Azure Key Vault Key pattern-based discovery

  • Release version: Zurich
  • Updated April 28, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Azure Key Vault Key pattern-based discovery

    The Azure Key Vault Key pattern-based discovery in ServiceNow enables automated detection and inventory of Azure Key Vault Keys within your cloud environment. This capability is part of the Discovery and Service Mapping Patterns application and helps populate both CMDB and non-CMDB tables with detailed key information, facilitating comprehensive cloud asset management.

    Show full answer Show less

    This pattern is disabled by default and requires activation. It supports Azure GovCloud (US) accounts by configuring the discovery schedule with the appropriate datacenter URL. To ensure successful discovery, Microsoft Azure discovery prerequisites must be met.

    Key Features

    • Pattern Activation and Updates: Starting from Visibility Content version 6.28.0, enabling or disabling discovery patterns is no longer treated as customization, allowing for seamless updates and version resets without losing activation status.
    • Data Population: The discovery process populates data into:
      • Non-CMDB tables: Specifically, the cmdbazurekeyvaultkey table captures detailed key attributes such as name, unique object ID, key ID, cryptographic algorithm, curve, key operations, size, status, recovery level, and lifecycle dates.
      • CMDB tables: The cmdbcicmpresource table records key vault keys as cloud resources, including resource type, install status, and operational status.
    • CI Relationships and References: The pattern creates relationships linking keys to Azure datacenters and other cloud resources, supporting dependency mapping and infrastructure visualization.
    • Azure Tag Discovery: Tags associated with Azure Key Vault Keys are discovered and stored in the cmdbkeyvalue table, enabling enhanced categorization and filtering.

    Practical Considerations for ServiceNow Customers

    • Ensure that Microsoft Azure discovery prerequisites are fulfilled before enabling this pattern to guarantee accurate key vault key discovery.
    • Activate the Azure Key Vault Key pattern to start discovering these resources; note that this pattern is disabled by default.
    • Configure discovery schedules properly, especially when working with Azure GovCloud environments, by using the correct datacenter URLs.
    • Use the populated CMDB and non-CMDB tables to gain detailed visibility into your Azure Key Vault Keys, their configurations, and operational statuses.
    • Leverage CI relationships and tags to understand resource dependencies and to facilitate better asset management and compliance reporting.

    Discovery and Service Mapping Patterns finds Azure Key Vault Keys on your cloud environment. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    Pattern-based discovery and mapping requirements

    Verify the Microsoft Azure discovery prerequisites
    For more information, see the prerequisites section in Microsoft Azure Cloud discovery using patterns.
    Enable the relevant pattern
    The pattern for this service is disabled by default. Starting with Visibility Content version 6.28.0, activating or deactivating a pattern won't be considered a customization, and it will continue to receive updates. Patterns that were previously activated or deactivated will reset to the latest predefined version after upgrading while retaining the last active field value. For more information on enabling patterns, see Activate a disabled pattern.
    Configure the Discovery schedule to support GovCloud
    Discovering Azure GovCloud (US) accounts requires using a datacenter URL when setting up an Azure service account. For more information, see Set up Azure service accounts.

    Discovery and Service Mapping Patterns application populates data in both CMDB and non-CMDB tables.

    Data stored in non-CMDB tables

    The Discovery and Service Mapping Patterns application populates data in the non-CMDB table when running the Azure - Key Vault Key - Extended Inventory(LP) pattern.

    You can review the non-CMDB Azure tables by navigating to All > Configuration > Azure. You can also search the navigation filter for the specific pattern name.

    Table 1. Azure Key Vault - Key [cmdb_azure_key_vault_key]
    Field Description
    Name [name] Name of the Key Vault Key.
    Object Id [object_id] Unique identifier for the Key Vault Key, in the format of the Azure Resource Manager (ARM) resource ID followed by /keys/<key-name>.

    For example: /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>/keys/<key-name>.
    Key ID [key_id] The versioned URI of the key in Azure Key Vault.
    Key Type [key_type] The cryptographic algorithm of the key.

    For example: RSA or EC.
    Curve [curve] The elliptic curve name for EC keys.

    For example: P-256 or P-384.
    Key Ops [key_ops] The operations permitted for the key.

    For example: sign,verify or sign,verify,wrapKey,unwrapKey,encrypt,decrypt.
    Key Size [key_size] The size of the key in bits.
    Enabled [enabled] Indicates whether the key is enabled.
    Recovery Level [recovery_level] The deletion recovery level for the key.

    For example: Recoverable, Purgeable, or Recoverable+Purgeable.
    Created Date [created_date] Date and time when the key was created.
    Updated Date [updated_date] Date and time when the key was last updated.
    Expiration Date [expiration_date] Date and time when the key expires.
    Configuration Item [configuration_item] References the Cloud Resource [cmdb_ci_cmp_resource] table.

    Data stored in CMDB tables

    The Discovery and Service Mapping Patterns application populates data in the CMDB when running the Azure - Key Vault Key - Extended Inventory(LP) pattern.

    Table 2. Cloud Resource [cmdb_ci_cmp_resource]
    Field Description
    Name [name] Name of the Key Vault Key.
    Object ID [object_id] Unique identifier for the Key Vault Key, in the format of the ARM resource ID followed by /keys/<key-name>.

    For example: /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>/keys/<key-name>.
    Resource type [resource_type] The Azure resource type: microsoft.keyvault/vaults/keys.
    Install Status [install_status] Install status of the resource. Default value is Installed.
    Operational status [operational_status] Operational status of the resource. Default value is Operational.

    CI relationships

    The Azure - Key Vault Key - Extended Inventory(LP) pattern creates the following relationships and references to support Azure Key Vault Key discovery. References link to records in other tables and don't appear in the CI Relationship [cmdb_rel_ci] table.

    Table 3. CI relationships
    CI Relationship CI
    Cloud Resource [cmdb_ci_cmp_resource] Hosted on::Hosts Azure Datacenter [cmdb_ci_azure_datacenter]
    Cloud Resource [cmdb_ci_cmp_resource] Members::Member of Cloud Resource [cmdb_ci_cmp_resource]
    Table 4. CI references
    CI Field Referenced CI
    Azure Key Vault - Key [cmdb_azure_key_vault_key] Configuration Item [configuration_item] Cloud Resource [cmdb_ci_cmp_resource]
    Key Value [cmdb_key_value] Configuration item [configuration_item] Cloud Resource [cmdb_ci_cmp_resource]

    Azure Tag discovery

    The Azure - Key Vault Key - Extended Inventory(LP) pattern collects tags and populates them in the Key Value [cmdb_key_value] table.

    Table 5. Key Value [cmdb_key_value]
    Field Description
    Key [key] Tag name.
    Value [value] Tag value.
    Configuration item [configuration_item] References the Cloud Resource [cmdb_ci_cmp_resource] table.