
Clarification on Azure Key Vault Secret Update Behavior with Azure App Service (Web-APP)

Vicheth Sim 0 Reputation points
2026-03-26T09:48:06.53+00:00

Hi Everyone!

I would like to clarify the behavior of Azure Key Vault integration with Azure App Service using Key Vault references in application settings.

Current setup:

  • Secrets are stored in Azure Key Vault
  • Azure App Service is configured to use Key Vault references in App Settings (e.g. @Microsoft.KeyVault(SecretUri=...))

Questions:

  1. When a secret value is updated in Azure Key Vault, does it automatically trigger a restart of the Azure App Service?
  2. If not, how frequently does Azure App Service refresh the Key Vault reference values?
  3. Is there any official SLA or documented refresh interval for Key Vault references?
  4. Are there recommended approaches to ensure near real-time updates of secrets without requiring manual restarts?
  5. Does Azure Web-App have an auto refresh that is not instant (usually within ~24 hours, sometimes faster due to caching behavior)?

We want to ensure our application always uses the latest secret values while minimizing downtime and manual intervention.

Appreciate your clarification and any best practice recommendations.

Thanks,
Vicheth

Azure App Configuration

An Azure service that provides hosted, universal storage for Azure app configurations.


2 answers

  1. Siddhesh Desai 4,815 Reputation points Microsoft External Staff Moderator
    2026-03-26T10:28:36.81+00:00

    Hi @Vicheth Sim

    Thank you for reaching out to Microsoft Q&A.

    When using Azure Key Vault references in Azure App Service application settings, updating a secret value in Azure Key Vault does not automatically restart the App Service. Azure App Service resolves Key Vault references and caches the resolved secret values. These cached values are not refreshed instantly when a secret is updated. Instead, App Service re-fetches all Key Vault–referenced secrets approximately once every 24 hours due to this internal caching behavior. Microsoft does not provide an SLA or guaranteed refresh interval, and the only documented behavior is that the refresh occurs within this approximate 24‑hour window. Because of this, applications may continue using stale secret values for some time after a secret rotation unless an explicit refresh action occurs.

    Refer to the points below to resolve this issue or use them as a workaround:

    Secret updates do not trigger an automatic App Service restart

    Updating a secret in Azure Key Vault alone does not cause the Azure App Service to restart or immediately reload configuration. The application continues running with the cached secret value until a refresh occurs.

    Key Vault reference values are refreshed approximately every 24 hours

    Azure App Service periodically refreshes all Key Vault references, typically within a 24‑hour window. This interval is due to platform caching and is not configurable or guaranteed to be faster. There is no official SLA for immediate or near‑real‑time refresh.

    Any configuration change forces an immediate refresh (with restart)

    If you modify any App Service configuration (for example, updating or adding an app setting), the App Service restarts and immediately re-resolves all Key Vault references, pulling the latest secret values. This is a supported way to force refresh but does involve a restart.

    Manually refresh Key Vault references without a full restart

    You can force Azure App Service to refresh Key Vault references by calling the management API. This refreshes the cached secret values without manually restarting the app:

        POST https://management.azure.com/{resourceId}/config/configreferences/appsettings/refresh?api-version=2022-03-01

    This approach is commonly used in automation scenarios after secret rotation. [learn.microsoft.com]

    Avoid pinning secrets to a specific version

    Ensure your Key Vault reference does not include a SecretVersion. Referencing only the secret name or base SecretUri allows App Service to automatically resolve the latest version during refresh cycles.

    For near real-time updates, consider Azure App Configuration

    If your application requires near real‑time secret or configuration updates without restarts, Microsoft recommends using Azure App Configuration with Key Vault integration, which supports dynamic refresh patterns and explicit refresh triggers in application code. This is the preferred approach for minimizing downtime and manual intervention.


  2. Q&A Assist
    2026-03-26T09:48:32.2466667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. Updating a secret in Azure Key Vault does not automatically restart an Azure App Service.
    2. When using Key Vault references in App Service application settings without specifying a secret version, App Service automatically picks up the latest version. However, values are cached and re-fetched approximately every 24 hours:
      • App Service caches Key Vault reference values.
      • It refetches all referenced secrets every 24 hours.
    3. There is documented behavior, but not an instant refresh SLA. The documented refresh interval is “within 24 hours” due to caching. Any configuration change to the app (for example, changing an app setting) causes an app restart and an immediate refetch of all referenced secrets.
    4. Recommended approaches for near real-time updates without manual restarts:
      • Avoid pinning to a specific secret version in the Key Vault reference so the latest version is used automatically:
        • @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret)
        • or @Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
      • Trigger an immediate refresh of Key Vault references without a full manual restart by calling the management API:
        • Make an authenticated POST request to: https://management.azure.com/[Resource ID]/config/configreferences/appsettings/refresh?api-version=2022-03-01
        • This forces resolution of the app’s Key Vault references and updates the cached values.
      • Any configuration change that restarts the app (for example, touching an app setting) will also cause an immediate refetch, but this is more disruptive than using the refresh API.
    5. Azure Web Apps do have an automatic refresh, but it is not instant. The platform behavior is:
      • Automatic refresh of Key Vault references approximately every 24 hours due to caching.
      • Faster refresh can be forced via the management API or by causing a configuration change that restarts the app.

    For scenarios that require tighter control and more frequent refresh of secrets and certificates, Azure App Configuration with Key Vault references can be used from application code. For example, in an ASP.NET Core app, the SetSecretRefreshInterval API can be used to reload Key Vault secrets and certificates on a custom interval, independent of App Service’s 24-hour cache, while being mindful of Key Vault service limits.


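Added example, not part of either answer or of Microsoft's documentation: both answers advise against pinning a reference to a secret version and quote the refresh endpoint, so this Python script audits a set of app settings for pinned references and builds the refresh URL for an app. The setting names, version strings and resource ID are constructed sample values, and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
API = "/config/configreferences/appsettings/refresh?api-version=2022-03-01"

def parse_reference(value):
    """Return (vault, secret, version) or None if value is not a reference."""
    m = REF_RE.match(value.strip())
    if not m:
        return None
    pairs = (p.split("=", 1) for p in m["body"].split(";") if "=" in p)
    fields = {k.strip(): v.strip() for k, v in pairs}
    if "SecretUri" in fields:
        url = urlparse(fields["SecretUri"])
        parts = [s for s in url.path.split("/") if s]  # secrets/<name>[/<version>]
        if len(parts) < 2 or parts[0] != "secrets":
            raise ValueError(f"unexpected SecretUri: {fields['SecretUri']}")
        vault = (url.hostname or "").split(".")[0]
        return vault, parts[1], parts[2] if len(parts) > 2 else None
    if "VaultName" not in fields or "SecretName" not in fields:
        raise ValueError(f"incomplete reference: {value}")
    return fields["VaultName"], fields["SecretName"], fields.get("SecretVersion") or None

def pinned_settings(app_settings):
    """Names of settings pinned to a version; these stay on that version after rotation."""
    refs = {n: parse_reference(v) for n, v in app_settings.items()}
    return sorted(n for n, r in refs.items() if r and r[2])

def refresh_url(resource_id):
    """URL for the authenticated POST that forces re-resolution of references."""
    return "https://management.azure.com/" + resource_id.strip("/") + API

# Constructed sample data (not from the thread).
SAMPLE_SETTINGS = {
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret)",
    "ApiKey": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/apikey/0123456789abcdef0123456789abcdef)",
    "Signing": "@Microsoft.KeyVault(VaultName=myvault;SecretName=signing;SecretVersion=0123456789abcdef0123456789abcdef)",
    "LogLevel": "Information",
}
SAMPLE_APP_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                 "/resourceGroups/example-rg/providers/Microsoft.Web/sites/example-app")

if __name__ == "__main__":
    print("pinned:", pinned_settings(SAMPLE_SETTINGS))
    print("POST", refresh_url(SAMPLE_APP_ID))
```

Settings reported as pinned need their version segment removed before a rotation can reach the app; the POST itself still requires a bearer token for the management API.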
