Azure · simonzhang0428 · Oct 9, 2025 · Copilot · Oct 10, 2025
diff --git a/src/Sql/Sql/Common/TdeKeyHelper.cs b/src/Sql/Sql/Common/TdeKeyHelper.cs
@@ -30,7 +30,9 @@ class TdeKeyHelper
         /// <summary>
         /// Creates the SQL Server Key Name from an Azure Key Vault KeyId
         /// Throws an exception if the provided KeyId is malformed.
-        /// An example of a well formed Azure Key Vault KeyId is: https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901
+        /// Examples of well formed Azure Key Vault KeyIds are:
+        /// https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901 (versioned)
+        /// https://YourVaultName.vault.azure.net/keys/YourKeyName (versionless)
         /// </summary>
         /// <param name="keyId">The full Azure Key Vault KeyId</param>
         /// <returns>The Server Key Name for the provided KeyId</returns>
@@ -41,8 +43,8 @@ public static string CreateServerKeyNameFromKeyId(string keyId)
                 return ServerKeyType.ServiceManaged.ToString();
             }
 
-            // Validate that the url is a keyvault url and has a key and version
-            Regex r = new Regex(@"https://(.)+\.(managedhsm.azure.net|managedhsm-preview.azure.net|vault.azure.net|vault-int.azure-int.net|vault.azure.cn|managedhsm.azure.cn|vault.usgovcloudapi.net|managedhsm.usgovcloudapi.net|vault.microsoftazure.de|managedhsm.microsoftazure.de|vault.cloudapi.eaglex.ic.gov|vault.cloudapi.microsoft.scloud)(:443)?\/keys/[^\/]+\/[0-9a-zA-Z]+$", RegexOptions.IgnoreCase);
+            // Validate that the url is a keyvault url and has a key with an optional version
+            Regex r = new Regex(@"^https://(.)+\.(managedhsm\.azure\.net|managedhsm-preview\.azure\.net|vault\.azure\.net|vault-int\.azure-int\.net|vault\.azure\.cn|managedhsm\.azure\.cn|vault\.usgovcloudapi\.net|managedhsm\.usgovcloudapi\.net|vault\.microsoftazure\.de|managedhsm\.microsoftazure\.de|vault\.cloudapi\.eaglex\.ic\.gov|vault\.cloudapi\.microsoft\.scloud|mdep\.azure\.net)(:443)?/keys/[^/]+(/([0-9a-zA-Z]+))?/?$", RegexOptions.IgnoreCase);
             if (!r.IsMatch(keyId))
             {
                 // Throw an error here, since we don't want to use a non keyvault url
@@ -53,10 +55,17 @@ public static string CreateServerKeyNameFromKeyId(string keyId)
             var uri = new Uri(keyId);
 
             string vault = uri.Host.Split('.').First();
-            string key = uri.Segments[2].TrimEnd('/');
-            string version = uri.Segments.Last();
+            string[] pathSegments = uri.AbsolutePath.Trim('/').Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
-            string[] pathSegments = uri.AbsolutePath.Trim('/').Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
+            string[] pathSegments = uri.AbsolutePath.Trim('/').Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
+            if (pathSegments.Length < 2)
+            {
+                throw new ArgumentException(message:String.Format(Properties.Resources.InvalidKeyId, keyId), paramName:"KeyId");
+            }
-            string[] pathSegments = uri.AbsolutePath.Trim('/').Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
+            string[] pathSegments = uri.AbsolutePath.Trim('/').Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
+            if (pathSegments.Length < 2)
+            {
+                throw new ArgumentException(message:String.Format(Properties.Resources.InvalidKeyId, keyId), paramName:"KeyId");
+            }
+            string key = pathSegments[1];
+            bool hasVersion = pathSegments.Length >= 3 && !string.IsNullOrEmpty(pathSegments[2]);
 
-            return String.Format("{0}_{1}_{2}", vault, key, version);
+            if (hasVersion)
+            {
+                string version = pathSegments[2];
+                return String.Format("{0}_{1}_{2}", vault, key, version);
+            }
+
+            return String.Format("{0}_{1}", vault, key);
         }
     }
 }
diff --git a/src/Sql/Sql/Properties/Resources.Designer.cs b/src/Sql/Sql/Properties/Resources.Designer.cs
diff --git a/src/Sql/Sql/Properties/Resources.resx b/src/Sql/Sql/Properties/Resources.resx
@@ -454,7 +454,7 @@
     <value>KeyId parameter is required for encryption protector type AzureKeyVault</value>
   </data>
   <data name="InvalidKeyId" xml:space="preserve">
-    <value>Invalid parameter format for keyId: '{0}'. It should be a well formed Azure Key Vault KeyId like: https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901</value>
+    <value>Invalid parameter format for keyId: '{0}'. It should be a well formed Azure Key Vault KeyId such as https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901 (versioned) or https://YourVaultName.vault.azure.net/keys/YourKeyName (versionless).</value>
   </data>
   <data name="SetAzureSqlInstanceDescription" xml:space="preserve">
     <value>Setting Azure Sql Database Managed Instance '{0}'.</value>
@@ -778,4 +778,4 @@
   <data name="InvalidSoftDeleteRetentionDaysRange" xml:space="preserve">
     <value>SoftDeleteRetentionDays must be between 1 and 35 when EnableSoftDelete is true.</value>
   </data>
-</root>
+</root>
diff --git a/src/Sql/Sql/help/Add-AzSqlServerKeyVaultKey.md b/src/Sql/Sql/help/Add-AzSqlServerKeyVaultKey.md
@@ -38,7 +38,7 @@ Thumbprint        : 1122334455667788990011223344556677889900
 CreationDate      : 1/1/2017 12:00:00 AM
 ```
 
-This command adds the Key Vault key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901' to the SQL server named 'ContosoServer' in the resource group 'ContosoResourceGroup'.
+This command adds the Key Vault key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901' to the SQL server named 'ContosoServer' in the resource group 'ContosoResourceGroup'. Versionless key IDs, for example 'https://contoso.vault.azure.net/keys/contosokey', are also supported.
 
 ## PARAMETERS
 

diff --git a/src/Sql/Sql/help/Get-AzSqlServerKeyVaultKey.md b/src/Sql/Sql/help/Get-AzSqlServerKeyVaultKey.md
@@ -53,7 +53,7 @@ $MyServerKeyVaultKey = Get-AzSqlServerKeyVaultKey -KeyId 'https://contoso.vault.
 ```
 
 This command gets the Key Vault key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901', and then stores it in the $MyServerKeyVaultKey variable.
-You can inspect the properties of $MyServerKeyVaultKey to get details about the key vault.
+You can inspect the properties of $MyServerKeyVaultKey to get details about the key vault. Versionless key IDs, for example 'https://contoso.vault.azure.net/keys/contosokey', are also supported.
 
 ## PARAMETERS
 

diff --git a/src/Sql/Sql/help/Set-AzSqlServerTransparentDataEncryptionProtector.md b/src/Sql/Sql/help/Set-AzSqlServerTransparentDataEncryptionProtector.md
@@ -48,7 +48,7 @@ ResourceGroupName    ServerName                   Type ServerKeyVaultKeyName
 ContosoResourceGroup ContosoServer       AzureKeyVault contoso_contosokey_01234567890123456789012345678901
 ```
 
-This command updates a server to use the Server Key Vault Key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901' as the TDE protector.
+This command updates a server to use the Server Key Vault Key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901' as the TDE protector. You can also specify a versionless key, for example 'https://contoso.vault.azure.net/keys/contosokey'.
 
 ### Example 3
 
@@ -123,7 +123,7 @@ Accept wildcard characters: False
 ```
 
 ### -KeyId
-The Azure Key Vault KeyId.
+The Azure Key Vault KeyId. Supports versioned and versionless key IDs.
 
 ```yaml
 Type: System.String