Adding a New Software-Protected Key to the Key Vault
1h 11m

As companies race toward the cloud, it’s imperative that IT professionals keep up with the times. Keeping up with the times means maintaining the ability to deploy and maintain cloud-based solutions – particularly those offered through Microsoft Azure.

In this course, you will learn how to create and manage encryption keys in Azure, prevent and respond to security threats to Azure resources, configure access to Azure applications via single sign-on, manage access to Azure applications, and configure federation with public consumer identity providers like Facebook and Google. 

Learning Objectives

  • Create and import keys in the Azure Key Vault
  • Define, configure, and assess security policies
  • Harden Azure resources against threats
  • Configure single sign-on for SaaS applications
  • Configure federation with public consumer identity providers like Facebook and Google

Intended Audience

  • People interested in becoming Azure security engineers

Prerequisites

  • General knowledge of IT infrastructure
  • General knowledge of the Azure environment

If you want the Azure Key Vault to create a software-protected key for you, use the Add-AzureKeyVaultKey command. It's a relatively simple command and only requires a few switches. As you can see on the screen, I've got my PowerShell session open. I've connected to my Azure tenant already, and I have my Key Vault, called BlueWidgetKeyVault, already provisioned. To create the new key in the Key Vault, I'm going to run the Add-AzureKeyVaultKey command. With it, I'm going to specify the name of the vault, the name that I want to give the key I'm creating, and whether I want to store the key as a software-protected key or an HSM-protected key.

The command that I ran here creates a key named MyFirstKey in the Key Vault named BlueWidgetKeyVault, and it adds it as a software-protected key, as specified by the Software value of the Destination switch. If I wanted to store the key as an HSM-protected key, I would have specified HSM as the value for Destination instead. To view the URI for my newly-created key, I just need to call the key ID that's stored in the key variable from the command above. To do that, I simply type the expression shown on screen; essentially, I'm calling the ID attribute of the key variable.

When I hit enter here, the URI of my first key is returned. This URI is significant because keys created in or uploaded to the Azure Key Vault are referenced by URIs. The fact that we can retrieve the key's URI tells us that the key creation has actually been successful. We can further confirm the existence of this newly-created key by running the Get-AzureKeyVaultKey command and specifying BlueWidgetKeyVault and MyFirstKey. So what I'll do here is copy this command into my session. As you can see, we've got Get-AzureKeyVaultKey, and we're simply specifying the name of the key and the vault name.

When we hit enter here, you can see that the command confirms that MyFirstKey is stored in the vault. Now, the only required switch when we run this command is VaultName. However, by specifying the Name switch as well, we can retrieve just the key that we're interested in.
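The whole procedure from the lesson, written out as a script rather than typed interactively, as an added example that is not part of the course material. It assumes an existing AzureRM session (Connect-AzureRmAccount) with the AzureRM.KeyVault module loaded, and a vault named BlueWidgetKeyVault that your account has create and get key permissions on; the `$vaultName`, `$keyName`, `$key` and `$check` variable names are my own. Note that AzureRM is retired: in the current Az module the same cmdlets are Add-AzKeyVaultKey and Get-AzKeyVaultKey, with the same VaultName, Name and Destination parameters, so the script ports by renaming the cmdlets. HSM as the Destination value requires a Premium-tier vault.

```powershell
# Added example, not from the course: create a software-protected key and
# prove it exists by URI. Requires an authenticated AzureRM session and the
# AzureRM.KeyVault module (Az equivalents: Add-AzKeyVaultKey / Get-AzKeyVaultKey).

$vaultName = 'BlueWidgetKeyVault'   # vault name used in the lesson
$keyName   = 'MyFirstKey'           # key name used in the lesson

# -Destination Software asks the vault to generate the key material in software.
# -Destination HSM would generate it inside the HSM instead (Premium SKU only).
# -ErrorAction Stop turns a failed call (wrong vault name, missing permission)
# into a terminating error instead of letting the script continue with $null.
$key = Add-AzureKeyVaultKey -VaultName $vaultName -Name $keyName `
                            -Destination Software -ErrorAction Stop

# Every key in a vault is addressed by its URI. A populated Id is the first
# sign the creation succeeded; the format is
# https://<vault>.vault.azure.net/keys/<key-name>/<version>
$key.Id

# Cross-check: read the key back by name and compare identifiers. Asking for
# the key by -Name returns the current version, which must be the one we made.
$check = Get-AzureKeyVaultKey -VaultName $vaultName -Name $keyName -ErrorAction Stop
if ($check.Id -ne $key.Id) {
    throw "Key URI mismatch: created $($key.Id) but vault returned $($check.Id)"
}
"Confirmed $($check.Name) in $($check.VaultName): $($check.Id)"

# Without -Name, Get-AzureKeyVaultKey lists every key in the vault, which is
# the quick way to spot keys you did not expect to be there.
Get-AzureKeyVaultKey -VaultName $vaultName | Select-Object Name, Id
```

The identifier comparison is the step the lesson does by eye; in a deployment script it is what you want to gate on, because a vault that already held a key of the same name would return the existing current version from Get-AzureKeyVaultKey, and Add-AzureKeyVaultKey on an existing name creates a new version rather than failing, so only the returned URIs tell you which version you are about to hand to an application.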

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.