Azure Key Vault Key pattern-based discovery

  • Release version: Yokohama
  • Updated April 28, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Azure Key Vault Key pattern-based discovery

    The Azure Key Vault Key pattern-based discovery in ServiceNow enables customers to identify and map Azure Key Vault Keys within their cloud environments using Discovery and Service Mapping Patterns. This capability requires meeting Microsoft Azure discovery prerequisites and activating the relevant pattern, which is disabled by default. It supports discovery across standard Azure and Azure GovCloud (US) accounts, with specific setup considerations such as using a datacenter URL for GovCloud.

    Show full answer Show less

    Key Features

    • Pattern Activation and Updates: Starting with Visibility Content version 6.28.0, enabling or disabling patterns is no longer treated as a customization, allowing patterns to receive updates and reset to the latest versions after upgrades while preserving the last active state.
    • Data Storage: Discovered Azure Key Vault Keys data is stored in both CMDB and non-CMDB tables. Non-CMDB data is populated by the Azure - Key Vault Key - Extended Inventory(LP) pattern and can be reviewed under Configuration > Azure.
    • CMDB Tables: Key Vault Keys are represented in the Cloud Resource [cmdbcicmpresource] table with fields such as name, object ID, resource type, install status, and operational status.
    • CI Relationships: The pattern establishes relationships linking the Key Vault Key resources to Azure Datacenters and other cloud resources, supporting comprehensive configuration item (CI) mapping.
    • Azure Tag Discovery: Tags associated with Key Vault Keys are collected and stored in the Key Value [cmdbkeyvalue] table, enabling tag-based identification and filtering within the CMDB.

    Practical Outcomes for ServiceNow Customers

    • Comprehensive visibility into Azure Key Vault Keys across subscriptions and resource groups, including metadata like cryptographic algorithm, key operations, size, status, and lifecycle dates.
    • Enhanced CMDB accuracy with detailed and up-to-date representations of Azure Key Vault Keys and their relationships to other cloud resources, supporting improved cloud asset management and risk assessment.
    • Facilitated compliance and governance through visibility of key attributes and tags, enabling better control over cryptographic assets within Azure environments.
    • Support for Azure GovCloud discovery ensures customers operating in regulated US government cloud environments can maintain accurate and compliant cloud resource records.

    Discovery and Service Mapping Patterns finds Azure Key Vault Keys on your cloud environment. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    Pattern-based discovery and mapping requirements

    Verify the Microsoft Azure discovery prerequisites
    For more information, see the prerequisites section in Microsoft Azure Cloud components discovery using patterns.
    Enable the relevant pattern
    The pattern for this service is disabled by default. Starting with Visibility Content version 6.28.0, activating or deactivating a pattern won't be considered a customization, and it will continue to receive updates. Patterns that were previously activated or deactivated will reset to the latest predefined version after upgrading while retaining the last active field value. For more information on enabling patterns, see Activate a disabled pattern.
    Configure the Discovery schedule to support GovCloud
    Discovering Azure GovCloud (US) accounts requires using a datacenter URL when setting up an Azure service account. For more information, see Set up Azure service accounts.

    Discovery and Service Mapping Patterns application populates data in both CMDB and non-CMDB tables.

    Data stored in non-CMDB tables

    The Discovery and Service Mapping Patterns application populates data in the non-CMDB table when running the Azure - Key Vault Key - Extended Inventory(LP) pattern.

    You can review the non-CMDB Azure tables by navigating to All > Configuration > Azure. You can also search the navigation filter for the specific pattern name.

    Table 1. Azure Key Vault - Key [cmdb_azure_key_vault_key]
    Field Description
    Name [name] Name of the Key Vault Key.
    Object Id [object_id] Unique identifier for the Key Vault Key, in the format of the Azure Resource Manager (ARM) resource ID followed by /keys/<key-name>.

    For example: /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>/keys/<key-name>.
    Key ID [key_id] The versioned URI of the key in Azure Key Vault.
    Key Type [key_type] The cryptographic algorithm of the key.

    For example: RSA or EC.
    Curve [curve] The elliptic curve name for EC keys.

    For example: P-256 or P-384.
    Key Ops [key_ops] The operations permitted for the key.

    For example: sign,verify or sign,verify,wrapKey,unwrapKey,encrypt,decrypt.
    Key Size [key_size] The size of the key in bits.
    Enabled [enabled] Indicates whether the key is enabled.
    Recovery Level [recovery_level] The deletion recovery level for the key.

    For example: Recoverable, Purgeable, or Recoverable+Purgeable.
    Created Date [created_date] Date and time when the key was created.
    Updated Date [updated_date] Date and time when the key was last updated.
    Expiration Date [expiration_date] Date and time when the key expires.
    Configuration Item [configuration_item] References the Cloud Resource [cmdb_ci_cmp_resource] table.

    Data stored in CMDB tables

    The Discovery and Service Mapping Patterns application populates data in the CMDB when running the Azure - Key Vault Key - Extended Inventory(LP) pattern.

    Table 2. Cloud Resource [cmdb_ci_cmp_resource]
    Field Description
    Name [name] Name of the Key Vault Key.
    Object ID [object_id] Unique identifier for the Key Vault Key, in the format of the ARM resource ID followed by /keys/<key-name>.

    For example: /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>/keys/<key-name>.
    Resource type [resource_type] The Azure resource type: microsoft.keyvault/vaults/keys.
    Install Status [install_status] Install status of the resource. Default value is Installed.
    Operational status [operational_status] Operational status of the resource. Default value is Operational.

    CI relationships

    The Azure - Key Vault Key - Extended Inventory(LP) pattern creates the following relationships and references to support Azure Key Vault Key discovery. References link to records in other tables and don't appear in the CI Relationship [cmdb_rel_ci] table.

    Table 3. CI relationships
    CI Relationship CI
    Cloud Resource [cmdb_ci_cmp_resource] Hosted on::Hosts Azure Datacenter [cmdb_ci_azure_datacenter]
    Cloud Resource [cmdb_ci_cmp_resource] Members::Member of Cloud Resource [cmdb_ci_cmp_resource]
    Table 4. CI references
    CI Field Referenced CI
    Azure Key Vault - Key [cmdb_azure_key_vault_key] Configuration Item [configuration_item] Cloud Resource [cmdb_ci_cmp_resource]
    Key Value [cmdb_key_value] Configuration item [configuration_item] Cloud Resource [cmdb_ci_cmp_resource]

    Azure Tag discovery

    The Azure - Key Vault Key - Extended Inventory(LP) pattern collects tags and populates them in the Key Value [cmdb_key_value] table.

    Table 5. Key Value [cmdb_key_value]
    Field Description
    Key [key] Tag name.
    Value [value] Tag value.
    Configuration item [configuration_item] References the Cloud Resource [cmdb_ci_cmp_resource] table.