diff --git a/azurerm/internal/services/iothub/iothub_shared_access_policy_resource.go b/azurerm/internal/services/iothub/iothub_shared_access_policy_resource.go
index fe394e6196c4..b8908d588d0e 100644
--- a/azurerm/internal/services/iothub/iothub_shared_access_policy_resource.go
+++ b/azurerm/internal/services/iothub/iothub_shared_access_policy_resource.go
@@ -171,6 +171,15 @@ func resourceArmIotHubSharedAccessPolicyCreateUpdate(d *schema.ResourceData, met
 			if features.ShouldResourcesBeImported() && d.IsNewResource() {
 				return tf.ImportAsExistsError("azurerm_iothub_shared_access_policy", resourceId)
 			}
+
+			if existingAccessPolicy.PrimaryKey != nil {
+				expandedAccessPolicy.PrimaryKey = existingAccessPolicy.PrimaryKey
+			}
+
+			if existingAccessPolicy.SecondaryKey != nil {
+				expandedAccessPolicy.SecondaryKey = existingAccessPolicy.SecondaryKey
+			}
+
 			accessPolicies = append(accessPolicies, expandedAccessPolicy)
 			alreadyExists = true
 		} else {