Security Secrets and keys premium field-manual-complete

Key Vault

Key Vault is where Azure teams put sensitive values and cryptographic material so they are not scattered through app settings, scripts, source code, or deployment notes. It stores secrets, keys, and certificates, then controls who or what can read or manage them. A vault is not a general document store or a replacement for every configuration service. Its job is to keep high-risk values protected, auditable, recoverable, and reachable by trusted applications without exposing them to people or pipelines unnecessarily.

Back to glossary browser Open Microsoft Learn source
Aliases
Key Vault, Azure Key Vault, vault, secrets store, certificate vault, secure secrets store, key vault resource
Difficulty
Fundamentals
CLI mappings
5
Last verified
2026-05-30

Microsoft Learn

Azure Key Vault is a cloud service for storing and controlling access to secrets, keys, and certificates. It helps applications, administrators, and automation protect sensitive values with encryption, access control, logging, purge protection, private networking, and managed integration across Azure workloads.

Microsoft Learn: Azure Key Vault overview2026-05-30

Technical context

Technically, Key Vault sits at the security, identity, and data protection boundary. A vault resource belongs to a subscription, resource group, tenant, region, and access model. Objects inside it include secrets, keys, and certificates with versions, attributes, expiry dates, and access controls. Applications reach it through SDKs, REST APIs, managed identities, service principals, private endpoints, and firewall rules. Azure Monitor and diagnostic settings record access activity, while RBAC, access policies, purge protection, soft delete, and network rules govern operational behavior.

Why it matters

Key Vault matters because secret sprawl is one of the fastest ways to turn a small configuration mistake into a major incident. Expired certificates, leaked connection strings, hard-coded keys, and untracked manual rotations cause outages and audit failures. A well-run vault gives teams one controlled place for sensitive values, with clear ownership, logging, recovery settings, and identity-based access. It also helps separate duties: app teams can consume secrets, security teams can review access, and platform teams can enforce guardrails. The term is essential whenever an Azure workload authenticates, encrypts, signs, or connects to protected systems. It also reduces pressure on developers to handle cryptography themselves.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the Azure portal, Key Vault appears with Secrets, Keys, Certificates, Access control, Access policies, Networking, Events, Diagnostic settings, and Properties blades during audits and rotations.

Signal 02

In CLI output, operators see vault name, URI, tenant, soft-delete state, purge protection, RBAC mode, network ACLs, object attributes, and expiry dates during incident reviews.

Signal 03

In audit and monitoring data, Key Vault appears as secret get operations, key usage, certificate changes, denied requests, access updates, and private endpoint activity weekly.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Remove passwords, connection strings, API keys, and certificates from source code, pipeline variables, and application configuration files.
  • Centralize certificate storage and rotation for applications that need controlled TLS or client-certificate authentication.
  • Protect encryption keys used by storage, database, or application workloads that require customer-managed key governance.
  • Give managed identities controlled runtime access to only the secrets or keys their workload needs.
  • Provide auditable evidence of secret access, rotation, expiry, network restrictions, and purge protection for compliance reviews.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Payment credentials stop living in deployment variables

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A payment processor used pipeline variables for gateway passwords, webhook secrets, and client certificates. Two emergency rotations in one quarter caused checkout failures and weekend incident calls.

Business/Technical Objectives
  • Remove payment secrets from pipeline variables and app settings.
  • Rotate gateway credentials without redeploying the checkout app.
  • Alert 45 days before certificate expiration.
  • Produce audit evidence for every secret read and access change.
Solution Using Key Vault

Security engineers created a production Key Vault with purge protection, diagnostic settings, and private endpoint access from the checkout subnet. App Service used managed identity to read only the required secret names, while deployment identities could set new versions but not read values. Certificates were imported with expiration metadata and alert rules that notified both platform and payment owners. The team changed the application to reference versionless secret URIs where safe, letting new versions activate after validation. CLI runbooks listed object metadata without printing secret values, captured RBAC assignments, and confirmed network ACLs before each rotation.

Results & Business Impact
  • Pipeline-held payment secrets dropped from 37 to zero.
  • Credential rotation time fell from four hours to 28 minutes.
  • Certificate-expiry incidents fell to zero over two release quarters.
  • Audit evidence for secret reads was available in under ten minutes.
Key Takeaway for Glossary Readers

Key Vault is strongest when secret storage, identity access, rotation workflow, and audit evidence are designed together.

Case study 02

Genomics research protects encryption keys without blocking scientists

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A genomics institute stored sensitive research files in Azure Storage and needed customer-managed key control for grant requirements. Scientists still needed reliable access during analysis deadlines.

Business/Technical Objectives
  • Use customer-managed keys for regulated research storage.
  • Limit key administration to the security team.
  • Keep analysis jobs running during key rotation.
  • Retain evidence for grant and ethics-board reviews.
Solution Using Key Vault

The platform team stored encryption keys in Azure Key Vault and configured storage accounts to use those customer-managed keys. RBAC separated key administrators from data readers, and purge protection prevented accidental permanent deletion. Private endpoints restricted vault access to approved analytics networks, while diagnostic logs flowed to a protected Log Analytics workspace. Rotation was rehearsed in a staging environment with the same managed identities used by production compute. Runbooks documented how to verify key version state, storage encryption configuration, access denials, and recovery procedures. Researchers never handled key material directly; their jobs used normal storage access paths.

Results & Business Impact
  • All regulated storage accounts passed customer-managed key review.
  • Key administration was reduced from 18 operators to four approved owners.
  • Rotation rehearsal showed no failed analysis jobs during a 72-hour test.
  • Audit preparation time for encryption evidence dropped 55 percent.
Key Takeaway for Glossary Readers

Key Vault helps regulated teams separate cryptographic control from day-to-day data access without freezing productive work.

Case study 03

Factory device certificates become trackable before rollout

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

An industrial automation vendor shipped edge gateways that authenticated to cloud APIs with certificates. Certificate files were generated manually, stored on laptops, and difficult to revoke.

Business/Technical Objectives
  • Centralize certificate creation and lifecycle tracking.
  • Reduce device onboarding time by 40 percent.
  • Revoke compromised gateway credentials within one hour.
  • Stop storing private certificate material on engineer laptops.
Solution Using Key Vault

Engineers used Azure Key Vault certificates and keys to create a controlled certificate lifecycle for gateway onboarding. A provisioning service with managed identity requested certificates, stored metadata, and delivered only the approved enrollment package to the manufacturing line. The vault used private endpoint access, diagnostic logging, soft delete, and purge protection. Certificate expiry and near-expiry alerts routed to device operations. Support runbooks used CLI to list certificate metadata, confirm enabled status, and identify the gateway batch without exporting private material. Revocation steps were tested with an API Management policy that rejected disabled certificate thumbprints.

Results & Business Impact
  • Average device onboarding time fell from 19 minutes to 10 minutes.
  • Private certificate files were removed from engineer workstations.
  • A compromised test gateway was blocked in 23 minutes during a drill.
  • Certificate inventory accuracy improved from 71 percent to 99 percent immediately.
Key Takeaway for Glossary Readers

Key Vault turns certificate handling into an auditable operational process instead of a fragile file-sharing habit.

Why use Azure CLI for this?

I use Azure CLI for Key Vault because secret and certificate problems usually need precise evidence quickly. After ten years of Azure operations, I do not want to click around during a rotation incident and wonder which vault, tenant, policy, or network rule I saw. CLI lets me list vaults, show soft-delete and purge-protection state, inspect access configuration, inventory keys and certificates, and confirm private endpoint posture in repeatable output. It is also safer for change review: commands can be scripted as read-only checks first, with mutating commands gated behind approval and logged in runbooks. That discipline protects values while still moving incidents forward quickly.

CLI use cases

  • List vaults and export region, tenant, RBAC mode, purge protection, public access, private endpoint, and ownership tags.
  • List secret, key, and certificate metadata to find disabled, expired, orphaned, or soon-to-expire objects without printing values.
  • Update purge protection, network rules, or diagnostic settings through approved automation after recording current state.
  • Capture vault access and object inventory evidence for audits, incident response, or migration planning.

Before you run CLI

  • Confirm tenant and subscription because vault access is tenant-bound and cross-tenant confusion can look like an authorization failure.
  • Do not run value-reading commands unless the task explicitly requires it; metadata is enough for most inventory and audit work.
  • Check whether the vault uses Azure RBAC or access policies, because permission troubleshooting differs between the two models.
  • Treat delete, purge, recover, import, key rotation, and network update commands as high-risk production changes.

What output tells you

  • Vault output shows URI, tenant ID, region, SKU, RBAC mode, soft-delete state, purge protection, network ACLs, and tags.
  • Object metadata shows enabled state, creation and update timestamps, expiry dates, content type, key operations, and version identifiers.
  • Denied operations and diagnostic logs reveal whether failures are identity, permission, firewall, private DNS, disabled object, or expired object problems.

Mapped Azure CLI commands

Key Vault operational checks

direct
az keyvault list --resource-group <resource-group> --output table
az keyvaultdiscoverSecurity
read-only Microsoft docs
az keyvault show --name <vault-name> --resource-group <resource-group>
az keyvaultdiscoverSecurity
read-only Microsoft docs
az keyvault key list --vault-name <vault-name> --output table
az keyvault keydiscoverSecurity
read-only Microsoft docs
az keyvault secret list --vault-name <vault-name> --output table
az keyvault secretdiscoverSecurity
read-only Microsoft docs
az keyvault update --name <vault-name> --resource-group <resource-group> --enable-purge-protection true
az keyvaultconfigureSecurity
modifies-state Microsoft docs

Architecture context

Architecturally, Key Vault is a trust boundary for workloads, not a convenience drawer for random settings. I place it beside managed identities, RBAC, private networking, diagnostic logs, deployment pipelines, and applications that need secrets, keys, or certificates at runtime. The resource design should answer who administers the vault, who reads each object, how rotation happens, how objects are recovered, and whether access stays on a private path. It often integrates with App Service, Functions, AKS, API Management, Storage encryption, SQL, automation pipelines, and certificate-backed TLS. Good designs avoid shared catch-all vaults unless ownership and blast radius are deliberate. Those boundaries should be explicitly documented.

Security

Security is the core purpose of Key Vault. Restrict management-plane changes, data-plane reads, key operations, certificate imports, and purge actions to the few identities that need them. Enable soft delete and purge protection for production vaults, review public network access, and prefer private endpoints for sensitive workloads. Use managed identities rather than copying secrets into application settings when possible. Monitor secret reads, key operations, access changes, and denied requests. Remember that logs, deployment output, and troubleshooting screenshots can leak secret names, object IDs, or operational context even when values stay hidden. Review emergency accounts and break-glass procedures before a real recovery event.

Cost

Key Vault costs are usually modest compared with the outages it prevents, but they are not zero. Charges can come from operations, premium keys, certificate activity, managed HSM alternatives, private networking, diagnostics ingestion, and engineering work around rotation. Waste appears when teams create many lightly used vaults without ownership, send verbose logs forever, or keep unused certificates and secrets alive. The bigger cost is operational: leaked or expired secrets create emergency rotations, downtime, audit response, and customer trust damage. FinOps should connect vault count, premium usage, logging, and ownership to workload criticality. Measure the avoided incident effort as part of business value.

Reliability

Reliability depends on vault availability, network reachability, identity token acquisition, object versions, expiry dates, and application caching behavior. Key Vault is highly available, but an application can still fail if a firewall rule blocks access, a certificate expires, a secret version is disabled, or code fetches secrets on every request without fallback. Operators should track expiration alerts, rotation windows, private endpoint health, dependency latency, and soft-delete recovery procedures. For disaster recovery planning, document which vault objects are critical, how they are backed up, and how applications behave during transient failures. Alert before expiry, not at the moment a certificate-dependent request starts failing.

Performance

Performance impact is mostly about dependency latency and call patterns. Applications should not call Key Vault for every request when local caching, configuration refresh, or startup loading is appropriate. Private endpoints, DNS, network security, throttling, and retry policy can affect secret retrieval and key operations. Certificate and key operations may have different latency expectations than simple secret reads. Operators should monitor dependency duration, failed calls, throttling, and startup behavior. Good performance design keeps Key Vault in the secure control path without making it the bottleneck for normal application traffic. Retry policy and caching rules should be tested during deployment rehearsals.

Operations

Operations include vault inventory, access review, secret and certificate lifecycle, key rotation, diagnostic logging, private endpoint review, and incident evidence. Teams should know how to identify vault owners, list objects without revealing values, check expiry dates, confirm purge protection, and validate RBAC or access policy assignments. Runbooks should separate safe reads from value reads, and they should explain how to rotate a secret without breaking consumers. Change records need object names, version strategy, consuming apps, rollback path, and monitoring signals for failed authentication or certificate binding issues. Operators should test changes in lower environments with the same identity pattern first.

Common mistakes

  • Storing secrets in app settings or pipeline variables after the architecture says Key Vault is the authoritative secret store.
  • Granting broad vault administrator access to deployment identities that only need read access to one secret or certificate.
  • Disabling or rotating a secret version without confirming every application has moved to the new version or name.
  • Ignoring certificate expiry alerts until TLS bindings, client authentication, or downstream integrations fail in production.