Cyber Intelligence
Compute, Storage & Data · 25% of exam

L12. Azure Key Vault

Course outlineLesson 12 of 18

Key Vault stores secrets, keys, and certificates: the AZ-500 exam treats them as three distinct resource types with different access patterns. Understand soft delete, purge protection, access policies vs RBAC, and the HSM tier.

Secrets vs Keys vs Certificates

TypeWhat It StoresWho Uses It
SecretsPasswords, connection strings, API keysApplications that retrieve and use the secret value
KeysCryptographic keys (RSA, EC)Applications that encrypt/decrypt using Key Vault: the key never leaves the vault
CertificatesX.509 certificates plus private keysApplications that need TLS certs; Key Vault handles renewal
Key difference: When you use a Key, the cryptographic operation happens inside Key Vault. Your application sends data to Key Vault and receives the result: the key material never leaves. With a Secret, the value is returned to your application.

Access Models: Vault Access Policies vs RBAC

ModelGranularityRecommended
Vault access policiesPer-vault, per-principal; can grant secret plus key plus cert in one policyLegacy
Azure RBACStandard Azure roles on the vault or individual secretsRecommended
Azure RBAC roles for Key Vault: Key Vault Secrets Officer (read/write secrets), Key Vault Secrets User (read-only), Key Vault Administrator (full control), Key Vault Crypto User (use keys for operations), Key Vault Crypto Officer (manage keys). Exam tip: Azure RBAC and vault access policies cannot both be enabled on the same vault: you must choose one.

Soft Delete and Purge Protection

  • Soft delete: Deleted objects are retained for 7 to 90 days (configurable). They can be recovered. Enabled by default on new vaults.
  • Purge protection: Prevents hard deletion during the soft-delete retention period. Once enabled, it cannot be disabled. Required for vaults used with Customer-Managed Keys (CMK).

Premium Tier: HSM-Backed Keys

Premium Key Vault uses FIPS 140-2 Level 2 hardware security modules to protect key material. Key operations never leave the HSM. Use for regulatory requirements mandating hardware key protection.

Exam Focus Points
  • Key operations happen inside Key Vault: key material never leaves. Secrets are returned to the caller
  • Azure RBAC and vault access policies are mutually exclusive: pick one per vault
  • Soft delete: retains deleted objects 7 to 90 days. Purge protection: prevents hard delete during retention
  • Purge protection cannot be disabled once enabled: required for Customer-Managed Keys (CMK) scenarios
  • Premium tier uses FIPS 140-2 Level 2 HSMs: use when regulations mandate hardware key protection
Knowledge Check

1. What is the key difference between Key Vault 'secrets' and Key Vault 'keys'?

2. Azure Key Vault soft-delete is enabled. An administrator accidentally deletes a secret. What is the correct recovery procedure?

3. You need fine-grained per-secret access control in Key Vault. Which permission model should you use?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available