Azure Key Vault is a Microsoft-managed secrets management service that centrally stores Secrets (passwords, connection strings, API keys), Keys (cryptographic keys), and Certificates (TLS certificates). It is the foundational service for building secretless apps on Azure: applications eliminate hardcoded credentials and fetch them dynamically via Managed Identity. This article comprehensively covers tier selection, when to use Secrets vs Keys vs Certificates, RBAC, Managed Identity integration, and security best practices.
| Item | Key Vault Standard | Key Vault Premium | Managed HSM |
|---|---|---|---|
| Backing | Software | HSM (shared) | Dedicated HSM |
| FIPS certification | 140-2 Level 2 | 140-2 Level 3 | 140-2 Level 3 |
| SLA | 99.99% | 99.9% | 99.99% |
| Monthly cost | A few hundred to a few thousand yen | $1 per key + per-operation fees | 1,000 USD+ |
| Use case | General Secret / Cert management | Needs HSM-protected keys | PCI DSS / HIPAA / fully isolated HSM required |
Microsoft's current recommendation is RBAC (Azure Role-Based Access Control)-based authorization. Key Vault Access Policies are the legacy approach.
Choose 'Use RBAC' for new Key Vaults and migrate existing Access Policies-based vaults to RBAC.
The standard pattern for modern secretless apps:
client.getSecret('db-connection-string'))This completely removes the need to put connection strings or API keys in App Settings / environment variables, eliminating the risk of leaking secrets through Git commits. It is Microsoft's recommended modern implementation pattern and should be adopted for every new Azure application.
| Feature | Behavior | Status |
|---|---|---|
| Soft Delete | On delete, retains for 7-90 days instead of removing immediately | Enabled by default, cannot be disabled |
| Purge Protection | Disables purge (immediate permanent deletion) during the Soft Delete window | Required in production; once enabled, cannot be disabled |
Enabling Purge Protection blocks attackers with compromised credentials from completely wiping a Key Vault. It becomes your last line of defense for data recovery against threats like ransomware. It is a required setting for production.
The standard for production Key Vaults is to disable the public endpoint and allow access only via a Private Endpoint.
The Selected Networks approach (allow only specific IPs / VNets) is useful combined with Service Endpoints for limited scenarios. See Private Endpoint vs Service Endpoint for details.
The biggest benefit of Key Vault Certificates is automatic renewal.
| Item | Standard pricing | Notes |
|---|---|---|
| Secret / Software Key operations | $0.03 per 10,000 transactions | Standard usage |
| HSM Key (Premium only) | $1/month per key + $0.15 per 10,000 transactions | For HSM-protected keys |
| Certificate operations | $3 per certificate (acquisition) | Public CA integration |
| Managed HSM | $3.20/hour ≈ $1,000+/month | Dedicated HSM |
For typical use, Key Vault Standard runs for a few hundred to a few thousand yen per month, so cost is rarely a barrier. Pick Premium only when HSM-protected Keys are required, and consider Managed HSM only when financial or healthcare requirements demand a fully isolated HSM.
What is Azure Key Vault?
Azure Key Vault is a Microsoft-managed secrets management service that centrally stores Secrets (passwords, connection strings, API keys), Keys (cryptographic keys), and Certificates (TLS certificates). It is the foundational service for building 'secretless apps' on Azure: applications eliminate hardcoded credentials and fetch them dynamically via Managed Identity. SLA: 99.99% (Standard) / 99.9% (Premium). Cost is minimal (from a few hundred yen per month). Compliance: FIPS 140-2 Level 2. The Premium tier is HSM (Hardware Security Module) backed and FIPS 140-2 Level 3 compliant. The higher-tier sibling service Managed HSM (dedicated HSM, FIPS 140-2 Level 3, $1,000+/month) is also available.
What is the difference between the Standard and Premium tiers?
Standard: software-backed, cheapest, FIPS 140-2 Level 2 compliant. Provides the standard Key / Secret / Certificate operations and runs for hundreds to a few thousand yen per month. Premium: HSM (Hardware Security Module) backed and FIPS 140-2 Level 3 compliant, required for compliance regimes (finance, healthcare, government). HSM-protected Keys incur extra cost ($1/month per key plus $0.15 per 10,000 operations). Pick Premium only when HSM-protected Keys are required; Standard is enough for Secret / Certificate workloads. The tier above that is Managed HSM (dedicated HSM, FIPS 140-2 Level 3, $1,000+/month) for PCI DSS / HIPAA / SOC2 requirements that demand a fully isolated HSM.
How does Key Vault handle authentication?
Microsoft's current recommendation is RBAC (Azure Role-Based Access Control)-based authorization. Key Vault Access Policies are the legacy approach. RBAC: assign Microsoft Entra ID roles (Key Vault Administrator, Key Vault Secrets User, Key Vault Crypto User, etc.) at the Subscription / RG / Key Vault level, then Managed Identities / Service Principals authenticate. Access Policies (legacy): grant access on individual users / Service Principals inside the Key Vault resource itself; now deprecated. Choose 'Use RBAC' for new Key Vaults and migrate existing Access Policies-based vaults to RBAC. The modern best practice is for applications to authenticate via Managed Identity + an RBAC role.
When should I use Secret vs Key vs Certificate?
Secret: stores arbitrary strings (passwords, connection strings, API keys, tokens, JSON), up to 25 KB; the most general-purpose. Key: stores cryptographic keys (RSA, EC, oct) and runs Sign / Verify / Encrypt / Decrypt / Wrap / Unwrap operations inside Key Vault (keys cannot be exported). Used for TDE (Transparent Data Encryption) Customer-Managed Keys, SSE (Storage Service Encryption), and similar. Certificate: stores X.509 certificates; the public portion is retrievable as a Secret and the private key is stored as a Key. Supports Auto Renewal (via Let's Encrypt and other CA integrations) and is ideal for managing SSL certificates on App Service / Application Gateway. Each is an independent resource with its own endpoint (secrets/keys/certificates) and RBAC roles.
How do Managed Identity and Key Vault work together?
This is the standard pattern for modern secretless apps. Steps: 1) enable a System-assigned or User-assigned Managed Identity on the Azure resource (VM, App Service, Functions, etc.); 2) grant the Managed Identity the Key Vault Secrets User role via Key Vault RBAC; 3) use the Azure Identity SDK (DefaultAzureCredential) in the app; 4) fetch secrets dynamically through the Key Vault Secret Client (e.g. `client.getSecret('db-connection-string')`). This completely removes the need to put connection strings or API keys in App Settings / environment variables, driving the risk of leaking secrets via Git commits to zero. It is Microsoft's recommended modern implementation pattern and should be adopted for every new Azure application.
What are Soft Delete and Purge Protection?
Soft Delete: when a Key Vault or Secret is deleted, it is not removed immediately but retained for 7-90 days (default 90). It enables recovery from accidental deletion and is enabled by default and cannot be disabled. Purge Protection: disables the ability to force-purge (immediately, permanently delete) a Soft-Deleted Key Vault / Secret during its retention window. Always enable Purge Protection in production (once enabled, it cannot be turned off). This blocks attackers with compromised credentials from completely wiping the Key Vault. A vault with Purge Protection on guarantees the full retention window and becomes your last line of defense for data recovery against threats like ransomware. It is a required setting for production.
How do I network-isolate Key Vault?
The standard for production Key Vaults is to disable the public endpoint and allow access only through a Private Endpoint. Setup: 1) under Network → Firewalls and virtual networks, choose 'Disable public access'; 2) create a Private Endpoint in your VNet (integrated with the privatelink.vaultcore.azure.net Private DNS Zone); 3) resolve from on-prem via VPN / ExpressRoute + Azure DNS Private Resolver. The Selected Networks approach (allow only specific IPs / VNets) is useful combined with Service Endpoints for limited scenarios. For production you should also enable Microsoft Defender for Key Vault (anomalous access pattern detection, threat intelligence) and send Diagnostic Logs to Microsoft Sentinel for audit trails.
Which certifications cover Key Vault?
AZ-204 (Developer Associate, retiring 2026-07) goes deep on retrieving secrets via the Key Vault SDK in domain 3 (Security, 20-25%). AZ-104 (Administrator) covers Key Vault configuration and RBAC; AZ-305 (Solutions Architect Expert) covers secret management strategy in architecture; SC-300 (Identity Admin) covers RBAC + Managed Identity together; SC-100 (Cybersecurity Architect Expert) covers data protection and encryption strategy; DP-300 (DBA) covers TDE Customer-Managed Keys for SQL DB; SC-400 (Information Protection) covers compliance. Understanding Key Vault is a required skill for every application developer and operator working with Azure.
Related articles and deep dives
Azure Managed Identity vs Service Principal 完全比較|認証パターンの選定と実装ベストプラクティス【2026 年版】
Azure の認証エンティティ Managed Identity と Service Principal を完全比較。System-assigned / User-assigned の使い分け、Client Secret vs Certificate vs Workload Identity Federation の選定、AKS Workload Identity、Azure サービス対応状況、関連認定試験 (SC-300 / AZ-204 / AZ-400) を日本語で網羅。実装パターン集付き。
Azure DDoS Protection 完全ガイド|Network/IP Protection・Always On Detection・WAF 組み合わせ【2026 年版】
Azure DDoS Protection の完全ガイド。DDoS Network Protection vs IP Protection vs Infrastructure Protection の使い分け、Always On Detection・Adaptive Tuning・Cost Protection、Application Gateway / Front Door WAF との組み合わせ、Microsoft DRR サポート、関連認定試験 (AZ-700 / SC-100) を日本語で網羅。
Microsoft Defender for Cloud 完全ガイド|CSPM・CWPP・Just-in-Time VM・マルチクラウド保護【2026 年版】
Microsoft Defender for Cloud (旧 Azure Security Center) の完全ガイド。Free Tier vs Defender Plans 選定、Microsoft Secure Score・Just-in-Time VM Access・Vulnerability Assessment・マルチクラウド (AWS/GCP) 対応・Microsoft Sentinel との連携・関連認定試験 (SC-200 / SC-100 / SC-500) を日本語で網羅。
Azure Files 完全ガイド|SMB/NFS・Standard/Premium・Entra Kerberos・Azure File Sync【2026 年版】
Azure Files の完全ガイド。Standard vs Premium ティア選定、SMB vs NFS プロトコル、Active Directory 認証 (オンプレ AD・Entra DS・Entra Kerberos)、Azure File Sync によるハイブリッド、AKS Persistent Volume 利用、セキュリティベストプラクティス、関連認定試験 (AZ-104 / AZ-800) を日本語で網羅。
Technical information in this article is based on the Azure Key Vault Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship relationship. Microsoft, Azure, and Microsoft Entra are trademarks of the Microsoft group of companies. Information is current as of the official public materials available on May 24, 2026. Always check the official pages for the latest details.
Practice with certification-focused question sets
Visit the Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...