
Configuring and Managing Azure Key Vault starts with a key vault overview before moving on to authenticating and accessing Azure Key Vault as a user and as an application. We then deploy several key vaults to illustrate various creation, authentication, and access scenarios. Next, we create secrets and access them using the .NET and REST API interfaces. We then look at vault business continuity and backup options before seeing how to implement key rotation.

Learning Objectives

  • Overview of Azure Key Vault
  • Create an Azure Key Vault
  • Create and consume secrets
  • Learn about keeping vault data safe
  • Learn about key rotation

Intended Audience

  • Students working towards the AZ-500: Microsoft Azure Security Technologies exam
  • Those wanting to learn about Azure Key Vault and how to use it from application and user perspectives


Prerequisites

  • Students should be familiar with Active Directory concepts such as managed identities and role-based access control

Azure Key Vault comes in 3 variants: Standard, Premium, and Managed HSM. Standard and Premium offer software management of secrets, keys, and certificates, where only asymmetrical keys are supported. Premium also supports hardware security module (HSM) backed keys. Managed HSM supports hardware security module keys but not secrets or certificates. Managed HSM does support symmetrical keys.

Users, applications, and services authenticate with Azure Key Vault using Azure Active Directory identities. Once authenticated, the access permissions of applications and services are controlled through either vault access policies or role-based access control (RBAC) in the data plane. RBAC offers more granular permission configuration for vault resources than vault access policies.
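To make the two permission models concrete, here is an added example (not part of the course material) that audits vault configuration in the JSON shape returned by `az keyvault show`. It reports which model a vault uses and flags access policies holding high-impact operations. The sample vaults, object IDs, and the HIGH_IMPACT set are assumptions constructed for illustration.

```python
"""Added example: audit a Key Vault's data-plane permission model.
Input is the JSON shape returned by `az keyvault show`; sample data is constructed."""

# Assumption: operations this review treats as high-impact.
HIGH_IMPACT = {"all", "purge", "delete", "set", "backup", "restore"}

def audit_vault(vault):
    """Return a list of findings for one vault resource (a dict)."""
    props = vault.get("properties", {})
    name = vault.get("name", "<unnamed>")
    policies = props.get("accessPolicies") or []
    if props.get("enableRbacAuthorization"):
        # Under the RBAC model, vault access policies are not evaluated.
        findings = [f"{name}: RBAC model"]
        if policies:
            findings.append(f"{name}: {len(policies)} inactive access policies left behind")
        return findings
    findings = [f"{name}: access-policy model (grants cover every object of a type)"]
    for policy in policies:
        perms = policy.get("permissions") or {}
        for kind in ("secrets", "keys", "certificates"):
            # Permission names appear in mixed case in exports, so normalise.
            granted = {p.lower() for p in perms.get(kind) or []}
            risky = sorted(granted & HIGH_IMPACT)
            if risky:
                findings.append(
                    f"{name}: {policy.get('objectId')} holds {kind} {'/'.join(risky)}")
    return findings

# Constructed sample vaults (names and object IDs are placeholders).
SAMPLE_VAULTS = [
    {"name": "kv-app-legacy", "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": "00000000-0000-0000-0000-000000000001",
             "permissions": {"secrets": ["Get", "List"], "keys": None}},
            {"objectId": "00000000-0000-0000-0000-000000000002",
             "permissions": {"secrets": ["all"], "keys": ["get", "delete", "purge"]}},
        ]}},
    {"name": "kv-app-rbac", "properties": {
        "enableRbacAuthorization": True,
        "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000001",
                            "permissions": {"secrets": ["get"]}}]}},
]

if __name__ == "__main__":
    for vault in SAMPLE_VAULTS:
        print("\n".join(audit_vault(vault)))
```

A vault reported as using the access-policy model cannot restrict an identity to a single secret; that requires the RBAC model with a role assignment scoped to the individual object.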

Key vaults operate in the context of security worlds, which are Azure regions that are, for the most part, analogous to countries. Vaults are automatically replicated to another data center within the same security world as part of built-in business continuity functionality. You can back up a vault, but only within the same security world.

Many Azure services, like storage and databases, that use vault resources and are distributed across regions will need a vault located in the same region as themselves. Azure Key Vault supports automatic key rotation, and some integrated services will automatically detect and use the newly rotated key. 

My name is Hallam Webber, and I hope you've found this in-depth look at Azure Key Vault enlightening and instructive. Remember, the best-kept secret is the one you don't share.

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.