This chapter covers Microsoft Defender for Key Vault, a cloud-native security solution that provides advanced threat protection for Azure Key Vault. Defender for Key Vault is part of Microsoft Defender for Cloud's workload protection plans and is essential for securing secrets, keys, and certificates stored in Azure Key Vault. On the SC-200 exam, this topic appears in Domain 3 (Cloud Security) under Objective 3.1 (Plan and implement a security operations strategy for cloud workloads), and typically accounts for 5-10% of questions. You will be tested on how to enable, configure, and interpret alerts from Defender for Key Vault, as well as how it integrates with Microsoft Sentinel and Microsoft 365 Defender.
Microsoft Defender for Key Vault acts like a security guard watching a hotel's safe deposit room. Each guest (application or user) keeps valuables (keys, secrets, certificates) in a numbered box (a Key Vault). Nobody just walks in and opens a box: the door needs a key card (Azure AD authentication) and the front desk's list of who may open which box (RBAC or access policies). The hotel itself writes every visit into a ledger (Key Vault's own audit telemetry), successful or not. The guard (Defender for Key Vault) reads that ledger as it is written and learns what normal looks like for each guest: who visits, from where, at what hours, how many boxes they open. When a guest opens far more boxes than usual, an accounting clerk suddenly opens the box that holds production certificates, or someone arrives from an address the hotel has flagged as criminal, the guard alerts the manager (security team) with a report of who, from where, and what they touched. The guard never locks the door or confiscates a key card; that is the front desk's job. The monitoring is always on, needs no change to how guests use their boxes, and hands the manager the evidence needed to decide whether to revoke a card.
What is Microsoft Defender for Key Vault?
Microsoft Defender for Key Vault is a cloud-native security solution that provides advanced threat protection for Azure Key Vault. It is part of Microsoft Defender for Cloud's workload protection plans (previously Azure Security Center's advanced threat protection). Defender for Key Vault monitors access patterns and operations on your key vaults to detect suspicious and potentially malicious activities. It uses machine learning and behavioral analytics to identify threats such as unauthorized access, credential theft, and insider threats.
Why It Exists
Azure Key Vault is a critical service for storing and managing cryptographic keys, secrets (like connection strings and passwords), and certificates. If a key vault is compromised, an attacker can gain access to encrypted data, impersonate applications, or escalate privileges. Traditional security monitoring often fails to detect subtle attacks that involve legitimate but anomalous access patterns. Defender for Key Vault fills this gap by providing continuous monitoring and alerting for suspicious activities without requiring any changes to your key vault configuration.
How It Works Internally
Defender for Key Vault analyzes Azure Key Vault's own operation telemetry on the platform side: the same per-request events that surface as the AuditEvent log category when you configure diagnostic settings. It does not read your diagnostic settings, storage account, or Log Analytics workspace, so it protects vaults that have no diagnostic settings at all. When you enable the plan on a subscription it covers every existing and new key vault in that subscription. The signals it works from:
Per-operation audit telemetry: every data-plane operation on keys, secrets, certificates and managed storage account keys (get, list, set, delete, backup, restore, sign, decrypt, and so on), with the result code, caller IP address, user agent, timestamp, and the identity presented in the bearer token.
Identity context: whether the caller was a user (UPN and object ID), a service principal, or a managed identity is taken from the token claims recorded with the request, not from Azure AD (Microsoft Entra ID) sign-in logs. This is what lets the service baseline users, applications, and user-application pairs separately.
Microsoft threat intelligence: known malicious IP addresses, Tor exit nodes, and other anonymizing infrastructure are matched against the caller IP. These alerts do not depend on any learned baseline.
The analysis runs in near real time (alerts normally surface within minutes of the operation) and applies models trained on Azure-wide telemetry. The models learn a per-vault baseline: which identities access it, from which IPs and locations, at what times, how many operations per period and of which types. A deviation from that baseline, or a match against threat intelligence, raises an alert. Microsoft does not publish the model parameters or statistical thresholds.
Key Components, Values, Defaults, and Timers
Enabling Defender for Key Vault:
You enable Defender for Key Vault at the subscription level in Microsoft Defender for Cloud. It can also be enabled via Azure Policy.
Default: Disabled. You must explicitly enable it.
Cost: Billed per transaction (list price roughly $0.02 per 10,000 Key Vault transactions at the time of writing); a per-vault sub-plan is also offered. There is no minimum charge in the per-transaction model. Prices change; check the Defender for Cloud pricing page before budgeting.
Alert Types: Defender for Key Vault generates alerts in the following families (the names below follow the documented alert reference):
- Access from a suspicious or anonymizing IP: e.g., a known malicious IP address or a Tor exit node, whether the request succeeded or was denied.
- Unusual caller: a user, an application, or a user-application pair that has not accessed the vault before.
- High volume of operations: far more operations against a vault, or one user touching far more vaults, than the baseline shows.
- Suspicious secret listing and query: a secret list operation followed by reads of many of the listed secrets (the credential-dumping pattern).
- Suspicious policy change and secret query: an access-policy change followed immediately by secret reads (the privilege-escalation pattern).
- Unusual access denied: repeated denied requests from an unusual user or IP, or one user denied across a high number of vaults.
Alert Severity: Alerts are classified as High, Medium, or Low. In Defender for Cloud, severity expresses Microsoft's confidence that the resource is compromised together with the likely impact: High means a high probability of compromise and should be triaged immediately; Medium means the activity is probably suspicious and needs a human decision; Low means a likely benign positive or a blocked attempt. High is not "confirmed": every alert still needs triage.
Integration with Microsoft Sentinel: Defender for Key Vault alerts can be streamed to Microsoft Sentinel for advanced investigation and automation. Sentinel provides built-in analytics rules and workbooks for Key Vault monitoring.
Integration with Microsoft 365 Defender: Alerts are correlated with other signals in Microsoft 365 Defender, providing a unified incident view. For example, a Key Vault alert might be linked to a user compromise detected by Microsoft Defender for Identity.
Configuration and Verification Commands
Enable Defender for Key Vault using Azure CLI:
az security pricing create --name 'KeyVaults' --tier 'Standard'
(The option is --tier, not --pricing-tier. Add --subplan to choose between per-transaction and per-vault billing; az security pricing create --help lists the sub-plan names.)
Check if Defender for Key Vault is enabled:
az security pricing show --name 'KeyVaults'
The output should show "pricingTier": "Standard".
Enable using PowerShell:
Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'
View alerts in Azure portal: Navigate to Microsoft Defender for Cloud > Security alerts. Filter by resource type 'Key Vault'.
Configure diagnostic settings for Key Vault audit logs (not required for detection, but required if you want AuditEvent rows in a workspace to investigate against and retain; <keyvault-id> and <workspace-id> are full Azure resource IDs):
az monitor diagnostic-settings create --name 'kv-diagnostics' --resource <keyvault-id> --logs '[{"category":"AuditEvent","enabled":true}]' --workspace <workspace-id>
Interaction with Related Technologies
Azure Key Vault: Defender for Key Vault does not modify Key Vault behavior or configuration; it only consumes the vault's audit telemetry.
Microsoft Defender for Cloud: The central console for managing all Defender plans, including Key Vault.
Microsoft Sentinel: Can ingest Key Vault alerts and logs for SIEM-style analysis.
Microsoft 365 Defender: Alerts appear in the unified incidents queue.
Azure Policy: Can enforce enabling Defender for Key Vault on all subscriptions.
Step-by-Step Mechanism of Alert Generation
A user or application performs a data-plane operation on a key vault, e.g., GetSecret (logged as SecretGet).
Azure Key Vault records the operation in its platform telemetry. If a diagnostic setting exists, the same event is also emitted as an AuditEvent row to the configured Log Analytics workspace, storage account, or event hub; that copy is for your investigations and retention, not for Defender.
Defender for Key Vault evaluates the event, normally within minutes (Microsoft publishes no fixed latency).
Threat-intelligence checks (suspicious IP, Tor exit node) run on every event. Behavioral checks compare the operation against the learned baseline for that vault and caller.
If the operation is anomalous or matches threat intelligence, an alert is generated with details: alert name, description, severity, affected resources, evidence, and recommended actions.
The alert appears in Defender for Cloud and, if integrated, in Microsoft Sentinel and Microsoft 365 Defender.
Security analysts investigate the alert using the provided evidence (caller identity, IP address, user agent, operation count, time window), pivoting into the vault's AuditEvent records where a diagnostic setting has captured them.
Important Defaults and Thresholds
Alert generation latency: typically minutes after the operation. No fixed figure is published, so do not build response runbooks around a specific number.
Baseline learning period: Microsoft does not publish a fixed learning window. Expect behavioral alerts (unusual user, unusual application, high volume) to be noisier during roughly the first week while the service sees the vault's normal traffic; threat-intelligence alerts are accurate from the moment the plan is enabled.
Threshold for 'High volume of operations': not published. The service compares against the vault's own history, so a vault that normally serves ten reads an hour and one that serves ten thousand are judged on different scales.
Retention of logs: Defender alerts are stored by Defender for Cloud independently of your diagnostic settings (use continuous export or Sentinel if you need them longer). AuditEvent rows are retained only where your diagnostic settings send them, e.g., a Log Analytics workspace's interactive retention (30 days by default, configurable per workspace and per table).
Exam-Relevant Details
Defender for Key Vault is a subscription-level plan, not per vault.
It does not require any agent or configuration changes on the key vault.
It monitors operations on all object types: keys, secrets, certificates, and managed storage account keys.
Alerts are actionable with recommended remediation steps.
It can detect access from Tor exit nodes and anonymous IP addresses.
Common exam trap: Candidates assume Defender for Key Vault needs diagnostic settings (the AuditEvent category) turned on before it can see anything. It does not: it reads Key Vault's platform telemetry directly, and enabling the plan does not create diagnostic settings for you either. Diagnostic settings matter for a different reason: without them you have no AuditEvent rows in a workspace to investigate an alert against and nothing to keep for compliance retention, so in practice you configure both.
Summary of the Mechanism
Defender for Key Vault is a passive monitoring system that analyzes audit logs using machine learning to detect anomalies. It does not block or modify operations; it only alerts. This is a key distinction from other security controls like Azure Policy or Key Vault firewall. The exam often tests whether you understand that Defender for Key Vault is a detection tool, not a prevention tool.
Enable Defender for Key Vault
Navigate to Microsoft Defender for Cloud in the Azure portal. Under 'Environment settings', select your subscription. Under 'Defender plans', find 'Key Vaults' and toggle it to 'On'. Alternatively, use Azure CLI or PowerShell as shown above. Once enabled, it applies to all existing and new key vaults in the subscription. There is no per-vault configuration. The plan incurs costs based on the number of operations (or per vault, depending on the sub-plan). After enabling, threat-intelligence based alerts (suspicious IP, Tor exit node) apply immediately; behavior based alerts become more reliable as the service observes the vault's normal traffic.
Audit Log Generation
Every data-plane operation on a key vault is recorded by the service: read, write, delete, list, backup, restore, and import operations, plus cryptographic operations such as sign, wrap, and decrypt. When a diagnostic setting routes the AuditEvent category to a destination, each record arrives with fields such as OperationName (e.g., SecretGet), ResultType and ResultSignature (e.g., Success / OK, or Forbidden), CallerIPAddress, the identity claims (UPN, object ID, or application ID), the client user agent, and TimeGenerated. These records are not sent anywhere by default: there is no built-in workspace for Key Vault logs, and Defender does not need them. Configure a diagnostic setting per vault (or enforce one with Azure Policy) if you want them for investigation and retention.
Log Ingestion and Analysis
Defender for Key Vault evaluates each operation from Key Vault's platform telemetry, not from your Log Analytics workspace, typically within minutes. Machine learning models compare the operation against the established baseline for the vault and the caller. The baseline includes: typical access times, geographic locations, IP address ranges, frequency of operations, and types of operations. A deviation beyond the model's threshold (which Microsoft does not publish) triggers an alert; a threat-intelligence match such as a Tor exit node triggers one regardless of baseline.
Alert Generation and Prioritization
When an anomaly or a threat-intelligence match is detected, an alert is created in Defender for Cloud with a severity level. High severity indicates a high probability that the vault or caller is compromised (e.g., access from a known malicious IP or Tor exit node, or an access-policy change followed immediately by secret reads). Medium severity indicates suspicious activity that needs a human decision (e.g., an unusual volume of secret reads, or a user or application that has never accessed the vault before). Low severity indicates a likely benign positive or a blocked attempt (e.g., repeated denied requests from an unusual IP). Each alert includes a description, affected resources, evidence (IP, user, operation count), and recommended actions such as 'Review recent access logs' or 'Revoke suspicious access permissions'.
Investigation and Response
Security analysts investigate alerts in Defender for Cloud or through Microsoft Sentinel and Microsoft 365 Defender. The alert carries the caller identity, caller IP, user agent, time window, and operation counts; pivot on those in the vault's AuditEvent records in Log Analytics (available only if a diagnostic setting routes them there) and in the Azure AD sign-in logs for the same identity. Decide whether the activity was legitimate (a new employee reading secrets for the first time, a redeployed service) or malicious (a stolen token or credential). Response actions include disabling the user or service principal, removing its role assignment or access policy, rotating every secret and certificate it could have read, and tightening the vault firewall or private endpoint. For automated response, Defender for Cloud workflow automation or Sentinel playbooks can trigger Azure Logic Apps.
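The baseline-and-deviation mechanism described under 'Step-by-Step Mechanism of Alert Generation' and the evidence an analyst pivots on under 'Investigation and Response' can be seen end to end in the following added example. It is my own toy reconstruction, not Microsoft's model and not code from this page. It parses constructed JSON-lines rows shaped like AuditEvent records exported from Log Analytics, learns a per-vault baseline from seven quiet days, then scores a later hour. The rule names mirror documented alert families; the thresholds, the severities, and the single assumed 'caller' column (standing in for the identity claim columns) are this example's own assumptions.

```python
import json
from collections import Counter, defaultdict

# ---- Constructed sample telemetry (not real data) -----------------------------
# Rows mimic a JSON-lines export of Key Vault AuditEvent records from Log
# Analytics. Only the columns used here are kept, and the single "caller" column
# is an assumption standing in for identity_claim_upn_s / identity_claim_appid_g.
def _row(ts, op, result, ip, caller, vault="KV-PROD-PAYMENTS"):
    return json.dumps({"TimeGenerated": ts, "Resource": vault, "OperationName": op,
                       "ResultType": result, "CallerIPAddress": ip, "caller": caller})

# Seven quiet days: orders-svc reads four secrets at 06:00 from a private IP,
# and an admin lists the vault once a day.
BASELINE_EXPORT = "\n".join(
    [_row(f"2025-03-0{d}T06:{m:02d}:00Z", "SecretGet", "Success", "10.1.4.20", "orders-svc")
     for d in range(1, 8) for m in range(4)]
    + [_row(f"2025-03-0{d}T09:00:00Z", "SecretList", "Success", "10.1.4.50", "ops-admin@contoso.com")
       for d in range(1, 8)])

# One later hour containing three deviations from that baseline.
RECENT_EXPORT = "\n".join(
    [_row(f"2025-03-09T02:{m:02d}:00Z", "SecretGet", "Success", "10.1.4.20", "orders-svc")
     for m in range(40)]                                      # 10x the usual burst
    + [_row("2025-03-09T02:10:00Z", "SecretList", "Success", "203.0.113.7", "alice@contoso.com")]
    + [_row(f"2025-03-09T02:1{m}:00Z", "SecretGet", "Success", "203.0.113.7", "alice@contoso.com")
       for m in range(1, 7)]                                  # never-seen user: list, then read
    + [_row(f"2025-03-09T02:3{m}:00Z", "SecretGet", "Forbidden", "198.51.100.9", "")
       for m in range(6)])                                    # denied burst from an unknown IP


def parse_audit_rows(text):
    """Parse JSON-lines AuditEvent rows into the handful of fields the detector uses."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            d = json.loads(line)
            rows.append({"ts": d["TimeGenerated"], "vault": d["Resource"],
                         "op": d["OperationName"], "result": d["ResultType"],
                         "ip": d["CallerIPAddress"], "caller": d["caller"] or "<anonymous>"})
    return rows


def build_baseline(rows):
    """Learn 'normal' per vault from successful operations only: known callers,
    IPs that have succeeded against the vault, and each caller's busiest hour."""
    callers, ips, hourly = defaultdict(set), defaultdict(set), Counter()
    for r in rows:
        if r["result"] != "Success":
            continue
        callers[r["vault"]].add(r["caller"])
        ips[r["vault"]].add(r["ip"])
        hourly[(r["vault"], r["caller"], r["ts"][:13])] += 1      # hour bucket
    peak = Counter()
    for (vault, caller, _), n in hourly.items():
        peak[(vault, caller)] = max(peak[(vault, caller)], n)
    return {"callers": callers, "ips": ips, "peak": peak}


def detect(baseline, rows, volume_factor=5, min_volume=10, denied_threshold=5):
    """Score a window of rows against the baseline and return alert-shaped findings.
    Rule names mirror documented Defender for Key Vault alert families; the
    thresholds and severities are this example's own (Microsoft publishes neither)."""
    findings, by_caller, denied = [], defaultdict(list), defaultdict(Counter)
    for r in rows:
        if r["result"] == "Success":
            by_caller[(r["vault"], r["caller"])].append(r)
        else:
            denied[r["vault"]][r["ip"]] += 1
    for (vault, caller), ops in by_caller.items():
        busiest = max(Counter(o["ts"][:13] for o in ops).values())
        ev = {"vault": vault, "caller": caller, "ips": sorted({o["ip"] for o in ops}),
              "operations": len(ops), "peak_ops_per_hour": busiest}
        if caller not in baseline["callers"].get(vault, set()):
            findings.append({"alert": "Unusual user/application accessed a key vault",
                             "severity": "Medium", "evidence": ev})
        if busiest > max(volume_factor * baseline["peak"].get((vault, caller), 0), min_volume):
            findings.append({"alert": "High volume of operations in a key vault",
                             "severity": "Medium", "evidence": ev})
        names = [o["op"] for o in ops]
        if "SecretList" in names and names.count("SecretGet") >= 5:
            findings.append({"alert": "Suspicious secret listing and query in a key vault",
                             "severity": "High", "evidence": ev})
    for vault, per_ip in denied.items():
        for ip, n in per_ip.items():
            if n >= denied_threshold and ip not in baseline["ips"].get(vault, set()):
                findings.append({"alert": "Unusual access denied to a key vault", "severity": "Low",
                                 "evidence": {"vault": vault, "ip": ip, "failures": n}})
    return findings


def run_example():
    """Learn from the quiet week, then score the suspicious hour."""
    baseline = build_baseline(parse_audit_rows(BASELINE_EXPORT))
    return detect(baseline, parse_audit_rows(RECENT_EXPORT))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['severity']:6} {f['alert']}: {f['evidence']}")
```

Run it and the three deviations come back as four findings: the 40-read burst from the known service principal, the never-seen user, that user's list-then-read pattern, and the denied burst from an unknown IP. Scoring the baseline window against itself returns nothing, which is the sanity check to run before trusting any threshold: a detector that flags its own training data is mis-tuned. Real AuditEvent rows carry the identity in identity_claim_upn_s and identity_claim_appid_g rather than one column, and the evidence dictionary is the same set of fields (caller, IPs, counts, time bucket) you would pivot on in Log Analytics when triaging the real alert.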
Scenario 1: E-commerce Platform Secret Rotation
A large e-commerce company uses Azure Key Vault to store database connection strings, API keys for payment gateways, and TLS certificates. They have hundreds of microservices that retrieve secrets on startup. After enabling Defender for Key Vault, they received a Medium severity alert indicating that a service principal was reading 500 secrets in 10 minutes, which was 10x its normal rate. Investigation revealed that a developer had deployed a new version of a service that was misconfigured to read all secrets instead of just its own. The team was able to quickly identify and fix the issue, preventing potential performance degradation and accidental exposure. Without Defender for Key Vault, this anomaly would have gone unnoticed until a customer-facing incident occurred.
Scenario 2: Insider Threat Detection
A financial services firm had a disgruntled employee who attempted to exfiltrate secrets before leaving the company. The employee, who had legitimate access to a key vault containing production certificates, tried to download all certificates using a PowerShell script. Defender for Key Vault detected an unusual volume of certificate read operations from a specific user account, combined with access from an IP address outside the corporate network (the employee was working from home). A High severity alert was generated. The security team immediately revoked the user's access and initiated an incident response. The certificates were not compromised because the alert was generated early in the exfiltration attempt. The company later implemented a policy to require approval for bulk secret exports.
Scenario 3: Compromised Managed Identity
A SaaS provider uses managed identities for their Azure functions to access Key Vault. An attacker compromised a CI/CD pipeline, obtained a token for the managed identity, and used it to read secrets. Defender for Key Vault detected that the managed identity was accessing secrets from an unusual IP address (the attacker's machine) and at an unusual time (3 AM UTC). The alert was correlated with other signals in Microsoft 365 Defender, which showed that the same IP had been involved in brute-force attacks against other services. The incident was escalated. Because a managed identity has no password or certificate to rotate, the response was to remove the identity's role assignment on the vault, rotate every secret it had read, and rebuild the compromised pipeline before restoring access. The attacker was blocked before the stolen secrets could be used against customer data.
Common Misconfigurations and Performance Considerations
Not configuring diagnostic settings: Defender for Key Vault does not need them, but there is no built-in or default workspace for Key Vault audit logs. Without a diagnostic setting routing AuditEvent to Log Analytics (or storage / event hub), you have no records to investigate an alert against and nothing for compliance retention. Set one per vault and use an Azure Policy DeployIfNotExists assignment so new vaults are covered automatically.
Ignoring the learning period: during roughly the first week after enabling, behavioral alerts may be noisy while the service learns what is normal. Do not disable the plan or ignore alerts in that period; triage them, and use Defender for Cloud alert suppression rules for patterns you have verified as legitimate. There is no model feedback mechanism; suppression rules are the tuning knob.
Scaling issues: Very high-throughput vaults (millions of operations per day) may generate a large number of alerts if baselines are not properly established. Consider using alert suppression rules for known legitimate patterns.
Not integrating with Sentinel: For enterprises with a SOC, not streaming alerts to Sentinel misses the opportunity for advanced correlation and automation.
What Goes Wrong When Misconfigured
False positives: If the baseline is not given enough time to learn, or if the vault has highly variable usage patterns, many false alerts can overwhelm the security team.
Missed detections: detection does not depend on your diagnostic settings, so a missing AuditEvent category does not silence Defender. What it costs you is evidence: an alert with no AuditEvent rows behind it is hard to scope. The real causes of missed detections are a subscription where the plan is not enabled, or alerts nobody is routed (no e-mail notifications, no Sentinel or Microsoft 365 Defender integration).
Alert fatigue: Without proper tuning, security teams may ignore alerts, leading to missed real threats.
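A practical check for the 'Not configuring diagnostic settings' misconfiguration above, as an added example (my own code, not from this page): given the JSON that az monitor diagnostic-settings list --resource <key-vault-id> returns, decide whether any setting actually delivers AuditEvent to a destination. The settings embedded below are constructed, not captured from a real subscription, and the resource IDs are placeholders; a weak metrics-only setting sits next to a correct one that routes the 'audit' category group to a workspace.

```python
import json

# Constructed samples shaped like the output of
#   az monitor diagnostic-settings list --resource <key-vault-resource-id>
# (not captured from a real subscription). Resource IDs are placeholders.
_LAW = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
        "/providers/Microsoft.OperationalInsights/workspaces/law-sec")
_STG = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
        "/providers/Microsoft.Storage/storageAccounts/kvmetrics")

METRICS_ONLY = {  # weak: AuditEvent is listed but disabled; only metrics flow
    "name": "metrics-only", "storageAccountId": _STG, "workspaceId": None,
    "eventHubAuthorizationRuleId": None,
    "logs": [{"category": "AuditEvent", "enabled": False}],
    "metrics": [{"category": "AllMetrics", "enabled": True}],
}
AUDIT_TO_WORKSPACE = {  # correct: the 'audit' category group covers AuditEvent
    "name": "kv-diagnostics", "storageAccountId": None, "workspaceId": _LAW,
    "eventHubAuthorizationRuleId": None,
    "logs": [{"categoryGroup": "audit", "enabled": True}],
    "metrics": [],
}
WEAK_ONLY_JSON = json.dumps([METRICS_ONLY])
SETTINGS_JSON = json.dumps([METRICS_ONLY, AUDIT_TO_WORKSPACE])

AUDIT_GROUPS = {"audit", "allLogs"}       # category groups that include AuditEvent
DESTINATIONS = {"workspaceId": "workspace", "storageAccountId": "storage",
                "eventHubAuthorizationRuleId": "eventhub",
                "marketplacePartnerId": "partner"}


def _as_list(doc):
    """Accept both shapes the CLI has used over time: a bare list or {"value": [...]}."""
    return doc["value"] if isinstance(doc, dict) else doc


def setting_ships_audit_events(setting):
    """Return (ok, destinations). ok is True only if AuditEvent is enabled, either
    directly or through a category group, AND at least one destination is set."""
    audit_on = any(
        entry.get("enabled")
        and (entry.get("category") == "AuditEvent" or entry.get("categoryGroup") in AUDIT_GROUPS)
        for entry in setting.get("logs") or []
    )
    dests = [label for field, label in DESTINATIONS.items() if setting.get(field)]
    return audit_on and bool(dests), dests


def audit_log_coverage(settings_json):
    """Summarise a vault's diagnostic settings: does any of them deliver AuditEvent?"""
    report = {"audit_enabled": False, "settings_with_audit": [], "destinations": []}
    for setting in _as_list(json.loads(settings_json)):
        ok, dests = setting_ships_audit_events(setting)
        if ok:
            report["audit_enabled"] = True
            report["settings_with_audit"].append(setting["name"])
            for d in dests:
                if d not in report["destinations"]:
                    report["destinations"].append(d)
    return report


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_ONLY_JSON), ("fixed", SETTINGS_JSON)):
        print(label, audit_log_coverage(doc))
```

The category-group form matters: a setting created in the portal with 'audit' or 'allLogs' has no literal AuditEvent entry, so a check that only greps for the category name reports a false negative. Feed the function the CLI output for every vault in a subscription (for example by looping over az keyvault list --query "[].id" -o tsv) to find the vaults that would leave you with no audit trail to investigate a Defender alert against.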
SC-200 Exam Focus: Objective 3.1 – Plan and implement a security operations strategy for cloud workloads
The SC-200 exam tests your ability to plan and implement threat detection solutions for cloud workloads. Defender for Key Vault is a specific workload protection plan within Microsoft Defender for Cloud. You will be asked about its capabilities, configuration, alert interpretation, and integration.
Specific Objective Codes
3.1.1: Plan and implement a security operations strategy for cloud workloads (includes selecting appropriate Defender plans).
3.1.2: Configure Microsoft Defender for Cloud workload protection plans.
3.1.3: Interpret and investigate security alerts from cloud workloads.
Most Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: "Defender for Key Vault requires an agent installed on the key vault." - Why chosen: Candidates confuse it with Defender for Servers, which requires an agent. In reality, Defender for Key Vault is agentless and uses audit logs.
2. Wrong answer: "Defender for Key Vault can block suspicious operations." - Why chosen: Candidates assume all security tools prevent attacks. In reality, Defender for Key Vault is a detection-only solution; it alerts but does not block.
3. Wrong answer: "You must enable diagnostic settings for each key vault before Defender for Key Vault can work." - Why chosen: Candidates know audit data is involved and assume Defender reads their diagnostic logs. In reality, Defender reads Key Vault's platform telemetry; diagnostic settings are neither required for detection nor created by the plan. You configure them for investigation and retention.
4. Wrong answer: "Defender for Key Vault only monitors secrets, not keys or certificates." - Why chosen: Candidates misunderstand the scope. In reality, it monitors all three types of objects.
Specific Numbers, Values, and Terms That Appear on the Exam
Alert severity levels: High, Medium, Low.
Baseline learning period: not published; expect noisier behavioral alerts for roughly the first week.
Alert latency: minutes, not seconds; no published figure.
Pricing tier name: 'Standard' (not 'Free' or 'Premium').
Azure CLI command: az security pricing create --name 'KeyVaults' --tier 'Standard'.
Alert families: suspicious or Tor IP access, unusual user / application / user-application pair, high volume of operations, suspicious secret listing and query, suspicious policy change followed by secret query, unusual access denied.
Edge Cases and Exceptions the Exam Loves to Test
What if a key vault is in a different subscription than the one where Defender for Key Vault is enabled? Answer: Defender for Key Vault is enabled per subscription. If the vault is in a subscription without the plan enabled, it is not monitored.
What if the key vault has firewall enabled? Answer: Defender for Key Vault still works because it monitors audit logs, which are generated regardless of the firewall. However, if the firewall blocks access, the audit log will show a failure, and Defender might generate an alert for repeated failed access attempts.
Can Defender for Key Vault monitor on-premises key vaults? Answer: No, it is specific to Azure Key Vault.
How to Eliminate Wrong Answers Using the Underlying Mechanism
Understand that Defender for Key Vault is a passive, telemetry-based detection system. Questions that imply active blocking, agent installation, or per-vault configuration are incorrect. It monitors all object types and is subscription-scoped. An answer that says detection 'requires manual setup of diagnostic logs' is wrong because Defender reads Key Vault's platform telemetry rather than your diagnostic logs; an answer that says the plan 'turns on diagnostic settings for you' is wrong too. Look for the option that describes detection and alerting with no modification to the vault.
Defender for Key Vault is a subscription-level, agentless threat detection solution that analyzes Azure Key Vault's platform telemetry using machine learning and Microsoft threat intelligence.
It does not depend on diagnostic settings and does not create them; configure AuditEvent diagnostic settings yourself for investigation and retention.
Alerts are generated for suspicious or Tor IP access, unusual users and applications, high operation volumes, secret listing-then-query patterns, suspicious access-policy changes followed by secret reads, and unusual access-denied bursts.
Behavioral alerts become more reliable as the service learns the vault's normal traffic; no fixed learning window is published.
Alerts typically surface within minutes of the operation; no fixed latency is published.
Defender for Key Vault integrates with Microsoft Defender for Cloud, Microsoft Sentinel, and Microsoft 365 Defender.
It does NOT block or modify operations; it is a detection-only tool.
These come up on the exam all the time. Here's how to tell them apart.
Defender for Key Vault
Detection-only: alerts on suspicious activity but does not block.
Agentless; uses the vault's own audit telemetry, no diagnostic settings required.
Monitors all operations (read, write, delete) on secrets, keys, certificates.
Uses machine learning to detect anomalies.
Generates alerts in Defender for Cloud and Sentinel.
Azure Key Vault Firewall and VNet Service Endpoints
Prevention: blocks unauthorized network traffic.
No agent required; works at network level.
Controls access based on IP address and VNet rules.
Static rules; no anomaly detection.
Does not generate security alerts; only denies or allows.
Mistake
Defender for Key Vault can prevent unauthorized access by blocking requests.
Correct
Defender for Key Vault is a detection-only solution. It does not block or modify requests; it only generates alerts. Blocking is done by Key Vault firewall rules, private endpoints, and RBAC or access policies; Azure Policy can enforce that those controls are configured but does not itself block requests.
Mistake
You must install an agent on each key vault to enable monitoring.
Correct
Defender for Key Vault is agentless. It works by analyzing audit logs that are automatically generated by Azure Key Vault. No software installation is required.
Mistake
Defender for Key Vault only monitors secret operations, not keys or certificates.
Correct
Defender for Key Vault monitors all operations on secrets, keys, certificates, and storage account keys. The alerts cover all object types.
Mistake
Enabling Defender for Key Vault on one subscription automatically protects key vaults in all subscriptions.
Correct
Defender for Key Vault is enabled per subscription. Each subscription must have the plan enabled separately to protect its key vaults.
Mistake
Defender for Key Vault requires you to configure diagnostic settings manually before it works.
Correct
Detection does not depend on diagnostic settings, and enabling the plan does not create them. Defender for Key Vault reads Key Vault's platform telemetry directly. Configure diagnostic settings for the AuditEvent category yourself when you want the records in a Log Analytics workspace (or storage account / event hub) for investigation and retention.
Enable it in Microsoft Defender for Cloud under 'Environment settings' > 'Defender plans' > 'Key Vaults'. Toggle to 'On'. You can also use Azure CLI: `az security pricing create --name 'KeyVaults' --tier 'Standard'`. It applies to all key vaults in the subscription. No additional configuration is needed for detection; diagnostic settings are a separate step for investigation and retention.
No. Defender for Key Vault works from the operation telemetry that Azure Key Vault already records on the platform side. You do not need to modify key vault settings, configure diagnostic settings, install agents, or change application code for detection to work.
Alerts include: 'Access from a TOR exit node to a key vault', 'Access from a suspicious IP address to a key vault', 'High volume of operations in a key vault', 'Unusual user accessed a key vault', 'Unusual application accessed a key vault', 'Suspicious secret listing and query in a key vault', 'Suspicious policy change and secret query in a key vault', and the 'Unusual access denied' alerts. Each alert has a severity (High, Medium, Low) and includes evidence like IP address, user identity, and operation details.
No. Defender for Key Vault is a detection tool. It alerts you to suspicious activity but does not block or deny access. To block access, use Key Vault firewall rules, VNet service endpoints or private endpoints, and tightly scoped RBAC roles or access policies; Azure Policy enforces that configuration but does not block requests itself.
Microsoft does not publish a fixed learning period. Behavioral alerts (unusual user, unusual application, high volume) may fire on legitimate activity while the service is still learning what is normal for the vault, roughly the first week; threat-intelligence alerts such as Tor exit node access are accurate immediately. Accuracy improves as normal traffic is observed.
Yes, keep them; they are what you will investigate with. But Defender for Key Vault does not consume your diagnostic settings, and enabling the plan does not set any up. Detection works either way; investigation and retention are what the diagnostic setting provides.
In Defender for Cloud, open the alert to see its description, severity, affected resource, the caller identity and IP, and the 'Take action' tab with mitigation steps. Pivot on the identity and IP in the vault's AuditEvent records in Azure Monitor / Log Analytics if a diagnostic setting routes them there. For advanced investigation, integrate with Microsoft Sentinel, which provides a Key Vault workbook and hunting queries.