Configuring and Managing Azure Key Vault

The course is part of this learning path


Configuring and Managing Azure Key Vault starts with a key vault overview before moving on to authenticating and accessing Azure Key Vault as a user and as an application. We then deploy several key vaults to illustrate various creation, authentication, and access scenarios. Next, we create secrets and access them using the .NET and REST API interfaces. We then look at vault business continuity and backup options before seeing how to implement key rotation.

Learning Objectives

  • Overview of Azure Key Vault
  • Create an Azure Key Vault
  • Create and consume secrets
  • Learn about keeping vault data safe
  • Learn about key rotation

Intended Audience

  • Students working towards the AZ-500: Microsoft Azure Security Technologies exam
  • Those wanting to learn about Azure Key Vault and how to use it from application and user perspectives


  • Students should be familiar with Active Directory concepts such as managed identities and role-based access control

When we configure and manage applications, data, and Azure services, we use certificates, passwords, keys, connection strings, and other crucial and confidential information. These critical data need to be stored securely, and by securely, I mean they won't be lost, and only authorized users and applications can access them. Azure Key Vault is a repository structured explicitly for storing and managing highly sensitive data like secrets, keys, and certificates. In addition to providing secure storage, Azure Key Vault is a single location, so keys and app passwords don't end up spread around folders and config files with varying degrees of visibility. Just to clarify, when we talk about passwords in the context of the key vault, I'm referring to application passwords for accessing secured resources, not user passwords. 

I've mentioned certificates, keys, and secrets, and it's worth clarifying what these terms mean, as the Key Vault is specifically designed to work with and operate on these data types. Secrets can be anything but are typically text like connection strings, application passwords, or other credentials. Secrets can be created, read, updated, and deleted from a key vault. 

Keys are used for encryption and, with one exception, are asymmetrical, consisting of public and private keys. Keys can be imported into the vault, or you can get the key vault to generate a key, specifying its type and size. Apart from create, read, update, and delete operations, keys can be wrapped, unwrapped, encrypted, and decrypted. 

Certificates, like keys, can be imported or generated. Certificates can be self-signed or issued by a public certificate authority. Certificates have a life cycle, as in they expire and have to be renewed, preferably without interrupting the operation of services that use them for verification.

Azure Key Vault comes in three variants: standard, premium, and managed HSM. Standard and premium offer software support for secrets, keys, and certificates, with premium adding support for hardware security module-backed keys. Premium gives you HSM options for RSA and EC key generation. Managed HSM is a special case that only supports hardware security module-backed keys and is the only key vault variant that supports symmetrical keys.

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.