Azure

Azure Key Vault Complete Guide: Secret/Key/Certificate Management, Managed Identity Integration, Security Best Practices

2026-05-24
NicheeLab Editorial Team

Azure Key Vault is a Microsoft-managed secrets management service that centrally stores Secrets (passwords, connection strings, API keys), Keys (cryptographic keys), and Certificates (TLS certificates). It is the foundational service for building secretless apps on Azure: applications eliminate hardcoded credentials and fetch them dynamically via Managed Identity. This article comprehensively covers tier selection, when to use Secrets vs Keys vs Certificates, RBAC, Managed Identity integration, and security best practices.

Tier Selection: Standard vs Premium vs Managed HSM

ItemKey Vault StandardKey Vault PremiumManaged HSM
BackingSoftwareHSM (shared)Dedicated HSM
FIPS certification140-2 Level 2140-2 Level 3140-2 Level 3
SLA99.99%99.9%99.99%
Monthly costA few hundred to a few thousand yen$1 per key + per-operation fees1,000 USD+
Use caseGeneral Secret / Cert managementNeeds HSM-protected keysPCI DSS / HIPAA / fully isolated HSM required

Secret / Key / Certificate

Secret

  • Stores arbitrary strings (passwords, connection strings, API keys, tokens, JSON)
  • Up to 25 KB
  • The most general-purpose; about 80% of new Key Vault use cases are Secrets
  • Versioning (previous versions are kept automatically on update)
  • Activation Date / Expiration Date can be set

Key

  • Stores cryptographic keys (RSA 2048/3072/4096, EC P-256/P-384/P-521, oct AES)
  • Runs Sign / Verify / Encrypt / Decrypt / Wrap / Unwrap operations inside Key Vault (keys cannot be exported)
  • Customer-Managed Key for TDE (Transparent Data Encryption)
  • Customer-Managed Key for SSE (Storage Service Encryption)
  • Customer-Managed Key for Azure Disk Encryption

Certificate

  • Stores X.509 certificates
  • The public portion can be retrieved as a Secret; the private key is stored as a Key
  • Auto Renewal supported (via Let's Encrypt and other CA integrations)
  • Ideal for managing SSL certificates on App Service / Application Gateway

RBAC-Based Access Control

Microsoft's current recommendation is RBAC (Azure Role-Based Access Control)-based authorization. Key Vault Access Policies are the legacy approach.

Key RBAC Roles

  • Key Vault Administrator: full Key Vault permissions (RBAC, Secret, Key, and Certificate operations)
  • Key Vault Reader: metadata read only (cannot read Secret values)
  • Key Vault Secrets Officer: all Secret operations (create, read, update, delete)
  • Key Vault Secrets User: Secret read only (for applications)
  • Key Vault Crypto Officer: all Key operations
  • Key Vault Crypto User: Key cryptographic operations only (Sign / Encrypt, etc.)
  • Key Vault Certificates Officer: all Certificate operations

Choose 'Use RBAC' for new Key Vaults and migrate existing Access Policies-based vaults to RBAC.

Managed Identity Integration Pattern

The standard pattern for modern secretless apps:

  1. Enable a System-assigned or User-assigned Managed Identity on the Azure resource (VM, App Service, Functions, etc.)
  2. Grant the Managed Identity the Key Vault Secrets User role via Key Vault RBAC
  3. Use the Azure Identity SDK (DefaultAzureCredential) in the application
  4. Fetch secrets dynamically with the Key Vault Secret Client (e.g. client.getSecret('db-connection-string'))

This completely removes the need to put connection strings or API keys in App Settings / environment variables, eliminating the risk of leaking secrets through Git commits. It is Microsoft's recommended modern implementation pattern and should be adopted for every new Azure application.

Soft Delete and Purge Protection

FeatureBehaviorStatus
Soft DeleteOn delete, retains for 7-90 days instead of removing immediatelyEnabled by default, cannot be disabled
Purge ProtectionDisables purge (immediate permanent deletion) during the Soft Delete windowRequired in production; once enabled, cannot be disabled

Enabling Purge Protection blocks attackers with compromised credentials from completely wiping a Key Vault. It becomes your last line of defense for data recovery against threats like ransomware. It is a required setting for production.

Network Isolation

The standard for production Key Vaults is to disable the public endpoint and allow access only via a Private Endpoint.

Setup Steps

  1. Under Network → Firewalls and virtual networks, choose 'Disable public access'
  2. Create a Private Endpoint in your VNet
  3. Integrate with the privatelink.vaultcore.azure.net Private DNS Zone (auto-configuration)
  4. From on-prem, resolve via VPN / ExpressRoute + Azure DNS Private Resolver

The Selected Networks approach (allow only specific IPs / VNets) is useful combined with Service Endpoints for limited scenarios. See Private Endpoint vs Service Endpoint for details.

Security Best Practices

  1. Enable Purge Protection (required in production)
  2. Public Access Disable + Private Endpoint
  3. RBAC-based access control (migrate from Access Policies)
  4. Managed Identity authentication (secretless apps)
  5. Microsoft Defender for Key Vault enabled (anomalous access detection)
  6. Send Diagnostic Logs to Microsoft Sentinel
  7. Set Expiration Date on Secrets / Keys / Certificates (regular rotation)
  8. Regular backups (mandatory for BYOK Keys)
  9. Encrypt the Key Vault itself with a Customer-Managed Key (CMK) (Premium only)
  10. Standardize Key Vault naming (include environment, region, and use case)

Automatic Certificate Renewal

The biggest benefit of Key Vault Certificates is automatic renewal.

  • Integrate Key Vault with public CAs (DigiCert, GlobalSign, etc.) to automate certificate purchase and renewal end-to-end
  • Auto-renew free certificates via Let's Encrypt integrations (e.g. open-source Acmebot Function Apps)
  • App Service / Application Gateway can reference certificates directly via Key Vault Reference, with automatic propagation on renewal
  • Expiration alerts (Event Grid notifications when renewal fails)

Pricing

ItemStandard pricingNotes
Secret / Software Key operations$0.03 per 10,000 transactionsStandard usage
HSM Key (Premium only)$1/month per key + $0.15 per 10,000 transactionsFor HSM-protected keys
Certificate operations$3 per certificate (acquisition)Public CA integration
Managed HSM$3.20/hour ≈ $1,000+/monthDedicated HSM

For typical use, Key Vault Standard runs for a few hundred to a few thousand yen per month, so cost is rarely a barrier. Pick Premium only when HSM-protected Keys are required, and consider Managed HSM only when financial or healthcare requirements demand a fully isolated HSM.

Related Certifications

Frequently Asked Questions

What is Azure Key Vault?

Azure Key Vault is a Microsoft-managed secrets management service that centrally stores Secrets (passwords, connection strings, API keys), Keys (cryptographic keys), and Certificates (TLS certificates). It is the foundational service for building 'secretless apps' on Azure: applications eliminate hardcoded credentials and fetch them dynamically via Managed Identity. SLA: 99.99% (Standard) / 99.9% (Premium). Cost is minimal (from a few hundred yen per month). Compliance: FIPS 140-2 Level 2. The Premium tier is HSM (Hardware Security Module) backed and FIPS 140-2 Level 3 compliant. The higher-tier sibling service Managed HSM (dedicated HSM, FIPS 140-2 Level 3, $1,000+/month) is also available.

What is the difference between the Standard and Premium tiers?

Standard: software-backed, cheapest, FIPS 140-2 Level 2 compliant. Provides the standard Key / Secret / Certificate operations and runs for hundreds to a few thousand yen per month. Premium: HSM (Hardware Security Module) backed and FIPS 140-2 Level 3 compliant, required for compliance regimes (finance, healthcare, government). HSM-protected Keys incur extra cost ($1/month per key plus $0.15 per 10,000 operations). Pick Premium only when HSM-protected Keys are required; Standard is enough for Secret / Certificate workloads. The tier above that is Managed HSM (dedicated HSM, FIPS 140-2 Level 3, $1,000+/month) for PCI DSS / HIPAA / SOC2 requirements that demand a fully isolated HSM.

How does Key Vault handle authentication?

Microsoft's current recommendation is RBAC (Azure Role-Based Access Control)-based authorization. Key Vault Access Policies are the legacy approach. RBAC: assign Microsoft Entra ID roles (Key Vault Administrator, Key Vault Secrets User, Key Vault Crypto User, etc.) at the Subscription / RG / Key Vault level, then Managed Identities / Service Principals authenticate. Access Policies (legacy): grant access on individual users / Service Principals inside the Key Vault resource itself; now deprecated. Choose 'Use RBAC' for new Key Vaults and migrate existing Access Policies-based vaults to RBAC. The modern best practice is for applications to authenticate via Managed Identity + an RBAC role.

When should I use Secret vs Key vs Certificate?

Secret: stores arbitrary strings (passwords, connection strings, API keys, tokens, JSON), up to 25 KB; the most general-purpose. Key: stores cryptographic keys (RSA, EC, oct) and runs Sign / Verify / Encrypt / Decrypt / Wrap / Unwrap operations inside Key Vault (keys cannot be exported). Used for TDE (Transparent Data Encryption) Customer-Managed Keys, SSE (Storage Service Encryption), and similar. Certificate: stores X.509 certificates; the public portion is retrievable as a Secret and the private key is stored as a Key. Supports Auto Renewal (via Let's Encrypt and other CA integrations) and is ideal for managing SSL certificates on App Service / Application Gateway. Each is an independent resource with its own endpoint (secrets/keys/certificates) and RBAC roles.

How do Managed Identity and Key Vault work together?

This is the standard pattern for modern secretless apps. Steps: 1) enable a System-assigned or User-assigned Managed Identity on the Azure resource (VM, App Service, Functions, etc.); 2) grant the Managed Identity the Key Vault Secrets User role via Key Vault RBAC; 3) use the Azure Identity SDK (DefaultAzureCredential) in the app; 4) fetch secrets dynamically through the Key Vault Secret Client (e.g. `client.getSecret('db-connection-string')`). This completely removes the need to put connection strings or API keys in App Settings / environment variables, driving the risk of leaking secrets via Git commits to zero. It is Microsoft's recommended modern implementation pattern and should be adopted for every new Azure application.

What are Soft Delete and Purge Protection?

Soft Delete: when a Key Vault or Secret is deleted, it is not removed immediately but retained for 7-90 days (default 90). It enables recovery from accidental deletion and is enabled by default and cannot be disabled. Purge Protection: disables the ability to force-purge (immediately, permanently delete) a Soft-Deleted Key Vault / Secret during its retention window. Always enable Purge Protection in production (once enabled, it cannot be turned off). This blocks attackers with compromised credentials from completely wiping the Key Vault. A vault with Purge Protection on guarantees the full retention window and becomes your last line of defense for data recovery against threats like ransomware. It is a required setting for production.

How do I network-isolate Key Vault?

The standard for production Key Vaults is to disable the public endpoint and allow access only through a Private Endpoint. Setup: 1) under Network → Firewalls and virtual networks, choose 'Disable public access'; 2) create a Private Endpoint in your VNet (integrated with the privatelink.vaultcore.azure.net Private DNS Zone); 3) resolve from on-prem via VPN / ExpressRoute + Azure DNS Private Resolver. The Selected Networks approach (allow only specific IPs / VNets) is useful combined with Service Endpoints for limited scenarios. For production you should also enable Microsoft Defender for Key Vault (anomalous access pattern detection, threat intelligence) and send Diagnostic Logs to Microsoft Sentinel for audit trails.

Which certifications cover Key Vault?

AZ-204 (Developer Associate, retiring 2026-07) goes deep on retrieving secrets via the Key Vault SDK in domain 3 (Security, 20-25%). AZ-104 (Administrator) covers Key Vault configuration and RBAC; AZ-305 (Solutions Architect Expert) covers secret management strategy in architecture; SC-300 (Identity Admin) covers RBAC + Managed Identity together; SC-100 (Cybersecurity Architect Expert) covers data protection and encryption strategy; DP-300 (DBA) covers TDE Customer-Managed Keys for SQL DB; SC-400 (Information Protection) covers compliance. Understanding Key Vault is a required skill for every application developer and operator working with Azure.

Related articles and deep dives

Azure Managed Identity vs Service Principal 完全比較|認証パターンの選定と実装ベストプラクティス【2026 年版】

Azure の認証エンティティ Managed Identity と Service Principal を完全比較。System-assigned / User-assigned の使い分け、Client Secret vs Certificate vs Workload Identity Federation の選定、AKS Workload Identity、Azure サービス対応状況、関連認定試験 (SC-300 / AZ-204 / AZ-400) を日本語で網羅。実装パターン集付き。

Azure DDoS Protection 完全ガイド|Network/IP Protection・Always On Detection・WAF 組み合わせ【2026 年版】

Azure DDoS Protection の完全ガイド。DDoS Network Protection vs IP Protection vs Infrastructure Protection の使い分け、Always On Detection・Adaptive Tuning・Cost Protection、Application Gateway / Front Door WAF との組み合わせ、Microsoft DRR サポート、関連認定試験 (AZ-700 / SC-100) を日本語で網羅。

Microsoft Defender for Cloud 完全ガイド|CSPM・CWPP・Just-in-Time VM・マルチクラウド保護【2026 年版】

Microsoft Defender for Cloud (旧 Azure Security Center) の完全ガイド。Free Tier vs Defender Plans 選定、Microsoft Secure Score・Just-in-Time VM Access・Vulnerability Assessment・マルチクラウド (AWS/GCP) 対応・Microsoft Sentinel との連携・関連認定試験 (SC-200 / SC-100 / SC-500) を日本語で網羅。

Azure Files 完全ガイド|SMB/NFS・Standard/Premium・Entra Kerberos・Azure File Sync【2026 年版】

Azure Files の完全ガイド。Standard vs Premium ティア選定、SMB vs NFS プロトコル、Active Directory 認証 (オンプレ AD・Entra DS・Entra Kerberos)、Azure File Sync によるハイブリッド、AKS Persistent Volume 利用、セキュリティベストプラクティス、関連認定試験 (AZ-104 / AZ-800) を日本語で網羅。

Technical information in this article is based on the Azure Key Vault Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship relationship. Microsoft, Azure, and Microsoft Entra are trademarks of the Microsoft group of companies. Information is current as of the official public materials available on May 24, 2026. Always check the official pages for the latest details.

Check what you learned with practice questions

Practice with certification-focused question sets

Visit the Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.