This chapter covers Azure Key Vault, a cloud service for securely storing and managing secrets, encryption keys, and certificates. For the AZ-900 exam, understanding Key Vault is part of Objective 2.5, which covers identity, governance, privacy, and compliance features. This objective area carries approximately 30-35% of the exam weight, making Key Vault a high-yield topic. You will learn what Key Vault is, how it works, its key components, pricing tiers, and how to configure it via the portal and CLI. We will also explore common exam scenarios, misconceptions, and comparisons with related services.
Jump to a section
Imagine you run a large hotel with hundreds of guests. Each guest has valuables—passports, jewelry, cash—that they need to keep safe but also access quickly when needed. You could let guests leave items in their rooms, but that’s risky: maids, maintenance, or thieves might get in. Instead, you install a row of safety deposit boxes behind the front desk. Each box has two keys: one held by the guest, one by the hotel manager. To open the box, both keys are required. The guest can access their box only during certain hours and after showing ID. The hotel manager never opens a box without the guest present. This is exactly how Azure Key Vault works. Key Vault is a secure, centralized cloud service for storing secrets (like passwords, API keys, certificates) and cryptographic keys. Just like the hotel’s safety deposit boxes, each secret is stored in a separate “vault” with its own access policy. The “guest key” is the Azure Active Directory identity (user or application) that needs access. The “hotel manager key” is the vault’s master key, managed by Azure. To retrieve a secret, the identity must authenticate (show ID) and have the correct permissions. Azure Key Vault also handles key rotation and auditing, just like a hotel logs every box access. The mechanism ensures that even if one key is compromised, the other still protects the valuables. This separation of duties—access control by Azure AD and encryption by the vault—is the core security model.
What is Azure Key Vault and What Business Problem Does It Solve?
Azure Key Vault is a cloud service that provides a secure, centralized repository for storing and controlling access to secrets, encryption keys, and certificates. In traditional on-premises environments, sensitive information like database connection strings, API keys, and SSL certificates is often stored in configuration files, source code, or even plain text spreadsheets. This approach is risky: if a developer checks a secret into a public repository, or if a server is compromised, attackers can easily steal these credentials. Key Vault solves this by removing the need for developers and applications to handle secrets directly. Instead, secrets are stored in a hardware security module (HSM)-backed vault, and applications retrieve them at runtime via authenticated and authorized calls. This centralization also enables auditing, rotation, and granular access control.
How It Works – Step by Step
Create a Vault: You create a Key Vault instance in an Azure region. Each vault is a logical container for secrets, keys, and certificates. The vault itself is protected by Azure’s infrastructure and is isolated from other vaults.
Define Access Policies: You use Azure Role-Based Access Control (RBAC) or vault access policies to specify which users, groups, or applications can perform operations (e.g., read, write, delete) on the secrets. Access is granted via Azure Active Directory (Azure AD) authentication.
Store Secrets: You add secrets (e.g., a connection string) to the vault. Secrets are encrypted at rest using a per-vault encryption key (managed by Azure or by you using a customer-managed key).
Retrieve Secrets: An application authenticates to Azure AD (using a managed identity, service principal, or user identity) and obtains an access token. It then calls the Key Vault REST API, passing the token and the secret name. The vault validates the token and the access policy, and if authorized, returns the secret value.
Rotate and Monitor: You can set expiration dates on secrets and use Azure Monitor and Key Vault logging to track access. Key Vault can also integrate with Azure Automation to rotate secrets automatically.
Key Components
Vault: A logical container. Each vault has a unique DNS name (e.g., myvault.vault.azure.net).
Secret: A sensitive piece of data, such as a password, connection string, or API key. Stored as a JSON object with a value and optional metadata.
Key: A cryptographic key used for encryption, signing, or wrapping. Supports RSA, EC, and symmetric keys. Can be software-protected or HSM-protected.
Certificate: An X.509 v3 certificate. Key Vault can manage the entire lifecycle, including issuance, renewal, and revocation.
Access Policy: A set of permissions assigned to an Azure AD principal (user, group, or application) for a specific vault. Permissions include get, list, set, delete, backup, restore, and cryptographic operations.
Pricing Tiers
Key Vault offers two tiers:
Standard: Secrets, keys, and certificates are protected using software-based encryption. Suitable for most production workloads.
Premium: Keys are protected by hardware security modules (HSMs) that are FIPS 140-2 Level 2 validated. Offers higher assurance for sensitive keys. Premium tier also supports HSM-protected keys for Azure Disk Encryption and SQL Server TDE.
Both tiers include operations (e.g., get, set) that are billed per 10,000 transactions. There is also a monthly fee per vault, with the first 1 million transactions per month free for Standard tier.
Comparison to On-Premises Equivalent
In an on-premises environment, secrets are often stored in configuration files, Windows Credential Manager, or a dedicated secrets management appliance (e.g., HashiCorp Vault). Key Vault provides a similar function but with Azure’s built-in high availability, automatic replication (within the region), and integration with other Azure services. On-premises solutions require manual setup of redundancy, backup, and hardware security modules. Key Vault also eliminates the need to manage the underlying infrastructure, patching, and scaling. However, if you have a strict requirement for on-premises secret storage, you can use Azure Key Vault Managed HSM (a standalone HSM) or hybrid scenarios with Azure Arc.
Azure Portal and CLI Touchpoints
Azure Portal:
Navigate to "Key Vaults" and click "Create".
Configure basics: subscription, resource group, vault name, region, pricing tier.
Set access policies: choose RBAC or vault access policy.
Add secrets, keys, or certificates under the "Objects" blade.
Monitor logs and metrics under "Monitoring".
Azure CLI:
# Create a resource group
az group create --name MyResourceGroup --location eastus
# Create a Key Vault
az keyvault create --name MyVault --resource-group MyResourceGroup --location eastus
# Add a secret
az keyvault secret set --vault-name MyVault --name MySecret --value "MySecretValue"
# Retrieve a secret
az keyvault secret show --vault-name MyVault --name MySecretPowerShell:
New-AzKeyVault -VaultName 'MyVault' -ResourceGroupName 'MyResourceGroup' -Location 'EastUS'
Set-AzKeyVaultSecret -VaultName 'MyVault' -Name 'MySecret' -SecretValue (ConvertTo-SecureString 'MySecretValue' -AsPlainText -Force)
Get-AzKeyVaultSecret -VaultName 'MyVault' -Name 'MySecret' -AsPlainTextARM/Bicep Example:
resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {
name: 'myVault'
location: resourceGroup().location
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: subscription().tenantId
accessPolicies: []
enableSoftDelete: true
enablePurgeProtection: true
}
}Key Vault also integrates with Azure Policy to enforce compliance (e.g., require soft-delete).
Create a Key Vault
Navigate to the Azure portal, select 'Create a resource', search for 'Key Vault', and click 'Create'. Fill in the subscription, resource group, vault name (must be globally unique), region, and pricing tier (Standard or Premium). You can also enable soft-delete and purge protection for recovery. Once created, the vault has a DNS name like `https://<vault-name>.vault.azure.net/`. Behind the scenes, Azure provisions a secure, isolated storage container backed by Azure AD for authentication. The vault is automatically replicated within the region for high availability. You can also create a vault using Azure CLI: `az keyvault create --name MyVault --resource-group MyRG --location eastus --sku standard`.
Configure Access Policies
After creating the vault, you must grant permissions to users, groups, or applications. In the portal, go to the vault's 'Access policies' blade and click 'Add Access Policy'. Select the principal (an Azure AD identity) and assign permissions for secrets, keys, and certificates (e.g., Get, List, Set, Delete). You can use the predefined templates (e.g., 'Secret Management') or custom permissions. Alternatively, you can use Azure RBAC roles like 'Key Vault Secrets User' (read-only) or 'Key Vault Secrets Officer' (full control). The vault's access policy is evaluated at runtime: when an identity requests a secret, the vault checks the policy and the identity's token. If not authorized, the request fails with a 403 Forbidden. It is a best practice to use RBAC for broad permissions and vault access policies for fine-grained control.
Store a Secret
In the portal, under the vault's 'Secrets' blade, click 'Generate/Import'. Enter a name (e.g., 'DbConnectionString') and the value (e.g., 'Server=myServer;Database=myDB;...'). Optionally, set a content type, activation date, and expiration date. The secret is encrypted at rest using the vault's encryption key. You can also upload a secret as a file (e.g., a certificate .pfx). Using CLI: `az keyvault secret set --vault-name MyVault --name MySecret --value "MyValue"`. The vault stores the secret as a versioned object. Each time you update the secret, a new version is created. You can set a maximum number of versions (default 0 = unlimited). Secrets are not retrievable in plain text from the portal after creation for security reasons; you must use the CLI or SDK.
Retrieve a Secret from an Application
An application (e.g., a web app running on Azure App Service) needs to access the secret without hardcoding it. First, the app must have an identity in Azure AD—either a managed identity (recommended) or a service principal. For a managed identity, enable it on the App Service (under 'Identity' blade). Then grant the managed identity access to the vault via an access policy. At runtime, the app uses the Azure Identity SDK (e.g., `DefaultAzureCredential`) to authenticate and obtain a token. Then it calls `KeyVaultSecretClient.GetSecretAsync(secretName)`. The SDK handles token caching and retries. The vault returns the secret value only if the identity has 'Get' permission. This way, the secret never appears in configuration files or environment variables. For local development, you can use `AzureCliCredential` or `VisualStudioCredential`.
Monitor and Rotate Secrets
Key Vault logs all access to secrets, keys, and certificates. You can enable diagnostics settings to send logs to a Log Analytics workspace, Storage Account, or Event Hub. Use Azure Monitor to set alerts on failed access attempts (e.g., 401 or 403 errors). For secret rotation, you can manually create a new version and update applications. For automated rotation, use Azure Automation with a runbook that updates the secret and triggers a webhook. Key Vault also supports certificate auto-renewal if integrated with a certificate authority (e.g., DigiCert). The 'Key Vault Contributor' role allows managing vaults but not accessing secrets. Always enable soft-delete and purge protection to prevent accidental or malicious permanent deletion. Soft-delete retains deleted objects for a configurable retention period (default 90 days).
Scenario 1: E-commerce Application with Database Credentials
A retail company runs an e-commerce application on Azure App Service that connects to an Azure SQL Database. Previously, the database connection string was stored in the appsettings.json file, which was checked into a private GitHub repository. A developer accidentally made the repo public for a few minutes, exposing the credentials. To fix this, the team moves the connection string to Azure Key Vault. They enable a system-assigned managed identity on the App Service and grant it 'Get' and 'List' permissions on the vault. The application code is updated to use DefaultAzureCredential and SecretClient to retrieve the connection string at startup. The vault is configured with soft-delete and purge protection. The team also sets up a log analytics workspace to monitor access. Now, even if the source code is exposed, the actual credentials remain secure. The operations team can rotate the database password without redeploying the app—they just update the secret in Key Vault, and the app fetches the new value on the next restart. Cost is minimal: the Standard tier vault costs a few dollars per month plus transaction fees.
Scenario 2: Certificate Management for HTTPS
A financial services company needs to secure multiple web applications with SSL/TLS certificates. They previously purchased certificates from a third-party CA and manually installed them on each VM, which was error-prone and led to expired certificates causing outages. They migrate to Azure Key Vault for certificate management. They create a Premium tier vault to store the certificate (which includes a private key) and use the vault's auto-renewal feature with a trusted CA. The web applications are configured to pull the certificate from the vault using the Key Vault certificate binding in Azure App Service or Application Gateway. The vault logs all certificate operations, and alerts are set for upcoming expiration. The company saves time and avoids outages. The Premium tier is necessary because the certificate's private key must be HSM-protected per compliance requirements.
Scenario 3: Encryption Key Management for Azure Storage
A healthcare organization stores sensitive patient data in Azure Blob Storage. They are required to use customer-managed encryption keys for compliance. They create a Key Vault (Premium tier) and generate an RSA key. They then configure the storage account to use the key from Key Vault for encryption (Azure Storage Service Encryption with customer-managed keys). The storage account accesses the key via a managed identity. The organization can rotate the key manually or set up automated rotation. If the key is disabled or deleted, the storage account becomes inaccessible, providing a kill-switch capability. This setup ensures that even Microsoft cannot access the encrypted data without the key. The cost includes the vault fee and per-operation charges for key wrap/unwrap operations.
Common Pitfalls: When Key Vault is misconfigured (e.g., access policies too permissive, soft-delete disabled), secrets can be exposed or permanently lost. For example, if a vault is deleted without soft-delete, all secrets are gone forever. If RBAC is used but the wrong role is assigned (e.g., 'Owner' instead of 'Key Vault Secrets User'), a user might have unintended write access. Always follow the principle of least privilege.
Objective 2.5: Describe identity, governance, privacy, and compliance features
On the AZ-900 exam, Key Vault is tested primarily under the topic of 'security' and 'compliance'. You need to understand:
What Key Vault is used for (storing secrets, keys, certificates).
The difference between Standard and Premium tiers (HSM protection).
How access is controlled (Azure AD authentication, RBAC, or vault access policies).
Key Vault's role in Azure security best practices (e.g., never store secrets in code).
Common Wrong Answers and Why Candidates Choose Them: 1. "Key Vault is used to store virtual machine passwords." – While technically true, the exam emphasizes that Key Vault stores *secrets* like passwords, but it is not limited to VMs. Candidates often choose this because they recall using Key Vault for VM admin passwords, but the broader use case is for any secret. 2. "Key Vault provides identity management." – This is false. Key Vault relies on Azure AD for identity management; it does not manage identities itself. Candidates confuse Key Vault with Azure AD. 3. "Key Vault automatically rotates all secrets." – Key Vault supports manual rotation and can be integrated with Azure Automation for automatic rotation, but it does not rotate secrets by default. Candidates assume automation is built-in. 4. "Key Vault is only for encryption keys." – While keys are a key (pun intended) feature, Key Vault also stores secrets and certificates. Candidates may focus only on the name 'Key' Vault.
Specific Terms and Values: - Soft-delete retention period: 90 days (default). - Premium tier uses HSM (Hardware Security Module) – FIPS 140-2 Level 2. - Vault access policies can be assigned to users, groups, and service principals. - Key Vault supports both software-protected and HSM-protected keys.
Edge Cases and Tricky Distinctions: - The exam may ask whether Key Vault can be used to store connection strings for Azure SQL Database. Yes, it is a common use case. - It may ask if Key Vault can be used to store certificates for Azure Application Gateway. Yes. - It may compare Key Vault with Azure Information Protection (AIP). Key Vault stores secrets; AIP classifies and protects documents. - It may ask about backup/restore of secrets: Key Vault supports backup and restore of secrets, keys, and certificates as a blob file.
Memory Trick: "SKC" – Secrets, Keys, Certificates. Remember that Key Vault stores all three. If the question mentions any of these, think Key Vault.
Decision Tree for Eliminating Wrong Answers: 1. Is the question about storing sensitive data? -> Key Vault. 2. Is it about identity or authentication? -> Azure AD, not Key Vault. 3. Is it about encrypting data at rest? -> Key Vault can provide the key, but the encryption itself is done by another service (e.g., Azure Storage). 4. Is it about managing certificates? -> Key Vault (but also Azure App Service Certificate). Know that Key Vault can store and manage certificates.
Azure Key Vault is a cloud service for securely storing and managing secrets, encryption keys, and certificates.
Key Vault offers two tiers: Standard (software-protected) and Premium (HSM-protected, FIPS 140-2 Level 2).
Access to Key Vault is controlled via Azure AD authentication and either RBAC or vault access policies.
Key Vault supports soft-delete (default retention 90 days) and purge protection to prevent permanent data loss.
Never store secrets in code or configuration files; always use Key Vault for sensitive data.
Key Vault integrates with many Azure services (e.g., App Service, Azure SQL, Azure Storage) for transparent secret management.
Key Vault does NOT provide identity management; it relies on Azure AD for authentication.
The first 1 million transactions per month are free for the Standard tier.
These come up on the exam all the time. Here's how to tell them apart.
Azure Key Vault
Stores secrets (passwords, keys, certificates) with encryption at rest.
Access controlled via Azure AD and vault access policies.
Supports HSM-protected keys (Premium tier).
Auditing via Azure Monitor and diagnostics logs.
Ideal for highly sensitive data like database credentials.
Azure App Configuration
Stores application configuration settings (key-value pairs) with optional encryption.
Access controlled via Azure AD and RBAC.
Does not use HSMs; encryption is Azure-managed.
Supports feature flags and dynamic configuration refresh.
Ideal for non-sensitive configuration like URLs, feature toggles.
Mistake
Key Vault automatically rotates all secrets on a schedule.
Correct
Key Vault does not automatically rotate secrets by default. You must manually create a new version or use Azure Automation to implement rotation. However, Key Vault does support automatic certificate renewal if integrated with a certificate authority.
Mistake
Key Vault stores virtual machine passwords securely, but it cannot store database connection strings.
Correct
Key Vault can store any secret, including database connection strings, API keys, passwords, and certificates. It is a general-purpose secret store.
Mistake
Once a secret is stored in Key Vault, it cannot be retrieved in plain text.
Correct
Authorized users/applications can retrieve the secret value in plain text via the API or CLI. The portal hides the value by default but allows authorized users to view it. The secret is encrypted at rest but decrypted on retrieval for authorized callers.
Mistake
Key Vault is only available in the Premium tier.
Correct
Key Vault offers both Standard (software-protected) and Premium (HSM-protected) tiers. The Standard tier is suitable for most use cases and is free for the first 1 million transactions per month.
Mistake
Key Vault provides identity and access management (IAM) like Azure AD.
Correct
Key Vault relies on Azure AD for authentication and authorization. It does not manage identities itself. Access policies are defined in Key Vault but are based on Azure AD principals.
The Standard tier protects keys with software-based encryption, while the Premium tier uses hardware security modules (HSMs) that are FIPS 140-2 Level 2 validated. Premium is required for compliance scenarios where keys must be stored in dedicated hardware. Both tiers store secrets and certificates with encryption. The Premium tier costs more per vault and per operation. For AZ-900, remember that Premium offers HSM protection.
Yes, you can store any sensitive string as a secret in Key Vault, including database connection strings. The secret is encrypted at rest and can be retrieved by authorized applications at runtime. This is a common practice to avoid hardcoding credentials in configuration files.
The App Service must have a managed identity (system-assigned or user-assigned) enabled. Grant that identity 'Get' permission in the Key Vault access policy. Then, in the application code, use the Azure Identity SDK (e.g., `DefaultAzureCredential`) to authenticate and retrieve the secret via the Key Vault client library. No connection string is stored in the app's settings.
If soft-delete is not enabled, the vault and all its contents are permanently deleted immediately. There is no recovery option. Microsoft recommends always enabling soft-delete and purge protection to allow recovery within the retention period (default 90 days). On the exam, know that soft-delete is a data protection feature.
Key Vault itself does not automatically renew certificates, but it can be integrated with a certificate authority (CA) like DigiCert or GlobalSign. When you create a certificate in Key Vault, you can specify a CA and set an auto-renewal threshold (e.g., 80% of lifetime). Key Vault will then automatically renew the certificate before expiration. This is a premium feature for some CAs.
Yes, Azure Disk Encryption (ADE) can use Key Vault to store the encryption keys that protect OS and data disks of Azure VMs. You can use either a key encryption key (KEK) stored in Key Vault or a secret (the BitLocker/DM-Crypt key). This integrates with Azure Key Vault's access policies and auditing.
Azure Key Vault stores and manages secrets, keys, and certificates with access control and auditing. Azure Information Protection (AIP) is a classification and labeling solution that protects documents and emails by applying policies (e.g., encryption, watermarking). AIP does not store secrets; it classifies data. They are separate services.
You've just covered Azure Key Vault — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?