Old and Current secret conflict

Question

Old and Current secret conflict

Cheedella, Satyanarayana 0

I have created a new secret in Azure Key Vault, which is used by my application. For certain reasons, I disabled the latest (current) version of the secret. However, there is an older version of the secret that is still enabled.

Generally, the expected behavior is that Azure Key Vault should return the latest enabled version of the secret when the current one is disabled. However, in our case, this doesn't seem to be happening.

Are there any insights or known reasons why the older enabled version is not being picked up automatically?

Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2025-10-17T14:43:06.9266667+00:00
Hello @Cheedella, Satyanarayana,

Disabling the most recent version of Azure Key Vault does not cause it to immediately revert to an earlier activated secret version.

Regardless of whether a secret is enabled or not, Key Vault always attempts the most recent version when you retrieve it by name alone.

The request won't return the most recent enabled version if that version is deactivated or has expired.

This is by default for security and consistency reasons.

You can list all secret versions, identify the most recent enabled one, and explicitly retrieve that version.

Let me know if any further queries - feel free to reach out!
Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2025-10-21T08:27:48.0766667+00:00

Hello @Cheedella, Satyanarayana,

Following up to see if the above provided answer was helpful. if you have any further queries do let us know.

1 answer

Your answer

Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2025-10-17T14:43:06.9266667+00:00

Hello @Cheedella, Satyanarayana,

Disabling the most recent version of Azure Key Vault does not cause it to immediately revert to an earlier activated secret version.

Regardless of whether a secret is enabled or not, Key Vault always attempts the most recent version when you retrieve it by name alone.

The request won't return the most recent enabled version if that version is deactivated or has expired.

This is by default for security and consistency reasons.

You can list all secret versions, identify the most recent enabled one, and explicitly retrieve that version.

Let me know if any further queries - feel free to reach out!
Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2025-10-21T08:27:48.0766667+00:00

Hello @Cheedella, Satyanarayana,

Following up to see if the above provided answer was helpful. if you have any further queries do let us know.

Answer 1

Hello Cheedella, Satyanarayana,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your old and current secret conflict.

The older enabled version picked automatically because GET secret by name always targets the latest version. If that version is disabled/expired, the value cannot be retrieved, and the service does not auto‑fallback to an older enabled version. Fetch a specific version or ensure the latest is enabled. - https://learn.microsoft.com/en-us/azure/key-vault/secrets/javascript-developer-guide-get-secret, and if you use App Service/Functions Key Vault references, remember they’re cached and auto‑refresh within 24 hours unless you pull/refresh explicitly or update configuration.- https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references, and https://stackoverflow.com/questions/77007906/azure-key-vault-lag-on-secret-changes gives more insight.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Share via

Old and Current secret conflict

1 answer

Your answer