This chapter covers Azure Key Vault, a core service for securely storing and managing secrets, encryption keys, and certificates in Microsoft Azure. Understanding Key Vault is essential for the SC-900 exam, as questions on this topic appear in roughly 10-15% of the Security Solutions domain (Objective 3.4). You will learn what Key Vault is, how it works internally, how to configure it, and common exam traps.
Jump to a section
Azure Key Vault is like a high-security bank vault with individual safety deposit boxes. The bank vault itself is made of reinforced steel, has multiple locks, and is monitored by guards (Azure security infrastructure). Each safety deposit box (a Key Vault) is inside the vault and can only be accessed by the person who rented it (the Azure subscription owner). The bank gives the renter two keys: one physical key (the vault's URI) and one authentication credential (the access policy). To store something, the renter goes to the bank, presents ID (Azure AD authentication), and places their item (secret, key, or certificate) into the box. To retrieve it, they again authenticate and use their key. Critically, the bank teller (Azure Key Vault service) never reveals the combination of the box to anyone else – even bank employees cannot open a box without the renter's permission. If the renter loses their key, they can request a new one through a formal process (key rotation or recovery), but the bank retains a backup copy (soft-delete and purge protection). The vault also has a log of every time the box was opened and by whom (diagnostic logging). This ensures that secrets remain confidential, access is controlled, and all operations are auditable – exactly how Key Vault works in the cloud.
What is Azure Key Vault?
Azure Key Vault is a cloud service that provides secure storage and management of sensitive information such as passwords, connection strings, API keys, encryption keys, and certificates. It helps organizations safeguard cryptographic keys and secrets used by cloud applications and services. Key Vault is part of Microsoft's security and compliance offerings and is designed to meet stringent compliance standards like FIPS 140-2 Level 2 (for hardware security modules) and SOC.
Key Vault eliminates the need for developers to store secrets in code or configuration files, which is a common security risk. Instead, applications can retrieve secrets at runtime from Key Vault using secure authentication methods like managed identities.
How Key Vault Works Internally
Azure Key Vault is built on top of Azure's infrastructure and uses hardware security modules (HSMs) for key protection. When you create a Key Vault, it is associated with an Azure subscription and an Azure AD tenant. The vault itself is a logical container with a unique DNS name (e.g., myvault.vault.azure.net).
Authentication to Key Vault happens via Azure Active Directory. There are two authentication models: - Access policies (legacy): You assign permissions to individual users, groups, or service principals at the vault level. Each vault has its own access policy. - Azure RBAC (recommended): Using the built-in roles like Key Vault Secrets User, Key Vault Crypto Officer, etc., you manage permissions at the vault scope using Azure role-based access control. This is the modern approach and is required for some features like managed HSM.
Once authenticated, operations on secrets, keys, and certificates are performed via REST API calls. For example, to get a secret, an application sends a GET request to https://myvault.vault.azure.net/secrets/MySecret?api-version=7.4. The Key Vault service checks the caller's permissions (via the access policy or RBAC), and if allowed, returns the secret value. All operations are logged to Azure Monitor and can be streamed to Log Analytics, Event Hubs, or Storage.
Key Components (Secrets, Keys, Certificates)
Secrets: Opaque blobs of data, typically connection strings, passwords, or API keys. Maximum size is 25 KB. Stored encrypted at rest using a key that is unique to each vault (or customer-managed key if using BYOK). Secrets have a content type (e.g., application/x-pkcs12 for certificates) and can have expiration dates and activation dates.
Keys: Cryptographic keys used for encryption, signing, or wrapping. Supported key types include RSA (2048, 3072, 4096), EC (P-256, P-384, P-521, P-256K), and symmetric keys (octets). Keys can be stored in software-protected or HSM-protected vaults. HSM-backed keys are generated or imported into a dedicated HSM (FIPS 140-2 Level 2 validated). Operations like encrypt, decrypt, sign, verify, wrap, and unwrap are performed by the HSM without exposing the private key.
Certificates: X.509 v3 certificates with their private keys. Key Vault can generate self-signed certificates or work with a certificate authority (CA). It can manage the full lifecycle: creation, renewal, and export. Certificates are stored as secrets with a content type of application/x-pkcs12. The private key is stored as a key in the same vault.
Defaults and Timers
Soft-Delete: Enabled by default. When a vault or secret is deleted, it is retained for a configurable retention period (7 to 90 days, default 90). During this period, it can be recovered. After the retention period, the item is permanently deleted.
Purge Protection: Optional, but when enabled, items cannot be purged (permanently deleted) until the retention period expires. This prevents accidental or malicious permanent deletion.
Access Policies: By default, no one has access to a new vault. The creator must explicitly grant permissions.
Key Rotation: Not automatic for keys. You must implement rotation via Azure Automation or custom logic. Certificate rotation can be automated using Key Vault's certificate auto-rotation feature (requires a CA that supports it).
Throttling: Key Vault has limits on operations per second. For example, GET operations on secrets are limited to 10,000 per second per vault (default). Exceeding this results in HTTP 429 responses.
Configuration and Verification Commands
Using Azure CLI:
# Create a resource group
az group create --name MyResourceGroup --location eastus
# Create a Key Vault
az keyvault create --name MyVault --resource-group MyResourceGroup --location eastus --sku standard
# Add a secret
az keyvault secret set --vault-name MyVault --name MySecret --value "P@ssw0rd!"
# Retrieve a secret
az keyvault secret show --vault-name MyVault --name MySecret --query value -o tsv
# Enable soft-delete and purge protection
az keyvault update --name MyVault --resource-group MyResourceGroup --enable-soft-delete true --enable-purge-protection trueUsing PowerShell:
New-AzKeyVault -VaultName 'MyVault' -ResourceGroupName 'MyResourceGroup' -Location 'eastus' -Sku 'Standard'
Set-AzKeyVaultSecret -VaultName 'MyVault' -Name 'MySecret' -SecretValue (ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force)
Get-AzKeyVaultSecret -VaultName 'MyVault' -Name 'MySecret' -AsPlainTextVerification: Check access policies, soft-delete status, and diagnostic settings.
az keyvault show --name MyVault --query "properties"
az keyvault list-deletedInteraction with Related Technologies
Azure AD Managed Identities: Allows Azure resources (VMs, App Services, Functions) to authenticate to Key Vault without storing credentials. The managed identity is automatically created in Azure AD and can be assigned to a resource. The resource then uses the identity to obtain tokens for Key Vault.
Azure Policy: Can enforce Key Vault settings like requiring soft-delete, restricting allowed key types, or mandating RBAC over access policies.
Azure Monitor: Diagnostic logs capture all Key Vault operations (read, write, delete, list) and can be sent to Log Analytics for analysis.
Azure Disk Encryption: Uses Key Vault to store encryption keys for Azure VMs. The keys are stored in a Key Vault and accessed during encryption/decryption.
Azure Information Protection: Uses Key Vault to store tenant keys for document encryption.
Pricing Tiers
Standard: Secrets, keys, and certificates stored in software-protected HSMs (FIPS 140-2 Level 1).
Premium: HSM-backed keys (FIPS 140-2 Level 2). More expensive but required for compliance.
Security Features
Access Control: Fine-grained permissions using access policies or RBAC. Each operation (get, set, delete, list, etc.) can be controlled.
Network Restrictions: Firewalls and virtual network service endpoints to restrict access to specific IP ranges or VNets.
Private Endpoints: Use Azure Private Link to access Key Vault over a private IP in your VNet, eliminating exposure to the public internet.
Soft-Delete and Purge Protection: Prevent accidental or malicious deletion.
Audit Logging: All operations are logged.
Common Exam Scenarios
You need to store a connection string securely. Use Key Vault secrets.
You need to encrypt data at rest using a customer-managed key. Use Key Vault keys.
You need to manage SSL/TLS certificates for your web app. Use Key Vault certificates.
You want to avoid storing credentials in code. Use managed identities to access Key Vault.
Exam Trap: Access Policies vs. RBAC
On the exam, you might be asked which method to use for granting access. Remember: RBAC is the recommended approach for new deployments. Access policies are legacy but still supported. The exam may test that RBAC is required for certain features like managed HSM.
Exam Trap: Soft-Delete Retention Period
The default retention period is 90 days, but it can be set between 7 and 90 days. The exam may ask what the default is.
Exam Trap: Key Vault Firewall
By default, Key Vault allows access from all networks. You must explicitly disable public access and configure firewall rules. The exam may present a scenario where an application cannot access Key Vault because network restrictions are too strict.
Exam Trap: Throttling
If an application receives HTTP 429 errors, it means it is exceeding the operation limit. The solution is to implement retry logic with exponential backoff, not to increase the limit (which is not configurable).
Create a Key Vault
In the Azure portal, navigate to 'Key Vaults' and click 'Create'. You must provide a unique name (e.g., 'myvault123'), select a subscription, resource group, location, and pricing tier (Standard or Premium). Optionally, you can enable soft-delete and purge protection. After creation, the vault is empty and no one has access except the creator (who is automatically granted full permissions via access policy). The vault's URI is `https://<vault-name>.vault.azure.net`.
Grant access to the vault
You need to grant permissions to users, groups, or applications. You can use either access policies (legacy) or Azure RBAC (recommended). For example, using RBAC, assign the 'Key Vault Secrets User' role to a user at the vault scope. This allows them to read secrets. For administrators, assign 'Key Vault Administrator' or 'Key Vault Contributor'. Using access policies, you select a principal and then check specific permissions (get, list, set, delete) for secrets, keys, and certificates. Note: RBAC and access policies are independent; you can use one or the other, but not both for the same vault (though you can switch).
Add a secret to the vault
In the portal, go to your vault, select 'Secrets', then 'Generate/Import'. Provide a name (e.g., 'MySecret'), the value (e.g., 'MyPassword123!'), and optionally set activation and expiration dates. The secret is encrypted at rest and stored. You can also upload secrets via CLI or PowerShell. The maximum secret size is 25 KB. Secrets are versioned; each time you update a secret, a new version is created. Old versions are retained until you delete them.
Retrieve a secret from an application
An application can retrieve the secret using the Key Vault SDK or REST API. For example, in C# using the Azure.Identity and Azure.Security.KeyVault.Secrets libraries, you can create a `SecretClient` with the vault URI and a credential (e.g., `DefaultAzureCredential` for managed identity). Then call `client.GetSecret("MySecret")`. The secret value is returned as a `KeyVaultSecret` object. The application must have the appropriate permissions (e.g., 'Key Vault Secrets User' role). If using managed identity, the Azure resource (e.g., VM) must have a system-assigned or user-assigned identity, and that identity must be granted access to the vault.
Monitor and audit Key Vault operations
To audit access, enable diagnostic settings for the vault. In the portal, under 'Monitoring' -> 'Diagnostic settings', add a diagnostic setting to send logs to a Log Analytics workspace, storage account, or event hub. Select the categories: 'AuditEvent' (administrative operations) and 'SecretEvent' (secret operations). You can then query logs in Log Analytics using KQL. For example, `KeyVaultAuditEvent | where OperationName == "SecretGet"` shows all secret retrievals. This is crucial for compliance and security investigations.
Enterprise Scenario 1: Centralized Secrets Management for Microservices
A large e-commerce company runs hundreds of microservices on Azure Kubernetes Service (AKS). Each service needs database connection strings, API keys, and service-to-service authentication tokens. Previously, developers stored secrets in environment variables or config files, leading to security incidents when secrets were exposed in logs or source code. The company deployed Azure Key Vault as a central secrets store. They created one Key Vault per environment (dev, test, prod) in the same region as the AKS cluster. They used Azure AD pod-managed identities (now replaced by Workload Identity) to allow each pod to authenticate to Key Vault without storing any credentials. They assigned RBAC roles at the vault scope: each service got a custom role with only the permissions it needed (e.g., 'Secrets Get' for its own secrets). They enabled soft-delete with a 90-day retention and purge protection to prevent accidental deletion. Diagnostic logs were sent to a central Log Analytics workspace for auditing. The result: secrets are never in code, access is granular, and all access is logged. One challenge was throttling: during peak traffic, some services exceeded the default 10,000 GET operations per second per vault. They solved this by implementing caching with a 5-minute TTL and adding retry logic with exponential backoff. They also considered using multiple vaults to distribute load.
Enterprise Scenario 2: Customer-Managed Key for Azure Storage Encryption
A financial services company must comply with regulatory requirements that mandate customer-managed keys for encryption at rest. They use Azure Storage for sensitive data. They created a Key Vault in the same region as the storage account, using the Premium tier to ensure HSM-backed keys (FIPS 140-2 Level 2). They generated a new RSA key (4096-bit) in the vault. Then, when creating the storage account, they selected 'Customer-managed keys' and pointed to the Key Vault and key. The storage account now uses that key for envelope encryption. The company also enabled soft-delete and purge protection on the vault to prevent accidental key deletion, which would render the storage account inaccessible. They set up alerts for key operations (e.g., key disable, key deletion) using Azure Monitor. A common misconfiguration: if the storage account's managed identity does not have 'Get', 'Wrap Key', and 'Unwrap Key' permissions on the key, encryption will fail. They used RBAC to assign the 'Key Vault Crypto Service Encryption User' role to the storage account's system-assigned managed identity. They also tested key rotation by creating a new key version and updating the storage account to use the new version – this required manual intervention via Azure CLI because automatic rotation is not supported for storage encryption keys.
Enterprise Scenario 3: SSL/TLS Certificate Management for Web Applications
A SaaS company manages hundreds of custom domains for its multi-tenant web application. They use Azure Key Vault to store and automatically renew TLS certificates. They import certificates from a public CA (e.g., DigiCert) into Key Vault, or generate self-signed certificates for internal use. They then configure Azure Front Door or Application Gateway to reference the certificate stored in Key Vault. This allows centralized certificate management: when a certificate expires, they only need to update it in Key Vault, and the front-end service automatically picks up the new version (with a short propagation delay). They enabled auto-rotation for certificates that support it (e.g., DigiCert). For domains that require manual validation, they set up alerts 30 days before expiration. A common issue: the service principal for Front Door must have 'Get' and 'List' permissions on the certificate secret. If these are missing, the certificate cannot be retrieved. They used RBAC with the 'Key Vault Secrets User' role. They also had to ensure the certificate is exported as a PFX with the private key included. If the private key is not marked as exportable, Key Vault cannot use it for TLS termination.
SC-900 Exam Focus on Azure Key Vault
Objective Code: 3.4 – Describe the capabilities of Azure Key Vault. This is part of the 'Describe the capabilities of Microsoft's security solutions' domain. You will likely see 2-4 questions on Key Vault.
Common Wrong Answers and Why Candidates Choose Them:
'Key Vault is used to store user passwords for Azure AD.' – WRONG. Azure AD stores user passwords itself. Key Vault stores secrets like application passwords, connection strings, and API keys, not user credentials.
'Key Vault provides encryption for data at rest automatically.' – WRONG. Key Vault stores the keys, but does not automatically encrypt data. You use those keys in other services (e.g., Azure Storage, SQL Database) to enable customer-managed encryption.
'Access policies and RBAC are interchangeable and can be used together.' – WRONG. While you can enable both, they are independent. If you use RBAC, access policies are ignored. The exam may ask which method is recommended (RBAC).
'Soft-delete is optional and disabled by default.' – WRONG. Soft-delete is enabled by default. The exam may test the default retention period of 90 days.
'Key Vault can store secrets up to 10 MB.' – WRONG. The maximum secret size is 25 KB. Candidates often confuse this with Azure App Configuration (which supports larger values).
Specific Numbers and Terms That Appear Verbatim: - Default soft-delete retention: 90 days (range 7-90) - Maximum secret size: 25 KB - Pricing tiers: Standard (software-protected) and Premium (HSM-protected) - Key types: RSA, EC, symmetric - Authentication: Azure AD (not SQL Server or other) - Access methods: Access policies (legacy) or Azure RBAC (recommended)
Edge Cases and Exceptions: - If a Key Vault is deleted with soft-delete enabled, it can be recovered within the retention period. After that, it is permanently deleted. If purge protection is enabled, it cannot be purged until the retention period ends. - Managed identities: A resource can have a system-assigned or user-assigned identity. Both can be granted access to Key Vault. The exam may ask which one is automatically created when you enable a managed identity on a VM (system-assigned). - Network restrictions: By default, Key Vault allows public access from all networks. To restrict, you must configure firewall rules or use private endpoints.
How to Eliminate Wrong Answers: - If the question mentions 'storing user passwords' or 'authentication for Azure AD', eliminate Key Vault – that's Azure AD's job. - If the question says 'automatically encrypts data', eliminate – Key Vault only stores keys. - If the question asks about 'maximum size', remember 25 KB – anything larger is incorrect. - If the question involves 'default retention period', 90 days is the answer. - For access control, prefer RBAC over access policies if the question says 'recommended' or 'modern'.
Azure Key Vault securely stores secrets, keys, and certificates; maximum secret size is 25 KB.
Authentication to Key Vault requires Azure AD; use managed identities for Azure resources.
Soft-delete is enabled by default with a retention period of 90 days (configurable 7-90).
Use Azure RBAC (recommended) over access policies for permission management.
Key Vault does not automatically encrypt data; it provides keys for customer-managed encryption.
Pricing tiers: Standard (software-protected) and Premium (HSM-protected, FIPS 140-2 Level 2).
Enable diagnostic settings to audit all Key Vault operations.
These come up on the exam all the time. Here's how to tell them apart.
Access Policies
Legacy method, still supported.
Configured per-vault, not at subscription level.
Permissions are granular (get, set, list, delete) per secret/key/certificate.
Cannot be used with Managed HSM.
Management is via the Key Vault blade in portal.
Azure RBAC
Modern, recommended method.
Uses Azure role assignments at any scope (management group, subscription, resource group, vault).
Built-in roles: Key Vault Administrator, Secrets User, Crypto Officer, etc.
Required for Managed HSM.
Management is via Azure RBAC (IAM) blade.
Mistake
Azure Key Vault can be used to store user passwords for Azure AD.
Correct
Key Vault stores secrets like application passwords, connection strings, and API keys. Azure AD stores user passwords itself. Key Vault is not for user authentication.
Mistake
Key Vault automatically encrypts data at rest in Azure services.
Correct
Key Vault stores the encryption keys, but it does not perform encryption. You use the keys in other services (e.g., Azure Storage, SQL) to enable customer-managed encryption.
Mistake
Soft-delete is disabled by default and must be enabled manually.
Correct
Soft-delete is enabled by default for all new Key Vaults. The default retention period is 90 days (configurable between 7 and 90).
Mistake
Access policies and Azure RBAC can be used together simultaneously.
Correct
While you can enable both, they are independent. If you use RBAC, access policies are ignored. You should use one method consistently.
Mistake
Key Vault can store secrets up to 10 MB in size.
Correct
The maximum secret size is 25 KB. For larger configuration values, use Azure App Configuration.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Key Vault is designed for storing sensitive information like passwords, connection strings, and cryptographic keys. It provides encryption at rest, access control, and auditing. Azure App Configuration is for managing application configuration settings (non-secret) like feature flags, connection strings (though it can reference Key Vault secrets), and environment-specific settings. App Configuration stores values in plaintext (though encrypted at rest) and does not have the same security features as Key Vault. For secrets, always use Key Vault.
Yes, but only for secrets. For non-sensitive configuration, use Azure App Configuration. However, you can combine them: store the actual secret in Key Vault and reference it from App Configuration using a Key Vault reference. This allows your app to get configuration from App Configuration while keeping secrets secure in Key Vault.
Enable a managed identity on the VM (system-assigned or user-assigned). Then grant that identity the appropriate permissions on the Key Vault (e.g., 'Key Vault Secrets User' role). The VM can then authenticate to Key Vault using its managed identity, obtaining tokens from Azure AD without any stored credentials.
The vault is soft-deleted and enters a 'deleted' state. It is retained for the configured retention period (default 90 days). During this time, you can recover the vault (with all its contents) using the 'Recover' option in the portal or CLI. After the retention period, the vault is permanently deleted. If purge protection is enabled, you cannot purge (permanently delete) the vault until the retention period expires.
The default limit for GET operations on secrets is 10,000 per second per vault. Other operations have different limits. If exceeded, the client receives HTTP 429 (Too Many Requests). The solution is to implement retry logic with exponential backoff; you cannot increase the limit.
Yes, Key Vault can store and manage X.509 certificates. You can import existing certificates or generate self-signed ones. Key Vault can also handle certificate renewal if you use a supported CA. The certificate's private key is stored as a key in the vault.
The Premium tier uses HSMs that are FIPS 140-2 Level 2 validated. The Standard tier uses software-protected keys that are FIPS 140-2 Level 1. For compliance requiring FIPS 140-2 Level 2, use Premium.
You've just covered Azure Key Vault Basics — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?