L12. Azure Key Vault
Course outlineLesson 12 of 18
Key Vault stores secrets, keys, and certificates: the AZ-500 exam treats them as three distinct resource types with different access patterns. Understand soft delete, purge protection, access policies vs RBAC, and the HSM tier.
Secrets vs Keys vs Certificates
| Type | What It Stores | Who Uses It |
|---|---|---|
| Secrets | Passwords, connection strings, API keys | Applications that retrieve and use the secret value |
| Keys | Cryptographic keys (RSA, EC) | Applications that encrypt/decrypt using Key Vault: the key never leaves the vault |
| Certificates | X.509 certificates plus private keys | Applications that need TLS certs; Key Vault handles renewal |
Access Models: Vault Access Policies vs RBAC
| Model | Granularity | Recommended |
|---|---|---|
| Vault access policies | Per-vault, per-principal; can grant secret plus key plus cert in one policy | Legacy |
| Azure RBAC | Standard Azure roles on the vault or individual secrets | Recommended |
Soft Delete and Purge Protection
- Soft delete: Deleted objects are retained for 7 to 90 days (configurable). They can be recovered. Enabled by default on new vaults.
- Purge protection: Prevents hard deletion during the soft-delete retention period. Once enabled, it cannot be disabled. Required for vaults used with Customer-Managed Keys (CMK).
Premium Tier: HSM-Backed Keys
Premium Key Vault uses FIPS 140-2 Level 2 hardware security modules to protect key material. Key operations never leave the HSM. Use for regulatory requirements mandating hardware key protection.
- ✓Key operations happen inside Key Vault: key material never leaves. Secrets are returned to the caller
- ✓Azure RBAC and vault access policies are mutually exclusive: pick one per vault
- ✓Soft delete: retains deleted objects 7 to 90 days. Purge protection: prevents hard delete during retention
- ✓Purge protection cannot be disabled once enabled: required for Customer-Managed Keys (CMK) scenarios
- ✓Premium tier uses FIPS 140-2 Level 2 HSMs: use when regulations mandate hardware key protection
1. What is the key difference between Key Vault 'secrets' and Key Vault 'keys'?
2. Azure Key Vault soft-delete is enabled. An administrator accidentally deletes a secret. What is the correct recovery procedure?
3. You need fine-grained per-secret access control in Key Vault. Which permission model should you use?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.