Azure · DanielMicrosoft · Dec 30, 2025 · Dec 30, 2025 · Dec 31, 2025 · Dec 31, 2025
diff --git a/src/KeyVault/KeyVault.Test/PesterTests/CertificateBackedKeyFiltering.Tests.ps1 b/src/KeyVault/KeyVault.Test/PesterTests/CertificateBackedKeyFiltering.Tests.ps1
@@ -0,0 +1,57 @@
+
+$debugModulePath = "$PSScriptRoot\..\..\..\..\artifacts\Debug\Az.KeyVault\Az.KeyVault.psd1"
+Import-Module $debugModulePath -Force
+
-$debugModulePath = "$PSScriptRoot\..\..\..\..\artifacts\Debug\Az.KeyVault\Az.KeyVault.psd1"
-Import-Module $debugModulePath -Force
-$debugModulePath = "$PSScriptRoot\..\..\..\..\artifacts\Debug\Az.KeyVault\Az.KeyVault.psd1"
-Import-Module $debugModulePath -Force
+$vaultName = 'danielKV7103'
+. "$PSScriptRoot\..\Scripts\Common.ps1"
-$vaultName = 'danielKV7103'
-. "$PSScriptRoot\..\Scripts\Common.ps1"
+. "$PSScriptRoot\..\Scripts\Common.ps1"
+$vaultName = Get-KeyVaultName
-$vaultName = 'danielKV7103'
-. "$PSScriptRoot\..\Scripts\Common.ps1"
+. "$PSScriptRoot\..\Scripts\Common.ps1"
+$vaultName = Get-KeyVaultName
+
+Describe "Get-AzKeyVaultKey filters certificate-backed keys" {
+    It "Should not return certificate-backed managed keys" {
+        $certName = Get-CertificateName
+        $keyName = Get-KeyName
+
+        # Create a self-signed certificate (creates a managed key)
+        $policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=test.contoso.com" -IssuerName Self -ValidityInMonths 6
+        $certOp = Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy
+
+        Start-Sleep -Seconds 30
+        $cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
+        $cert | Should Not BeNullOrEmpty
+
+        $key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software
+        $key | Should Not BeNullOrEmpty
+
+        $keys = Get-AzKeyVaultKey -VaultName $vaultName
+
+        $standaloneKey = $keys | Where-Object { $_.Name -eq $keyName }
+        $standaloneKey | Should Not BeNullOrEmpty
+
+        $certBackedKey = $keys | Where-Object { $_.Name -eq $certName }
+        $certBackedKey | Should BeNullOrEmpty
+    }
+}
+
+Describe "Get-AzKeyVaultSecret filters certificate-backed secrets" {
+    It "Should not return certificate-backed managed secrets" {
+        $certName = Get-CertificateName
+        $secretName = Get-SecretName
+
+        # Create a certificate (creates both managed key AND managed secret)
+        $policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=test2.contoso.com" -IssuerName Self -ValidityInMonths 6
+        $certOp = Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy
+
+        Start-Sleep -Seconds 30
+
+        $secretValue = ConvertTo-SecureString "MySecretValue123!" -AsPlainText -Force
+        $secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue
+        $secret | Should Not BeNullOrEmpty
+
+        $secrets = Get-AzKeyVaultSecret -VaultName $vaultName
+
+        $standaloneSecret = $secrets | Where-Object { $_.Name -eq $secretName }
+        $standaloneSecret | Should Not BeNullOrEmpty
+
+        $certBackedSecret = $secrets | Where-Object { $_.Name -eq $certName }
+        $certBackedSecret | Should BeNullOrEmpty
+    }
+}
diff --git a/src/KeyVault/KeyVault/Models/Client/KeyVaultDataServiceClient.cs b/src/KeyVault/KeyVault/Models/Client/KeyVaultDataServiceClient.cs
@@ -719,7 +719,8 @@ public IEnumerable<PSKeyVaultSecretIdentityItem> GetSecrets(KeyVaultObjectFilter
 
                 options.NextLink = result.NextPageLink;
                 return (result == null) ? new List<PSKeyVaultSecretIdentityItem>() :
-                    result.Select((secretItem) => new PSKeyVaultSecretIdentityItem(secretItem, this.vaultUriHelper));
+                    result.Where((secretItem) => secretItem.Managed != true)
+                          .Select((secretItem) => new PSKeyVaultSecretIdentityItem(secretItem, this.vaultUriHelper));
             }
             catch (Exception ex)
             {
@@ -748,7 +749,8 @@ public IEnumerable<PSKeyVaultSecretIdentityItem> GetSecretVersions(KeyVaultObjec
                     result = this.keyVaultClient.GetSecretVersionsNextAsync(options.NextLink).GetAwaiter().GetResult();
 
                 options.NextLink = result.NextPageLink;
-                return result.Select((secretItem) => new PSKeyVaultSecretIdentityItem(secretItem, this.vaultUriHelper));
+                return result.Where((secretItem) => secretItem.Managed != true)
+                             .Select((secretItem) => new PSKeyVaultSecretIdentityItem(secretItem, this.vaultUriHelper));
             }
             catch (Exception ex)
             {

diff --git a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs
@@ -142,7 +142,10 @@ private IEnumerable<PSKeyVaultKeyIdentityItem> GetKeys(KeyClient client)
             var allKeys = client.GetPropertiesOfKeys();
             foreach (var keyProperties in allKeys)
             {
-                results.Add(new PSKeyVaultKeyIdentityItem(keyProperties, _vaultUriHelper, false));
+                if (keyProperties.Managed != true)
+                {
+                    results.Add(new PSKeyVaultKeyIdentityItem(keyProperties, _vaultUriHelper, false));
+                }
             }
             return results;
         }
@@ -159,7 +162,10 @@ private IEnumerable<PSKeyVaultKeyIdentityItem> GetKeyVersions(KeyClient client,
             var allKeys = client.GetPropertiesOfKeyVersions(keyName);
             foreach (var keyProperties in allKeys)
             {
-                results.Add(new PSKeyVaultKeyIdentityItem(keyProperties, _vaultUriHelper, false));
+                if (keyProperties.Managed != true)
+                {
+                    results.Add(new PSKeyVaultKeyIdentityItem(keyProperties, _vaultUriHelper, false));
+                }
             }
             return results;
         }