
Azure Key Vault: AZ-500 Secrets, Keys & Certificates

Key Vault stores secrets, keys, and certificates: the AZ-500 exam treats them as three distinct resource types with different access patterns. Understand soft delete, purge protection, access policies vs RBAC, and the HSM tier.

Microsoft Cloud Solution Architect

Tags: AZ-500, Key Vault, Secrets, Keys, Certificates, HSM, Certification

Secrets vs Keys vs Certificates

| Type | What It Stores | Who Uses It |
|---|---|---|
| Secrets | Passwords, connection strings, API keys | Applications that retrieve and use the secret value |
| Keys | Cryptographic keys (RSA, EC) | Applications that encrypt/decrypt using Key Vault; the key never leaves the vault |
| Certificates | X.509 certificates plus private keys | Applications that need TLS certs; Key Vault handles renewal |

Key difference: When you use a Key, the cryptographic operation happens inside Key Vault. Your application sends data to Key Vault and receives the result: the key material never leaves. With a Secret, the value is returned to your application.

Access Models: Vault Access Policies vs RBAC

| Model | Granularity | Status |
|---|---|---|
| Vault access policies | Per-vault, per-principal; one policy can grant secret, key and certificate permissions together | Legacy |
| Azure RBAC | Standard Azure roles assigned on the vault or on individual secrets | Recommended |

Azure RBAC roles for Key Vault:
  • Key Vault Secrets Officer: read/write secrets
  • Key Vault Secrets User: read-only access to secrets
  • Key Vault Administrator: full control
  • Key Vault Crypto User: use keys for cryptographic operations
  • Key Vault Crypto Officer: manage keys

Exam tip: Azure RBAC and vault access policies cannot both be enabled on the same vault; you must choose one permission model.
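The two points above (a Key is only ever used inside the vault while a Secret's value is handed back, and access is gated by the RBAC roles listed) can be seen together in a small in-memory simulation. This is an added example, not code from the article or from the Azure SDK: the role-to-operation mapping is a hypothetical reading of the one-line role descriptions above, and HMAC-SHA256 stands in for RSA/EC signing so the script runs with the standard library only.

```python
# Added example: an in-memory model of Key Vault's secret/key distinction and
# of the RBAC roles described in the article. It is a simulation, not the Azure API.
import hashlib
import hmac
import secrets as _rand  # renamed so it is not confused with vault "secrets"

# Hypothetical role -> permitted operations, derived from the article's role descriptions.
ROLE_OPERATIONS = {
    "Key Vault Administrator": {"get_secret", "set_secret", "create_key", "sign", "verify"},
    "Key Vault Secrets Officer": {"get_secret", "set_secret"},
    "Key Vault Secrets User": {"get_secret"},
    "Key Vault Crypto Officer": {"create_key"},
    "Key Vault Crypto User": {"sign", "verify"},
}


class Forbidden(PermissionError):
    """Raised when a principal's roles do not include the requested operation."""


class SimulatedVault:
    def __init__(self):
        self._secrets = {}      # name -> value; values ARE returned to callers
        self._keys = {}         # name -> key bytes; never returned by any method
        self._assignments = {}  # principal -> set of role names

    def assign_role(self, principal, role):
        self._assignments.setdefault(principal, set()).add(role)

    def _authorize(self, principal, operation):
        roles = self._assignments.get(principal, set())
        allowed = set().union(*(ROLE_OPERATIONS[r] for r in roles))
        if operation not in allowed:
            raise Forbidden(f"{principal} is not allowed to {operation}")

    # --- Secrets: the value leaves the vault ---
    def set_secret(self, principal, name, value):
        self._authorize(principal, "set_secret")
        self._secrets[name] = value

    def get_secret(self, principal, name):
        self._authorize(principal, "get_secret")
        return self._secrets[name]

    # --- Keys: only the result of the operation leaves the vault ---
    def create_key(self, principal, name):
        self._authorize(principal, "create_key")
        self._keys[name] = _rand.token_bytes(32)
        return name  # the caller gets a handle, never the key bytes

    def sign(self, principal, key_name, data):
        self._authorize(principal, "sign")
        return hmac.new(self._keys[key_name], data, hashlib.sha256).digest()

    def verify(self, principal, key_name, data, signature):
        self._authorize(principal, "verify")
        expected = hmac.new(self._keys[key_name], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def demo():
    """Exercise the model with two principals; returns a dict of observed outcomes."""
    v = SimulatedVault()
    v.assign_role("app-identity", "Key Vault Secrets User")
    v.assign_role("app-identity", "Key Vault Crypto User")
    v.assign_role("platform-admin", "Key Vault Administrator")

    # Constructed sample values, not real credentials.
    v.set_secret("platform-admin", "db-conn", "Server=sql.example;Password=constructed")
    v.create_key("platform-admin", "signing-key")

    results = {}
    results["secret_value"] = v.get_secret("app-identity", "db-conn")
    sig = v.sign("app-identity", "signing-key", b"payload")
    results["verify_ok"] = v.verify("app-identity", "signing-key", b"payload", sig)
    results["verify_tampered"] = v.verify("app-identity", "signing-key", b"payl0ad", sig)
    try:
        v.set_secret("app-identity", "db-conn", "overwritten")
        results["secrets_user_can_write"] = True
    except Forbidden:
        results["secrets_user_can_write"] = False
    try:
        v.create_key("app-identity", "another-key")
        results["crypto_user_can_create"] = True
    except Forbidden:
        results["crypto_user_can_create"] = False
    return results


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The point to notice is structural: `get_secret` returns the stored value, while `sign` and `verify` return only the outcome of an operation, and no method on the class ever returns an entry from `_keys`. A principal holding only Key Vault Crypto User can use the key but cannot create one, and a Secrets User can read but not write.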

Soft Delete and Purge Protection

  • Soft delete: Deleted objects are retained for 7 to 90 days (configurable). They can be recovered. Enabled by default on new vaults.
  • Purge protection: Prevents hard deletion during the soft-delete retention period. Once enabled, it cannot be disabled. Required for vaults used with Customer-Managed Keys (CMK).
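The retention window, the recover path and the one-way nature of purge protection are easy to get wrong on the exam, so here is the lifecycle as a small state machine. This is an added example, not code from the article or from Azure: it models only the rules stated above (7 to 90 day retention, recovery within the window, purge blocked while protection is on, protection cannot be disabled once enabled), and the timestamps are constructed.

```python
# Added example: an in-memory model of Key Vault soft delete and purge protection
# as described in the article. It is a simulation, not the Azure API.
from datetime import datetime, timedelta, timezone


class VaultConfigError(ValueError):
    """Raised for configuration that the article's rules do not allow."""


class SoftDeleteVault:
    MIN_RETENTION_DAYS, MAX_RETENTION_DAYS = 7, 90  # range stated in the article

    def __init__(self, retention_days=90, purge_protection=False):
        if not self.MIN_RETENTION_DAYS <= retention_days <= self.MAX_RETENTION_DAYS:
            raise VaultConfigError("soft-delete retention must be between 7 and 90 days")
        self.retention = timedelta(days=retention_days)
        self.purge_protection = purge_protection
        self._live = {}     # name -> value
        self._deleted = {}  # name -> (value, time after which it is gone for good)

    def enable_purge_protection(self):
        self.purge_protection = True

    def disable_purge_protection(self):
        # Once enabled, purge protection cannot be turned off.
        raise VaultConfigError("purge protection cannot be disabled once enabled")

    def set_secret(self, name, value):
        self._live[name] = value

    def delete(self, name, now):
        """Soft delete: the object moves to the deleted set and stays recoverable."""
        value = self._live.pop(name)
        self._deleted[name] = (value, now + self.retention)

    def recover(self, name, now):
        """Restore a soft-deleted object while the retention window is still open."""
        value, expires_at = self._deleted[name]
        if now >= expires_at:
            raise KeyError(f"{name}: retention period has expired")
        del self._deleted[name]
        self._live[name] = value
        return value

    def purge(self, name, now):
        """Hard delete; blocked while purge protection is on and retention is open."""
        _, expires_at = self._deleted[name]
        if self.purge_protection and now < expires_at:
            raise PermissionError(f"purge protection: retained until {expires_at.isoformat()}")
        del self._deleted[name]

    def list_deleted(self):
        return sorted(self._deleted)


def demo():
    """Walk through the lifecycle; returns a dict of observed outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    results = {}

    try:
        SoftDeleteVault(retention_days=3)
        results["retention_3_accepted"] = True
    except VaultConfigError:
        results["retention_3_accepted"] = False

    v = SoftDeleteVault(retention_days=7)
    v.set_secret("api-key", "constructed-value")
    v.delete("api-key", t0)
    results["deleted_listed"] = v.list_deleted()
    results["recovered"] = v.recover("api-key", t0 + timedelta(days=6))

    v.enable_purge_protection()
    try:
        v.disable_purge_protection()
        results["could_disable"] = True
    except VaultConfigError:
        results["could_disable"] = False

    v.delete("api-key", t0)
    try:
        v.purge("api-key", t0 + timedelta(days=1))
        results["purged_in_window"] = True
    except PermissionError:
        results["purged_in_window"] = False
    results["still_recoverable"] = v.recover("api-key", t0 + timedelta(days=2)) == "constructed-value"
    return results


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

Running `demo()` shows the three facts an AZ-500 question typically probes: a 3-day retention is rejected, a deleted object can be recovered inside the window, and with purge protection on the purge call fails while recovery still succeeds.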

Premium Tier: HSM-Backed Keys

Premium Key Vault uses FIPS 140-2 Level 2 hardware security modules to protect key material. Key operations never leave the HSM. Use for regulatory requirements mandating hardware key protection.

Microsoft Cloud Solution Architect

Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
