@infamousjoeg
Created August 6, 2025 17:31
Get all Azure Key Vaults in an Azure Management Group that contain Secret objects

How to Run

  1. Install the Azure PowerShell module (if not installed):

     Install-Module -Name Az -Scope CurrentUser

  2. Save the script to a file, e.g., Find-KeyVaults-With-Secrets.ps1, and set $ManagementGroupId in the VARIABLES block to your management group ID.

  3. Run in PowerShell:

     .\Find-KeyVaults-With-Secrets.ps1

     It will prompt you to log in to Azure and then scan the management group.

Security Notes

  • Requires Microsoft.KeyVault/vaults/secrets/read permission on each vault.
  • If you have read permission on vault metadata but not secrets, the vault will be skipped.
  • This script does not output secret values—only counts and metadata.

Find-KeyVaults-With-Secrets.ps1

# Requires: Az PowerShell Module
# Install with: Install-Module -Name Az -Scope CurrentUser

# ------------------------
# VARIABLES - EDIT THESE
# ------------------------
$ManagementGroupId = "<YourManagementGroupID>" # e.g. "mg-root"

# ------------------------
# CONNECT TO AZURE
# ------------------------
Write-Host "Logging into Azure..." -ForegroundColor Cyan
Connect-AzAccount -UseDeviceAuthentication

# ------------------------
# GET SUBSCRIPTIONS UNDER MANAGEMENT GROUP
# ------------------------
Write-Host "Fetching subscriptions under management group '$ManagementGroupId'..." -ForegroundColor Cyan
# Note: this returns the subscriptions that sit directly under the group;
# subscriptions placed in nested child management groups are not included.
$subscriptions = Get-AzManagementGroupSubscription -GroupName $ManagementGroupId
if (-not $subscriptions) {
    Write-Host "No subscriptions found under management group $ManagementGroupId" -ForegroundColor Red
    exit
}

# ------------------------
# PROCESS EACH SUBSCRIPTION
# ------------------------
$results = @()
foreach ($sub in $subscriptions) {
    $subId = $sub.SubscriptionId
    Write-Host "Switching to subscription: $subId" -ForegroundColor Yellow
    Set-AzContext -SubscriptionId $subId | Out-Null

    # Get all Key Vaults in subscription
    $vaults = Get-AzKeyVault
    foreach ($vault in $vaults) {
        try {
            # List secret metadata only (names, attributes); the list call never returns values.
            # @() makes .Count reliable whether zero, one or many secrets come back.
            $secrets = @(Get-AzKeyVaultSecret -VaultName $vault.VaultName -ErrorAction Stop)
            if ($secrets.Count -gt 0) {
                $results += [PSCustomObject]@{
                    SubscriptionId = $subId
                    VaultName      = $vault.VaultName
                    ResourceGroup  = $vault.ResourceGroupName
                    Location       = $vault.Location
                    SecretCount    = $secrets.Count
                }
            }
        }
        catch {
            # Skip vaults where we can't list secrets (lack of permissions, firewall, other errors);
            # surface the error text so the skip can be triaged later.
            Write-Host "Skipping vault '$($vault.VaultName)': $($_.Exception.Message)" -ForegroundColor DarkGray
        }
    }
}

# ------------------------
# OUTPUT RESULTS
# ------------------------
if ($results.Count -gt 0) {
    Write-Host "Vaults with secrets found:" -ForegroundColor Green
    $results | Format-Table -AutoSize

    # Optional: Export to CSV
    $csvPath = ".\AzureKeyVaultsWithSecrets.csv"
    $results | Export-Csv -Path $csvPath -NoTypeInformation
    Write-Host "Results exported to $csvPath" -ForegroundColor Cyan
}
else {
    Write-Host "No vaults with secrets found under management group '$ManagementGroupId'." -ForegroundColor Red
}
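Two gaps a practitioner will hit with the script above: Get-AzManagementGroupSubscription only lists subscriptions directly under the named group, so vaults in nested child groups are never visited, and a skipped vault tells you nothing about whether the cause was a missing data-plane permission or a vault firewall. The following is an added companion example (not part of the gist, and not CyberArk's or Microsoft's code) that walks the management-group tree with Get-AzManagementGroup -Expand -Recurse and classifies the reason a vault cannot be listed. It still reads only secret metadata. Assumptions are marked in comments: that child nodes expose Type, Name and Children, that Name carries the subscription GUID, and that the error-message patterns used for classification match your Az version (they are heuristics, not an API contract).

```powershell
# Added example; assumes the Az module is installed and Connect-AzAccount has already run.

function Get-SubscriptionIdsUnderManagementGroup {
    param([Parameter(Mandatory)][string]$GroupName)

    # -Expand -Recurse returns the whole subtree in one call.
    $root = Get-AzManagementGroup -GroupName $GroupName -Expand -Recurse

    $ids   = [System.Collections.Generic.List[string]]::new()
    $stack = [System.Collections.Stack]::new()
    $stack.Push($root)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        foreach ($child in @($node.Children)) {
            if ($null -eq $child) { continue }   # leaf nodes have no Children
            # Assumption: Type contains "subscriptions" for subscriptions and
            # "managementGroups" for nested groups; Name holds the subscription GUID.
            if ($child.Type -like '*subscriptions*') {
                $ids.Add($child.Name)
            }
            elseif ($child.Type -like '*managementGroups*') {
                $stack.Push($child)
            }
        }
    }
    return $ids
}

function Test-KeyVaultSecretListAccess {
    param([Parameter(Mandatory)][string]$VaultName)

    $result = [ordered]@{ VaultName = $VaultName; CanList = $false; SecretCount = 0; Reason = '' }
    try {
        # List call returns identity items only; no secret values are retrieved.
        $secrets = @(Get-AzKeyVaultSecret -VaultName $VaultName -ErrorAction Stop)
        $result.CanList     = $true
        $result.SecretCount = $secrets.Count
        $result.Reason      = 'ok'
    }
    catch {
        $msg = $_.Exception.Message
        # Heuristic classification by message text (assumption: wording differs
        # between Az versions). Firewall is checked first because its text also
        # contains "Forbidden".
        $result.Reason = switch -Regex ($msg) {
            'ForbiddenByFirewall|firewall|public network access' { 'network-restricted'; break }
            'Forbidden|not authorized|AccessDenied|permission'   { 'no-data-plane-permission'; break }
            'NotFound|could not be found'                        { 'vault-not-found'; break }
            default                                              { "other: $msg" }
        }
    }
    return [PSCustomObject]$result
}

# Usage: visit every vault under the whole subtree and record the access decision
# per vault, so "skipped" rows can be reviewed alongside the counts.
$report = foreach ($subId in Get-SubscriptionIdsUnderManagementGroup -GroupName '<YourManagementGroupID>') {
    Set-AzContext -SubscriptionId $subId | Out-Null
    foreach ($vault in Get-AzKeyVault) {
        Test-KeyVaultSecretListAccess -VaultName $vault.VaultName |
            Add-Member -NotePropertyName SubscriptionId -NotePropertyValue $subId -PassThru
    }
}
$report | Format-Table -AutoSize
```

A row with Reason = no-data-plane-permission on a vault you can see in ARM is the case the Security Notes describe: metadata read is granted but listing secrets is not. A network-restricted row means the vault firewall rejected the caller rather than an authorization check, which is worth distinguishing before requesting any role change.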