1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Managing Azure Data Protection and Security Compliance

Importing an Existing Software-Protected Key into Azure Key Vault

Start course
Duration1h 12m



As companies race toward the cloud, it’s imperative that IT professionals keep up with the times. Keeping up with the times means maintaining the ability to deploy and maintain cloud-based solutions – particularly those offered through Microsoft Azure.

In this course, you will learn how to create and manage encryption keys in Azure, prevent and respond to security threats to Azure resources, configure access to Azure applications via single sign-on, manage access to Azure applications, and configure federation with public consumer identity providers like Facebook and Google. 

Learning Objectives

  • Create and import keys in the Azure Key Vault
  • Define, configure, and assess security policies
  • Harden Azure resources against threats
  • Configure single sign-on for SaaS applications
  • Configure federation with public consumer identity providers like Facebook and Google

 Intended Audience

  • People interested in becoming Azure security engineers 


  • General knowledge of IT infrastructure
  • General knowledge of the Azure environment






- [Instructor] In addition to creating new keys, Azure Key Vault allows you to import existing keys as well. Since we've already worked through the process of creating a new key in the key vault, let's work through the process of importing an existing software-protected key using the the Add-AzureKeyVaultKey command. In this demo, I'm going to walk you through this import process. I have here, in my keys folder, a software-protected key called swkey.pfx. This exported key is protected with a password. I used A123456z! to secure this key when I exported it from my workstation. To upload this key to my key vault in Azure, I first need to store this password in a variable using the ConvertTo-SecureString command. I can then access the key and import it from the PFX file into my key vault. 


As you can see on the screen here, I'm converting the exported keys password to a secure string and storing it in the secure pfxpwd variable. Hitting ENTER runs this command and it usually doesn't do a whole lot. We're just saving a value to a variable. However, when it finishes, I can then import the key from the PFX file by running the Add-AzureKeyVaultKey command that I'm going to paste into the PowerShell session right now. When importing a software-protected key using this command, we need to specify the KeyFilePath and the KeyFilePassword. The KeyFilePath switch references the path to the PFX file that we're going to import. The KeyFilePassword is the secure password that we need to access the PFX file. That's the password we stored up here in the secure pfxpwd variable. Hitting ENTER here will create the key and store it in the vault. 


We can display the URI for this imported key by typing Key-ID at the PowerShell prompt. So we go ahead and type in our command here to pull up the URI for our newly imported key. Now as you can see here, the full URI references MyImportedPFX. The MyImportedPFX key is the name of the key that we imported in our command. Now to view the actual key, we need to use the Get-AzureKeyVaultKey command. I'm going to go ahead and paste that command into our window here. 

And as you can see on your screen, this command is essentially identical to the one we used previously to view the newly created key, except in this case, we're just specifying MyImportedPFX as our key that we're interested in. You can go ahead and hit ENTER here and what it's going to do is return some key attributes about our imported key. It's going to tell us when it was created when it was updated, and it gives us the vault name along with the ID. Now, if we wanted to view the properties of this imported key or really any other keys in our key vault, we could go into our Azure portal, as you can see here on the screen, browse into our actual key vault here and select Keys. On the screen where you can see that the portal tells us we have two keys in our vault, MyFirstKey which we created and MyImportedPFX which we imported. 

Clicking on either one of those pulls up properties for those keys. So with that said, let's move on.

About the Author


Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.