigate?
- Activity Logs:
- Go to the Key Vault -> Activity Log.
- Filter for “Update Key Vault” operations.
- This will show who/what made the change and when.
- Policy Compliance:
- Check for assigned Azure Policies at the management group/subscription/resource group level targeting Microsoft.KeyVault/vaults/networkAcls.
- Deployment History:
- Check Resource Group -> Deployments for any updates related to the Key Vault.
Recommendation:
If this change is unintended, and you require public access:
- Exclude your Key Vault from the policy scope or modify the policy definitions.
- Disable auto-remediation in Defender for Cloud for this specific resource if applicable.
- Communicate with the team managing your IaC pipelines or platform governance.
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
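Worked example added by the editor (not part of the answer above, nor Microsoft's own tooling) for the two investigation steps the answer describes: picking the "Update Key Vault" operations out of the Activity Log to see who or what made the change and when, and reading the vault's current firewall posture. It assumes inputs shaped like the JSON that `az monitor activity-log list` and `az keyvault show` return (`operationName.value`, `status.value`, `caller`, `eventTimestamp`, and `properties.networkAcls.defaultAction` / `properties.publicNetworkAccess`); the records and the vault object below are constructed for illustration, and the GUID caller is a made-up service principal id.

```python
"""Triage helper for unexpected Key Vault firewall changes.

Example code added alongside the Q&A answer; not part of the original answer.
Assumed input shapes (Azure CLI JSON output):
  - records from `az monitor activity-log list --resource-id <vault-id> -o json`
  - the vault object from `az keyvault show -n <vault-name> -o json`
"""
from collections import defaultdict
from typing import Iterable

# The Activity Log operation behind the portal's "Update Key Vault" entry.
VAULT_WRITE_OP = "Microsoft.KeyVault/vaults/write"

# Constructed sample records: one read, two succeeded writes from the same
# non-human caller at the same time on consecutive days, and one failed write.
SAMPLE_RESOURCE = (
    "/subscriptions/<sub-id>/resourceGroups/rg-demo"
    "/providers/Microsoft.KeyVault/vaults/kv-demo"
)
SAMPLE_ACTIVITY = [
    {"operationName": {"value": "Microsoft.KeyVault/vaults/read"},
     "status": {"value": "Succeeded"}, "caller": "alice@example.com",
     "eventTimestamp": "2024-05-01T08:00:00Z", "resourceId": SAMPLE_RESOURCE},
    {"operationName": {"value": "Microsoft.KeyVault/vaults/write"},
     "status": {"value": "Succeeded"},
     "caller": "11111111-2222-3333-4444-555555555555",  # constructed SP id
     "eventTimestamp": "2024-05-01T09:00:00Z", "resourceId": SAMPLE_RESOURCE},
    {"operationName": {"value": "Microsoft.KeyVault/vaults/write"},
     "status": {"value": "Failed"}, "caller": "bob@example.com",
     "eventTimestamp": "2024-05-01T10:00:00Z", "resourceId": SAMPLE_RESOURCE},
    {"operationName": {"value": "Microsoft.KeyVault/vaults/write"},
     "status": {"value": "Succeeded"},
     "caller": "11111111-2222-3333-4444-555555555555",
     "eventTimestamp": "2024-05-02T09:00:00Z", "resourceId": SAMPLE_RESOURCE},
]

# Constructed vault object in the shape of `az keyvault show` output,
# currently set to "specific virtual networks and IP addresses".
SAMPLE_VAULT = {
    "name": "kv-demo",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                        "ipRules": [{"value": "203.0.113.0/24"}]},
    },
}


def vault_write_events(records: Iterable[dict]) -> list[dict]:
    """Return succeeded vault write operations, oldest first, with caller and time."""
    hits = []
    for rec in records:
        op = (rec.get("operationName") or {}).get("value", "")
        status = (rec.get("status") or {}).get("value", "")
        if op.lower() != VAULT_WRITE_OP.lower() or status != "Succeeded":
            continue
        hits.append({"when": rec.get("eventTimestamp"),
                     "caller": rec.get("caller"),
                     "resource": rec.get("resourceId")})
    return sorted(hits, key=lambda h: h["when"] or "")


def changes_by_caller(records: Iterable[dict]) -> dict:
    """Count succeeded vault writes per caller; a caller that repeats at a
    fixed interval is the usual signature of policy remediation or a pipeline."""
    counts: dict = defaultdict(int)
    for hit in vault_write_events(records):
        counts[hit["caller"]] += 1
    return dict(counts)


def public_access_state(vault: dict) -> str:
    """Classify the firewall posture from `az keyvault show` output.

    'all-networks'      -> portal: "Allow public access from all networks"
    'selected-networks' -> portal: "... from specific virtual networks and IP addresses"
    'disabled'          -> public network access turned off entirely
    """
    props = vault.get("properties", vault)
    if str(props.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return "disabled"
    acls = props.get("networkAcls") or {}
    default_action = str(acls.get("defaultAction", "Allow")).lower()
    return "all-networks" if default_action == "allow" else "selected-networks"


if __name__ == "__main__":
    print("current posture:", public_access_state(SAMPLE_VAULT))
    for hit in vault_write_events(SAMPLE_ACTIVITY):
        print(f"{hit['when']}  {hit['caller']}  {hit['resource']}")
    print("writes per caller:", changes_by_caller(SAMPLE_ACTIVITY))
```

To run it against a real vault, replace the two constructed samples with `json.load` of the CLI output named in the docstring; a caller that is an application id rather than a user, writing at the same time each day, points at the policy, Defender or IaC causes listed in the answer, and the Activity Log entry's timestamp can then be matched against the Resource Group deployment history.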