Azure Key Vault Key pattern-based discovery

  • Release version: Australia
  • Updated April 28, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Azure Key Vault Key pattern-based discovery

    The Azure Key Vault Key pattern-based discovery enables ServiceNow customers to automatically detect and inventory Azure Key Vault Keys within their cloud environment. This capability is part of the Discovery and Service Mapping Patterns application and helps populate detailed information about Azure keys into both CMDB and non-CMDB tables, supporting comprehensive cloud asset management and governance.

    Show full answer Show less

    Key Features

    • Pattern Activation: The Azure Key Vault Key discovery pattern is disabled by default. Customers must enable it to begin discovering keys. Starting with Visibility Content version 6.28.0, activating or deactivating patterns does not count as customization, allowing seamless updates.
    • Discovery Prerequisites: Proper Microsoft Azure discovery prerequisites must be met, including correct setup of Azure service accounts and data center URLs, especially for Azure GovCloud (US) environments.
    • Data Storage: Discovery populates data into two types of tables:
      • Non-CMDB tables: Data from the Azure - Key Vault Key - Extended Inventory(LP) pattern includes detailed key attributes such as name, object ID, key ID, cryptographic type, permitted operations, size, status, recovery level, and timestamps.
      • CMDB tables: The Cloud Resource table stores general resource information like name, object ID, resource type, installation and operational status.
    • CI Relationships and References: The pattern establishes relationships such as hosted-on and membership links between Azure Key Vault Keys and Azure Datacenters or other cloud resources, enhancing configuration item (CI) context within the CMDB.
    • Tag Discovery: Azure Key Vault Key tags are collected and stored in the Key Value table, allowing customers to capture metadata for better resource classification and management.

    What Customers Can Expect

    • Automated identification and inventory of Azure Key Vault Keys with rich attribute details.
    • Improved visibility into key lifecycle, cryptographic details, and operational status within ServiceNow’s CMDB.
    • Enhanced cloud resource relationships and metadata tagging to support governance, compliance, and operational workflows.
    • Seamless pattern updates without losing customization states, ensuring discovery remains current with evolving Azure environments.

    Discovery and Service Mapping Patterns finds Azure Key Vault Keys on your cloud environment. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    Pattern-based discovery and mapping requirements

    Verify the Microsoft Azure discovery prerequisites
    For more information, see the prerequisites section in Microsoft Azure Cloud discovery using patterns.
    Enable the relevant pattern
    The pattern for this service is disabled by default. Starting with Visibility Content version 6.28.0, activating or deactivating a pattern won't be considered a customization, and it will continue to receive updates. Patterns that were previously activated or deactivated will reset to the latest predefined version after upgrading while retaining the last active field value. For more information on enabling patterns, see Activate a disabled pattern.
    Configure the Discovery schedule to support GovCloud
    Discovering Azure GovCloud (US) accounts requires using a datacenter URL when setting up an Azure service account. For more information, see Set up Azure service accounts.

    Discovery and Service Mapping Patterns application populates data in both CMDB and non-CMDB tables.

    Data stored in non-CMDB tables

    The Discovery and Service Mapping Patterns application populates data in the non-CMDB table when running the Azure - Key Vault Key - Extended Inventory(LP) pattern.

    You can review the non-CMDB Azure tables by navigating to All > Configuration > Azure. You can also search the navigation filter for the specific pattern name.

    Table 1. Azure Key Vault - Key [cmdb_azure_key_vault_key]
    Field Description
    Name [name] Name of the Key Vault Key.
    Object Id [object_id] Unique identifier for the Key Vault Key, in the format of the Azure Resource Manager (ARM) resource ID followed by /keys/<key-name>.

    For example: /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>/keys/<key-name>.
    Key ID [key_id] The versioned URI of the key in Azure Key Vault.
    Key Type [key_type] The cryptographic algorithm of the key.

    For example: RSA or EC.
    Curve [curve] The elliptic curve name for EC keys.

    For example: P-256 or P-384.
    Key Ops [key_ops] The operations permitted for the key.

    For example: sign,verify or sign,verify,wrapKey,unwrapKey,encrypt,decrypt.
    Key Size [key_size] The size of the key in bits.
    Enabled [enabled] Indicates whether the key is enabled.
    Recovery Level [recovery_level] The deletion recovery level for the key.

    For example: Recoverable, Purgeable, or Recoverable+Purgeable.
    Created Date [created_date] Date and time when the key was created.
    Updated Date [updated_date] Date and time when the key was last updated.
    Expiration Date [expiration_date] Date and time when the key expires.
    Configuration Item [configuration_item] References the Cloud Resource [cmdb_ci_cmp_resource] table.

    Data stored in CMDB tables

    The Discovery and Service Mapping Patterns application populates data in the CMDB when running the Azure - Key Vault Key - Extended Inventory(LP) pattern.

    Table 2. Cloud Resource [cmdb_ci_cmp_resource]
    Field Description
    Name [name] Name of the Key Vault Key.
    Object ID [object_id] Unique identifier for the Key Vault Key, in the format of the ARM resource ID followed by /keys/<key-name>.

    For example: /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>/keys/<key-name>.
    Resource type [resource_type] The Azure resource type: microsoft.keyvault/vaults/keys.
    Install Status [install_status] Install status of the resource. Default value is Installed.
    Operational status [operational_status] Operational status of the resource. Default value is Operational.

    CI relationships

    The Azure - Key Vault Key - Extended Inventory(LP) pattern creates the following relationships and references to support Azure Key Vault Key discovery. References link to records in other tables and don't appear in the CI Relationship [cmdb_rel_ci] table.

    Table 3. CI relationships
    CI Relationship CI
    Cloud Resource [cmdb_ci_cmp_resource] Hosted on::Hosts Azure Datacenter [cmdb_ci_azure_datacenter]
    Cloud Resource [cmdb_ci_cmp_resource] Members::Member of Cloud Resource [cmdb_ci_cmp_resource]
    Table 4. CI references
    CI Field Referenced CI
    Azure Key Vault - Key [cmdb_azure_key_vault_key] Configuration Item [configuration_item] Cloud Resource [cmdb_ci_cmp_resource]
    Key Value [cmdb_key_value] Configuration item [configuration_item] Cloud Resource [cmdb_ci_cmp_resource]

    Azure Tag discovery

    The Azure - Key Vault Key - Extended Inventory(LP) pattern collects tags and populates them in the Key Value [cmdb_key_value] table.

    Table 5. Key Value [cmdb_key_value]
    Field Description
    Key [key] Tag name.
    Value [value] Tag value.
    Configuration item [configuration_item] References the Cloud Resource [cmdb_ci_cmp_resource] table.