Merge pull request #2634 from msmbaldwin/akv-whats-new

prmerger-automator[bot] · web-flow · commit 18f056c907db · 2026-03-24T22:38:17.000Z
akv-whats-new
diff --git a/articles/key-vault/general/access-control-default.md b/articles/key-vault/general/access-control-default.md
@@ -6,7 +6,7 @@ ms.author: mbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 02/27/2026
+ms.date: 03/24/2026
 ms.custom: devx-track-azurepowershell, devx-track-azurecli, sfi-image-nochange
 
 #customer intent: As an Azure Key Vault administrator, I want to migrate from access policies to Azure RBAC so that I can improve security and simplify access management.
@@ -15,15 +15,19 @@ ms.custom: devx-track-azurepowershell, devx-track-azurecli, sfi-image-nochange
 
 # Prepare for Key Vault API version 2026-02-01 and later: Azure RBAC as default access control
 
-Azure Key Vault API version 2026-02-01 and later change the default access control model for new vaults to Azure RBAC, consistent with the Azure portal experience. Both Azure RBAC and access policies remain fully supported.
+Azure Key Vault API version 2026-02-01 and later change the default access control model for new vaults to Azure RBAC, consistent with the Azure portal experience. Both Azure RBAC and access policies remain fully supported. API version 2026-02-01 is available in public Azure regions, Mooncake, and Fairfax.
 
 - **New key vault creation behavior**: When you create a new vault with API version `2026-02-01` or later, the default access control model is Azure RBAC (`enableRbacAuthorization = true`). This default applies only to **create** operations. To use access policies for new vaults, set `enableRbacAuthorization` to `false` at creation time.
 - **Existing key vault behavior**: Existing vaults keep their current access control model unless you explicitly change `enableRbacAuthorization`. Using API version `2026-02-01` or later to update a vault does not automatically change access control. Vaults where `enableRbacAuthorization` is `null` (from older API versions) continue using access policies.
 
 > [!IMPORTANT]
 > All Key Vault Control Plane API versions before 2026-02-01 retire on February 27, 2027. Adopt API version 2026-02-01 or later before this date. Data Plane APIs are not affected.
+>
+> Preview API versions (except 2026-04-01-preview) are being deprecated with a 90-day notice period.
 > 
 > Note that Azure Cloud Shell always uses the latest API version. If you have scripts that run in Cloud Shell, ensure they are compatible with API version 2026-02-01 or later.
+>
+> Control plane management SDKs supporting API version 2026-02-01 are available for all languages. For package details, see [What's new for Azure Key Vault](whats-new.md#control-plane-sdk-releases).
 
 We encourage you to migrate key vaults that currently use access policies (legacy) to Azure RBAC for improved security. For more information on why Azure RBAC is recommended, see [Azure role-based access control (Azure RBAC) vs. access policies](rbac-access-policy.md).
 
diff --git a/articles/key-vault/general/client-libraries.md b/articles/key-vault/general/client-libraries.md
@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: tutorial
-ms.date: 01/08/2026
+ms.date: 03/24/2026
 ms.author: mbaldwin
 
 
@@ -20,7 +20,7 @@ The Azure Key Vault client libraries provide programmatic access to Key Vault fu
 
 ## Client libraries per language and object
 
-Each SDK has separate client libraries for secrets, keys, certificates, and management (control plane).
+Each SDK has separate client libraries for secrets, keys, certificates, and management (control plane). For the latest control plane SDK release information supporting API version 2026-02-01, see [What's new for Azure Key Vault](whats-new.md#control-plane-sdk-releases).
 
 | Language | Secrets | Keys | Certificates | Key Vault (Control plane) |
 |--|--|--|--|--|
@@ -29,6 +29,7 @@ Each SDK has separate client libraries for secrets, keys, certificates, and mana
 | **Java** | - [API Reference](/java/api/overview/azure/security-keyvault-secrets-readme)<br>- [Source](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-secrets)<br>- [Quickstart](../secrets/quick-create-java.md) | - [API Reference](/java/api/overview/azure/security-keyvault-keys-readme)<br>- [Source](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-keys)<br>- [Quickstart](../keys/quick-create-java.md) | - [API Reference](/java/api/overview/azure/security-keyvault-certificates-readme)<br>- [Source](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-certificates)<br>- [Quickstart](../certificates/quick-create-java.md) | - [API Reference](/java/api/overview/azure/resourcemanager-keyvault-readme)<br>- [Source](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-resourcemanager-keyvault) |
 | **Spring** | - [Reference](/azure/developer/java/spring-framework/spring-cloud-azure?tabs=maven#secret-management)<br>- [Source](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/spring)<br>- [Quickstart](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault) | | - [Reference](/azure/developer/java/spring-framework/spring-cloud-azure-appendix#azure-key-vault-certificates-properties)<br>- [Source](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/spring)<br>- [Quickstart](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates) | |
 | **Node.js** | - [API Reference](/javascript/api/@azure/keyvault-secrets/)<br>- [npm](https://www.npmjs.com/package/@azure/keyvault-secrets)<br>- [Source](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/keyvault/keyvault-secrets)<br>- [Quickstart](../secrets/quick-create-node.md) | - [API Reference](/javascript/api/@azure/keyvault-keys/)<br>- [npm](https://www.npmjs.com/package/@azure/keyvault-keys)<br>- [Source](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/keyvault/keyvault-keys)<br>- [Quickstart](../keys/quick-create-node.md) | - [API Reference](/javascript/api/@azure/keyvault-certificates/)<br>- [npm](https://www.npmjs.com/package/@azure/keyvault-certificates)<br>- [Source](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/keyvault/keyvault-certificates)<br>- [Quickstart](../certificates/quick-create-node.md) | - [API Reference](/javascript/api/@azure/arm-keyvault/)<br>- [npm](https://www.npmjs.com/package/@azure/arm-keyvault)<br>- [Source](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/keyvault/arm-keyvault) |
+| **Go** | - [API Reference](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets)<br>- [Source](https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/security/keyvault/azsecrets) | - [API Reference](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys)<br>- [Source](https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/security/keyvault/azkeys) | - [API Reference](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates)<br>- [Source](https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/security/keyvault/azcertificates) | - [API Reference](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault)<br>- [Source](https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/resourcemanager/keyvault/armkeyvault) |
 
 ## Next steps
 - See the [Azure Key Vault developer's guide](developers-guide.md).
diff --git a/articles/key-vault/general/private-link-service.md b/articles/key-vault/general/private-link-service.md
@@ -3,7 +3,7 @@ title: Integrate Key Vault with Azure Private Link
 description: Learn how to integrate Azure Key Vault with Azure Private Link Service
 author: msmbaldwin
 ms.author: mbaldwin
-ms.date: 01/30/2026
+ms.date: 03/24/2026
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: how-to
@@ -31,6 +31,8 @@ Your private endpoint and virtual network must be in the same region. When you s
 
 Your private endpoint uses a private IP address in your virtual network.
 
+Azure Key Vault enforces limits on the number of private endpoints per vault. For information on these limits, see [Azure Key Vault service limits](service-limits.md).
+
 # [Azure portal](#tab/portal)
 
 ## Establish a private link connection to Key Vault using the Azure portal
diff --git a/articles/key-vault/general/rbac-access-policy.md b/articles/key-vault/general/rbac-access-policy.md
@@ -6,7 +6,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 01/30/2026
+ms.date: 03/24/2026
 ms.author: mbaldwin
 
 ---
@@ -22,7 +22,9 @@ The access policy model is a legacy authorization system, native to Key Vault, w
 
 ## Data plane access control recommendation
 
-Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. It offers several advantages over Key Vault access policies:
+Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Starting with API version 2026-02-01, Azure RBAC is also the **default access control model for new key vaults**, consistent with the Azure portal experience. For details on this change and guidance for preparing your deployments, see [Prepare for Key Vault API version 2026-02-01 and later](access-control-default.md).
+
+Azure RBAC offers several advantages over Key Vault access policies:
 - Azure RBAC provides a unified access control model for Azure resources &mdash; the same APIs are used across all Azure services.
 - Access management is centralized, providing administrators with a consistent view of access granted to Azure resources.
 - The right to grant access to keys, secrets, and certificates is better controlled, requiring Owner or User Access Administrator role membership.
diff --git a/articles/key-vault/general/rbac-guide.md b/articles/key-vault/general/rbac-guide.md
@@ -7,7 +7,7 @@ ms.service: azure-key-vault
 ms.subservice: general
 ms.custom: devx-track-azurecli, devx-track-azurepowershell, sfi-image-nochange, copilot-scenario-highlight
 ms.topic: how-to
-ms.date: 01/30/2026
+ms.date: 03/24/2026
 ms.author: mbaldwin
 ---
 
@@ -16,7 +16,7 @@ ms.author: mbaldwin
 > [!NOTE]
 > Key Vault resource provider supports two resource types: **vaults** and **managed HSMs**. Access control described in this article only applies to **vaults**. To learn more about access control for managed HSM, see [Managed HSM access control](../managed-hsm/access-control.md).
 
-Azure role-based access control (Azure RBAC) is an authorization system built on [Azure Resource Manager](/azure/azure-resource-manager/management/overview) that provides centralized access management of Azure resources.
+Azure role-based access control (Azure RBAC) is an authorization system built on [Azure Resource Manager](/azure/azure-resource-manager/management/overview) that provides centralized access management of Azure resources. Starting with API version 2026-02-01, Azure RBAC is the default access control model for newly created key vaults. For details on this change and how to prepare, see [Prepare for Key Vault API version 2026-02-01 and later](access-control-default.md).
 
 Azure RBAC allows users to manage keys, secrets, and certificates permissions, and provides one place to manage all permissions across all key vaults.
 
diff --git a/articles/key-vault/general/rbac-migration.md b/articles/key-vault/general/rbac-migration.md
@@ -6,13 +6,15 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 01/30/2026
+ms.date: 03/24/2026
 ms.author: mbaldwin
 ms.custom: sfi-image-nochange
 ---
 # Migrate to Azure RBAC from access policies
 
-Azure Key Vault offers two access control models: Azure role-based access control (Azure RBAC), and an access policy model. Azure RBAC is the default and recommended access control model for Azure Key Vault. For a comparison of the two methods of authorization, see [Azure role-based access control (Azure RBAC) vs. access policies](rbac-access-policy.md).
+Azure Key Vault offers two access control models: Azure role-based access control (Azure RBAC), and an access policy model. Azure RBAC is the default and recommended access control model for Azure Key Vault. Starting with API version 2026-02-01, Azure RBAC is the default access control model for new vaults. For a comparison of the two methods of authorization, see [Azure role-based access control (Azure RBAC) vs. access policies](rbac-access-policy.md).
+
+For information on preparing your existing deployments for this change, see [Prepare for Key Vault API version 2026-02-01 and later](access-control-default.md).
 
 This article provides the information necessary to migrate a key vault from an access policy model to an Azure RBAC model.
 
diff --git a/articles/key-vault/general/whats-new.md b/articles/key-vault/general/whats-new.md
@@ -6,7 +6,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: reference
-ms.date: 01/30/2026
+ms.date: 03/24/2026
 ms.author: mbaldwin
 
 #Customer intent: As an Azure Key Vault administrator, I want to react to soft-delete being turned on for all key vaults.
@@ -17,6 +17,57 @@ ms.author: mbaldwin
 
 Here's what's new with Azure Key Vault. New features and improvements are also announced on the [Azure updates Key Vault channel](https://azure.microsoft.com/updates/?category=security&query=Key%20vault).
 
+## March 2026
+
+### New control plane API versions
+
+New Azure Key Vault control plane API versions (2026-02-01 and 2026-03-01-preview) are now available across public Azure regions, with availability extended to Mooncake and Fairfax clouds.
+
+### Preview API version deprecation
+
+Azure Key Vault is deprecating older preview control plane API versions in accordance with Azure guidelines. All preview API versions except 2026-04-01-preview will be deprecated with a 90-day notice period. Customers using preview API versions should plan to migrate to the latest stable API version (2026-02-01) or the upcoming 2026-04-01-preview version.
+
+### Control plane SDK releases
+
+All five Azure Key Vault control plane management SDKs are now released:
+
+| Language | Package | Version |
+|----------|---------|---------|
+| .NET | [Azure.ResourceManager.KeyVault](https://www.nuget.org/packages/Azure.ResourceManager.KeyVault) | 1.4.0 |
+| JavaScript | [@azure/arm-keyvault](https://www.npmjs.com/package/@azure/arm-keyvault) | Latest |
+| Go | [armkeyvault](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/v2) | v2 |
+| Python | [azure-mgmt-keyvault](https://pypi.org/project/azure-mgmt-keyvault/) | Latest |
+| Java | [azure-resourcemanager-keyvault](https://central.sonatype.com/artifact/com.azure.resourcemanager/azure-resourcemanager-keyvault) | Latest |
+
+### Azure RBAC is the default access control model for new vaults
+
+Azure Key Vault API version 2026-02-01 introduces Azure RBAC as the default access control model for newly created key vaults when using this API version. Existing vaults continue using their current access model unless explicitly updated. Both Azure RBAC and access policies remain fully supported.
+
+For more information, see [Prepare for Key Vault API version 2026-02-01 and later](access-control-default.md).
+
+### Private endpoint limit enforcement
+
+Azure Key Vault is enforcing limits on the number of private endpoints per vault. Customers exceeding these limits may need to reduce usage or request an exception through Azure support.
+
+For more information on private endpoint limits, see [Azure Key Vault service limits](service-limits.md).
+
+## November 2025
+
+### Security best practices articles
+
+New security best practices documentation is available for Azure Key Vault workloads:
+
+- [Secure your Azure Key Vault](secure-key-vault.md): Comprehensive security guidance for vault architecture, network security, identity and access management, and monitoring.
+- [Secure your Azure Key Vault keys](../keys/secure-keys.md): Key-specific security recommendations for key types, protection levels, rotation, and operations.
+- [Secure your Azure Key Vault secrets](../secrets/secure-secrets.md): Secrets-specific best practices for storage, rotation, and access patterns.
+- [Secure your Azure Key Vault certificates](../certificates/secure-certificates.md): Certificate-specific guidance for lifecycle management, CA integration, and renewal.
+
+### Apps, API keys, and Key Vault secrets guidance
+
+New guidance is available for configuring applications to securely interact with API keys stored in Azure Key Vault, including best practices for access control, monitoring, and network restrictions.
+
+For more information, see [Apps, API keys, and Azure Key Vault secrets](apps-api-keys-secrets.md).
+
 ## July 2023
 
 Built-in policy to govern the key rotation configuration in Azure Key Vault. With this policy, you can audit existing keys in key vaults to ensure that all keys are configured for rotation and comply with your organization's standards. 
