TTechclick ⚡ XP 0% All lessons
Azure · Secrets · Key VaultInteractive · L1 / L2 / L3

Azure Key Vault: — Getting Secrets, Keys and Certs Out of Your Code

A database password sitting in appsettings.json is one git push away from the whole internet. Azure Key Vault is the managed locker that holds secrets, keys and certificates — and the trick is that an app proves WHO it is (a managed identity) instead of carrying a shared password. This lesson builds that mental model from the ground up.

📅 2026-06-11 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Azure Key Vault for L1/L2 engineers and AZ-500: get secrets/keys/certs out of code, RBAC vs access policies, managed identity + Key Vault references, soft-delete, purge protection and logging.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

The secrets problem

Why a password in code is already a breach.

 2

Access models

RBAC vs access policy; identity, not a shared key.

 3

Keys, certs, lifecycle

HSM keys, rotation, soft-delete, purge, logging.

 4

App integration

Managed identity + reference, done right.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Your app needs a DB password. Where is the SAFEST place to keep it?

Answered in The secrets problem.

2. Who should be able to grant another user read access to your vault's secrets?

Answered in Keys, certs, lifecycle.

3. Someone deletes a production vault by mistake. With the right setting on, what happens?

Answered in Access models.

Most engineers think…

Most engineers first hear "Key Vault" and think it's just "a fancy place to paste my passwords, then I copy them into my app's config." So they store the secret in the vault AND in appsettings.json, and call it secure.

Wrong — copying the secret back into your config defeats the entire point. Key Vault's actual move is identity, not a shared password: your app gets a managed identity that Microsoft Entra ID trusts, you grant that identity a least-privilege role (Key Vault Secrets User, read-only), and the app fetches the secret at runtime over TLS. The secret never touches your code, image, repo or logs — and when you rotate it, nothing redeploys. The locker is the easy part; the no-credential access is the whole idea.

① The secrets-in-code problem — and what Key Vault actually is

Meet Sneha, an L1 cloud engineer at Infosys. On her second day she opens a teammate's web app and finds this in appsettings.json: "ConnectionString": "Server=...;Password=Sup3r!". That one line is the most common security mistake in the cloud. The moment it is committed, the password lives in Git history forever, gets baked into the container image, and shows up in stack traces and CI logs. Rotating it means a code change and a redeploy across every environment.

This is not a hypothetical. Public Git scanners find tens of thousands of live cloud credentials a year, and most real breaches start not with a clever exploit but with a leaked key sitting in a repo or a log file. A hard-coded secret is a single shared password — once anyone sees it, everyone who can reach your database does too.

👉 So far: a secret in code is already a leak waiting to happen. Next: what Key Vault is, and why it stores three different kinds of thing.

Azure Key Vault is the managed locker that fixes this. It stores three object types, and knowing the difference matters because the exam and the job both test it. A secret is any sensitive string — a DB password, an API key, a connection string. A key is a cryptographic key (RSA or EC) used for encrypt/decrypt, sign/verify or wrap/unwrap; in the Premium tier these are HSM-backed so the private key never leaves the hardware. A certificate is an X.509 cert plus its private key, with lifecycle management on top (auto-renewal from an integrated CA).

Figure 1 — Secret in code vs secret in Key Vault
A secret in your code is one git push away from the whole internet; a secret in Key Vault is reached by identity, not a shared password A two-column architecture comparison for the same web app. Left, in red, the database password is hard-coded in appsettings.json, which gets committed to a Git repo, baked into a container image and printed in logs, so anyone with the repo or image has the secret. Right, in green, the password lives only in Azure Key Vault; the App Service has a managed identity that Microsoft Entra ID trusts, the identity is granted the Key Vault Secrets User role, and the app reads the secret at runtime over TLS with no credential stored anywhere. Red marks leaked or untrusted paths, green marks the identity-governed path, amber marks the access decision. Secret in code vs secret in Key Vault — same app, two blast radii Secret hard-coded in config appsettings.json: "Db":"...;Password=Sup3r!" ✗ committed → lives in Git history forever ✗ baked into the container image layer ✗ echoed into stack traces & CI logs Git repo attacker one leaked repo = one shared password = full DB Secret in Key Vault, reached by identity App Servicemanaged identity Key Vaultsecrets · keys · certs Entra ID checks: identity → role? ✓ nothing secret in code, image or logs ✓ role = Key Vault Secrets User (read only) ✓ rotate the secret → no redeploy leak the repo → attacker still has no secret untrusted / leakedtrusted identityaccess decisionkey insightallowed
Read both columns for the same app. Left (red): the password is in config, so a leaked repo or image hands an attacker the whole DB. Right (green): the secret lives only in Key Vault and the app reaches it by identity — leak the repo and the attacker still has nothing.

The four leak paths a hard-coded secret rides

Tap each card — these are the exact paths a password in code escapes to people who shouldn't have it.

🗂️
Git history
tap to flip

Commit it once and it's in history forever; a later 'delete' commit doesn't remove it. So: anyone who clones the repo has it.

📦
Container image
tap to flip

A config secret becomes a permanent image layer. So: every pull of that image — including from a public registry — leaks it.

📜
Logs & traces
tap to flip

Connection strings get printed in stack traces and CI output. So: your log store quietly becomes a password store.

🔁
Rotation pain
tap to flip

Changing a hard-coded secret needs a code change + redeploy everywhere. So: nobody rotates, and old secrets live for years.

Daily-life analogy — the society gate-pass register

A hard-coded password is like writing your flat's door key number on the society gate-pass register that every visitor signs. Anyone who flips back a few pages has it. Key Vault is the building's access-card system instead: the gate doesn't hold a shared key, it checks who you are against a list and opens only for you. Lose your card and the guard revokes just that card — nobody has to re-key every door.

Quick check · Q1 of 10

Rahul at TCS says: "I moved the DB password into Key Vault, but I also left a copy in appsettings.json so the app still works." What's wrong with this?

Correct: b. Key Vault only helps once the secret leaves your code. A copy in appsettings.json still rides every leak path (Git, image, logs). Key Vault absolutely stores passwords (they're 'secrets'); and an environment variable baked into the image leaks just as badly.

Pause & Predict

Predict: if a secret is committed to Git, then deleted in the very next commit, is it safe? Why or why not? Type your guess.

Answer: No. Git keeps full history — the secret is still recoverable from the earlier commit by anyone with the repo. The only safe response is to treat it as compromised and ROTATE the secret (change the actual password/key), not just delete the line. This is exactly why secrets belong in Key Vault, never in a file under version control.

② Access models — RBAC vs access policy, managed identity & network controls

Now the part that decides whether your vault is actually secure: who can read what. Key Vault separates two distinct surfaces. The control plane manages the vault resource (create it, set firewall rules). The data plane is the data inside — reading a secret, using a key. Mixing these up is the #1 confusion on AZ-500, so keep them separate in your head: control plane = the locker; data plane = what's inside it.

For the data plane, Key Vault gives you two authorisation models, and the choice is not cosmetic. Vault access policies are the legacy model: a flat list on the vault granting operations like get/list secrets. Azure RBAC is the modern, recommended model — and starting with Key Vault API version 2026-02-01 it is the default for new vaults, matching the portal. The reason to prefer RBAC is concrete: with access policies, anyone holding Microsoft.KeyVault/vaults/write (such as a Contributor) can add themselves to the policy and read every secret. That is privilege escalation by design.

RBAC fixes that with granular built-in roles you scope at the vault or even a single secret: Key Vault Secrets User (read secret values — what an app needs), Key Vault Secrets Officer (manage secrets), Key Vault Crypto User/Officer (keys), Key Vault Certificate Officer (certs), and Key Vault Administrator (everything — give it to almost nobody). Crucially, granting access now requires Owner or User Access Administrator, so reading and granting are different powers. RBAC also plugs into PIM for time-limited access.

Figure 2 — Vault access policy vs Azure RBAC
Access policies let a Contributor grant themselves data access; Azure RBAC splits that power and is the model Microsoft now defaults to A decision comparison between the two Key Vault access-control models. Left, the legacy Vault access policy model: permissions are a flat per-vault list, anyone with the Microsoft.KeyVault vaults write permission such as a Contributor can add themselves to the access policy and read every secret, and there is no Privileged Identity Management. Right, the Azure RBAC data-plane model, marked recommended and the default from API version 2026-02-01: granular built-in roles like Key Vault Secrets User scoped at the vault or even a single secret, separation between who can grant access and who can read, and integration with PIM for time-limited just-in-time access. A centre arrow shows the migration direction from access policies to RBAC. Vault access policy vs Azure RBAC — which guards your secrets Legacy: Vault access policies ✗ flat per-vault permission list ✗ scope is the whole vault, not one secret ✗ a Contributor can add itself to the policy has Microsoft.KeyVault/vaults/write →grant self get/list secrets → reads all ✗ no PIM / just-in-time access privilege escalation by design still supported — but not the safe default Recommended: Azure RBAC ✓ granular built-in roles Secrets User (read) · Secrets Officer (manage)Crypto User · Certificate Officer · Administrator ✓ scope at vault OR a single secret ✓ granting access needs Owner / UAA ✓ PIM = time-limited, just-in-time read ≠ grant — powers are split default for new vaults from API 2026-02-01 migratepolicy → RBAC escalation riskdecision pointkey insightrecommended
Look at the escalation arrow on the left: a Contributor can grant itself data access under access policies. On the right, RBAC splits 'read' from 'grant' and scopes down to a single secret — the model Microsoft now defaults to.

So how does an app authenticate without a credential to store? With a managed identity. Azure gives your App Service or VM its own identity in Entra ID; you grant that identity the Key Vault Secrets User role; at runtime the platform fetches a short-lived token for it. There is no password, no certificate, nothing for you to keep safe — the credential you would otherwise leak simply does not exist.

▶ Watch an app read a secret with zero stored credentials

An App Service at Flipkart needs the DB password. Follow the token and the authorisation decision step by step — notice no password is ever sent. Press Play for the healthy path, then Break it to see the failure.

① Ask for tokenApp Service (managed identity) → Entra ID: token for vault.azure.net
② Get tokenEntra ID returns a short-lived OAuth token — no password involved
③ Call vaultapp → Key Vault GET /secrets/db-password over TLS, presenting the token
④ AuthoriseKey Vault checks RBAC: does this identity hold Key Vault Secrets User? then firewall
Press Play to step through the healthy path. Then press Break it.
Azure CLI — grant an App Service's managed identity read-only access via RBAC
# get the app's managed-identity principal id
PID=$(az webapp identity show -g rg-shop -n shop-api --query principalId -o tsv)

# scope the role to THIS vault only (least privilege)
az role assignment create \
  --assignee "$PID" \
  --role "Key Vault Secrets User" \
  --scope "/subscriptions/aaaa1111-2222-3333-4444-bbbb55556666/resourceGroups/rg-shop/providers/Microsoft.KeyVault/vaults/kv-shop-prod"
Expected output
{
  "principalId": "7f3c9d2e-1a4b-4c8e-9f0a-2b6d1e8c4a90",
  "roleDefinitionId": ".../4633458b-17de-408a-b874-0445c86b69e6",
  "roleDefinitionName": "Key Vault Secrets User",
  "scope": ".../vaults/kv-shop-prod"
}
Common mistake — "works on my laptop, 403 Forbidden in App Service"

Symptom: your code reads the secret fine locally (you're signed in as yourself) but in App Service you get 403 (Forbidden) ForbiddenByRbac or AKV10032 invalid issuer. Cause: the App Service's managed identity is turned on but has no role on the vault — your laptop succeeded because your account had access, not the app's. Fix: enable the system-assigned identity (Portal → App Service → Identity → System assigned → On) and assign it Key Vault Secrets User scoped to the vault. The role can take a few minutes to propagate.

Identity is half the story; the other half is the network. A vault on the public internet, even with perfect RBAC, is still reachable by every IP on earth to attempt access. Lock the door with the vault firewall, a private endpoint (so traffic stays on your VNet), or service endpoints, and then set public network access = Disabled. One real gotcha: disabling public access also locks you out of the portal unless you keep a management IP allowed or route through the private endpoint.

Quick check · Q2 of 10

Priya at Wipro must give a new web app read-only access to one secret, and ensure a Contributor on the resource group can't quietly grant themselves the same access. Which approach fits?

Correct: c. RBAC scopes the app to read-only (Secrets User) and separates 'grant' from 'read' — a Contributor can't add itself to data access the way it could under access policies. Administrator is far too broad; access policies are exactly the model that allows the self-grant escalation; env vars put the secret back in the leak path.

Pause & Predict

Predict: under Vault access policies, why is a user with the 'Key Vault Contributor' role a privilege-escalation risk even if they were never granted data access? Type your guess.

Answer: Because Key Vault Contributor (and anything with Microsoft.KeyVault/vaults/write) can MODIFY the access policy on the vault. So they can simply add their own identity to the policy with get/list secret permissions and then read everything — no one needs to grant them data access; they grant it to themselves. Azure RBAC closes this: changing role assignments requires Owner or User Access Administrator, which is a separate, higher bar.

③ Keys, certs & lifecycle — HSM, rotation, soft-delete, purge & logging

Secrets are just strings; keys and certificates are where Key Vault earns the 'vault' in its name. A key in the Standard tier is software-protected (types RSA, EC, oct). In the Premium tier you get HSM-backed keys (RSA-HSM, EC-HSM, oct-HSM) — the private key is created inside, and never leaves, the hardware module. You'd pick HSM keys for customer-managed encryption keys, compliance mandates, or anything where 'the key can't be exported, even by an admin' is a hard requirement.

Long-lived secrets are a liability, so Key Vault automates rotation. Keys support an automatic rotation policy (rotate N days after creation or before expiry; minimum interval 7 days), and you can also rotate on demand with az keyvault key rotate. Microsoft's baseline is to rotate encryption keys at least every two years, more often for sensitive workloads. Key Vault versions every object automatically, so a new version doesn't break data already encrypted with the old one.

Certificates get the most automation. Create a cert with an integrated CA (DigiCert or GlobalSign) and Key Vault handles end-to-end renewal — by default it auto-renews at 80% of the certificate's lifetime, configurable in the Issuance Policy as a 'Lifetime Action Type'. Services like App Service, Application Gateway and Front Door then pick up the new version automatically (usually within 24 hours, no restart). The classic outage this prevents: a TLS cert silently expiring on a Friday and taking the site down.

👉 So far: software vs HSM keys, and automatic rotation/renewal. Next: the two settings that decide whether a deleted secret is recoverable — and whether an attacker can destroy it.

Two safety nets you must understand cold for AZ-500. Soft-delete is ON by default and cannot be disabled; the retention window is 7–90 days (default 90) and is fixed at vault creation. Purge protection is the stronger sibling: with it on, a soft-deleted object cannot be purged early by anyone — admin or attacker — until retention elapses. Purge protection is not on by default, and once you enable it you can't turn it back off. That irreversibility is the point: it stops a 'delete then purge' ransom/destruction attack.

Figure 3 — How a managed identity reads a secret, and where it's logged
A managed identity gets a token from Entra ID, then Key Vault checks the role before it ever hands back the secret A request-and-decision flow for an App Service reading a secret. Step 1 the app, using its system-assigned managed identity, asks Microsoft Entra ID for an access token scoped to vault.azure.net. Step 2 Entra ID returns a short-lived OAuth token. Step 3 the app calls the Key Vault data plane GET secret over TLS, presenting the token. Step 4 Key Vault authorises against Azure RBAC, checking whether that identity holds the Key Vault Secrets User role at vault scope, then checks the firewall and private endpoint rules. Step 5 if allowed, the secret value is returned; the access is written to the AuditEvent log and flows to Microsoft Sentinel. An amber diamond marks the authorisation decision, where over-broad RBAC or an open firewall would be the weak link. No password sent — a token is, and the role decides App Servicemanaged identity, no creds Microsoft Entra IDissues OAuth token Key Vaultdata plane (TLS) 1· token please (scope vault.azure.net) 2· short-lived OAuth token 3· GET /secrets/db-password + token (TLS) 4· RBAC?Secrets User role + firewall / private endpoint check 5· allowed → secret value returnedapp builds the DB connection in memory every GET is loggedAuditEvent → Log Analytics → Sentinel untrusted / attackertrusted / TLSaccess decisionkey insightallowed
Follow the numbered arrows: the app gets a token (1–2), calls the vault with it (3), Key Vault authorises against RBAC + network (4), then returns the secret and writes the access to the audit log (5). The amber diamond is where over-broad RBAC would bite.
Azure CLI — turn a soft-deleted vault from 'gone' into 'recoverable', and harden it
# soft-delete is already ON by default; recover a vault someone deleted
az keyvault recover --name kv-shop-prod

# make destruction impossible until retention elapses (one-way switch)
az keyvault update --name kv-shop-prod -g rg-shop --enable-purge-protection true

# stream every secret/key/cert access to Log Analytics for Sentinel
az monitor diagnostic-settings create --name kv-audit \
  --resource $(az keyvault show -n kv-shop-prod --query id -o tsv) \
  --logs '[{"category":"AuditEvent","enabled":true}]' \
  --workspace law-soc-prod
Expected output
{
  "name": "kv-shop-prod",
  "properties": {
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enablePurgeProtection": true
  }
}
Prove the vault is actually hardened, not just 'created'

Three quick checks before you call a vault production-ready. 1) az keyvault show -n <vault> --query "properties.enablePurgeProtection" returns true. 2) --query "properties.enableRbacAuthorization" returns true (RBAC, not legacy policies). 3) A diagnostic setting with category AuditEvent exists and points at your Log Analytics workspace — without it, you have no record of who read which secret when, and Sentinel sees nothing.

Karthik at ICICI faces this

Karthik, an L1 on the cloud SOC, gets an alert: a production Key Vault was deleted at 02:14. Panic — it held the certs for the payments API.

Likely cause

A misfired Terraform destroy removed the vault. But soft-delete is ON by default (90-day retention), so the vault and its contents are not actually gone — they're in a soft-deleted state, recoverable.

Diagnosis

He confirms the vault is recoverable rather than purged, and checks whether purge protection would have blocked an attacker from finishing the job.

Azure Portal → Key Vaults → Manage deleted vaults (or CLI: az keyvault list-deleted)
Fix

Recover the vault with az keyvault recover --name kv-pay-prod; the certificates and their versions come back intact. Then turn ON purge protection so a future delete can't be followed by an early purge.

Verify

az keyvault show -n kv-pay-prod returns the vault; the payments cert versions are listable again; enablePurgeProtection is now true, so the same incident can't end in permanent loss.

Quick check · Q3 of 10

Meera is asked: "An attacker with admin rights deletes our vault AND tries to purge it so we can't recover. Which single setting stops the permanent destruction?"

Correct: d. Soft-delete makes the delete recoverable, but on its own a privileged attacker can PURGE the soft-deleted vault immediately and destroy it. Purge protection is what removes that early-purge ability entirely until retention expires. Backups and RBAC help broadly but don't specifically block the purge step.

Pause & Predict

Predict: you enabled purge protection on a test vault, then want to delete the vault and immediately reuse its exact name for a new one. Why might that fail? Type your guess.

Answer: Because purge protection means the deleted vault stays in soft-deleted state for the full retention window and you can't purge it early to free the name. Vault names are globally unique, so until retention elapses (or you recover it), the name is taken. This is a real gotcha in CI/CD that spins up and tears down vaults — use unique names or a vault you don't purge, and never enable purge protection casually on throwaway test vaults.

④ App integration done right — managed identity, references, gotchas & the cheat-sheet

Time to put it together the way you'll actually ship it. A web app needs a database password. The wrong way you've now seen. The right way has three moves: (1) store the password as a secret in Key Vault, (2) give the App Service a managed identity with the Key Vault Secrets User role, and (3) point the app's config at the vault with a Key Vault reference. The app code reads the same app setting it always did — but the value now comes from the vault.

The reference syntax is the one string to memorise: @Microsoft.KeyVault(SecretUri=https://kv-shop-prod.vault.azure.net/secrets/db-password/). Drop that as the value of an app setting (say DB_PASSWORD) and App Service resolves it from the vault using the app's managed identity — your code just reads DB_PASSWORD like any environment variable, never knowing it came from Key Vault. The big payoff: rotate the secret in the vault and the app picks up the new value with no redeploy (leave off the version in the URI so it always tracks 'latest').

🖥️ Step 1 — create the secret. Azure Portal → Key Vaults → kv-shop-prod → Objects → Secrets → + Generate/Import. (Recreated for clarity — your console matches this.)
portal.azure.com · Key Vault · Secrets · Create a secret
1
Upload options
Manual
2
Name
db-password
3
Secret value
•••••••••••• (paste; never typed in code)
Content type (optional)
text/db-connection
Set activation date
(off)
4
Set expiration date
2027-06-11
Enabled
Yes
Create
🖥️ Step 2 — grant access the RBAC way. Key Vault → Access control (IAM) → + Add → Add role assignment, then assign to the app's managed identity. (Recreated for clarity.)
portal.azure.com · Key Vault · Access control (IAM) · Add role assignment
1
Role
Key Vault Secrets User
2
Assign access to
Managed identity
3
Members
shop-api (App Service)
4
Scope
This resource (kv-shop-prod)
Review + assign
Azure CLI — create the secret + wire the App Service reference (no secret in code)
# 1) put the password in the vault
az keyvault secret set --vault-name kv-shop-prod \
  --name db-password --value 'P@ss-from-secure-source'

# 2) app reads it via a Key Vault reference (resolved by managed identity)
az webapp config appsettings set -g rg-shop -n shop-api --settings \
  DB_PASSWORD='@Microsoft.KeyVault(SecretUri=https://kv-shop-prod.vault.azure.net/secrets/db-password/)'
Expected output
[
  {
    "name": "DB_PASSWORD",
    "value": "@Microsoft.KeyVault(SecretUri=https://kv-shop-prod.vault.azure.net/secrets/db-password/)",
    "slotSetting": false
  }
]
# Portal shows a green 'Key Vault Reference' resolved tick once the role propagates
Common mistake — the reference shows a red 'X' / the app still can't read it

Symptom: in App Service → Configuration the setting shows Key Vault Reference with a red error, and the app falls back to an empty value. Three usual causes, in order: (1) the managed identity isn't turned on; (2) it has no Key Vault Secrets User role on that vault; (3) the vault firewall blocks App Service (you set public access = Disabled but never added the app's outbound IPs or a private endpoint / 'trusted services' exception). Fix them in that order and the tick goes green.

Figure 4 — Azure Key Vault — the cheat-sheet
Azure Key Vault on one card — the three object types, RBAC vs policy, soft-delete and purge, the App Service reference, and the first CLI commands A nine-tile cheat sheet for Azure Key Vault. Tiles cover the three object types secrets keys and certificates, the RBAC versus access-policy choice, managed identity access, the App Service Key Vault reference syntax, software versus HSM keys, soft-delete and purge protection, network controls, the secure-vault checklist, and the first Azure CLI commands. Each tile carries a one-line takeaway. Azure Key Vault — your one-glance card 3 object typessecrets (strings) · keys (crypto)certificates (X.509 + private key)one store, governed by identity RBAC > access policyRBAC = granular, PIM, per-secretpolicy = flat, escalation riskRBAC default from API 2026-02-01 Managed identityapp gets a token, no stored credsrole: Key Vault Secrets User (read)least privilege, not Administrator App Service reference@Microsoft.KeyVault(SecretUri=https://kv.vault.azure.net/secrets/db/)no secret in code; rotate w/o redeploy Software vs HSM keysStandard = software (RSA/EC/oct)Premium = HSM (RSA-HSM…)HSM keys never leave the boundary Soft-delete + purgesoft-delete ON, 7–90d (default 90)purge protection = can't destroyonce on, can't be turned off Network controlsfirewall + private endpointdisable public network accesskeep one mgmt IP or you lock out Secure-vault checklistRBAC · least-priv role · MIpurge ON · private net · logs onexpiry + rotation on every object First CLI commandsaz keyvault secret setaz role assignment createaz keyvault update --enable-purge…
Your one-card map of this whole lesson — the three object types, RBAC vs policy, managed identity, the App Service reference string, software vs HSM keys, soft-delete + purge, network controls, the secure-vault checklist, and the first CLI commands. Keep it open in week one and before any AZ-500 question on Key Vault.

For your certification path, this lesson maps straight onto AZ-500 (Microsoft Azure Security Technologies) — specifically the 'Secure data and applications' area, objective 'configure and manage Azure Key Vault': access (RBAC vs access policies), managing secrets/keys/certificates, key rotation, soft-delete and purge protection, and backup/recovery. Nail the RBAC-vs-policy distinction and the soft-delete/purge pair and you've covered the highest-frequency Key Vault questions on the exam. Career-wise, this is daily bread for any Azure security or cloud-support role in India.

RBAC role vs the job it does — match them fast

Tap each card — interviewers love asking 'which role would you give X?' Least privilege means picking the smallest one that works.

📖
Secrets User
tap to flip

Read secret VALUES — exactly what an app's managed identity needs. So: the default for workloads, nothing more.

✏️
Secrets Officer
tap to flip

Create/update/delete secrets. So: for the human or pipeline that MANAGES secrets, not the app that reads them.

🔐
Crypto User
tap to flip

Use keys (sign/wrap/decrypt) but not manage them. So: for an app doing crypto, not key administration.

🚫
Administrator
tap to flip

Full data-plane control over everything. So: give to almost nobody — it's the broadest blast radius.

Prove you own Key Vault

Cold, in 45 seconds: name the three object types (secrets, keys, certs); say why RBAC beats access policies (granular, per-secret scope, read≠grant, PIM, no Contributor self-grant); explain how an app reads a secret with no stored credential (managed identity + Key Vault reference); and state what soft-delete vs purge protection each guarantee. If you can do that without notes, you're ready for the next lesson and the AZ-500 Key Vault objective.

Related: Azure NSGs vs Azure FirewallNext: GCP IAM — least privilege the Google way
Quick check · Q4 of 10

An interviewer asks Arjun: "How does your web app get its DB password at runtime without any secret in the code or pipeline?" Best answer?

Correct: a. Managed identity + Key Vault reference means the secret lives only in the vault and resolves at runtime — nothing secret in code, image, repo or pipeline, and rotation needs no redeploy. Encrypting still ships ciphertext (and the key) in config; a pipeline variable still injects the value into config/logs; restricting the repo doesn't stop image/log leaks.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Azure docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In Azure Key Vault, which RBAC role gives an application's managed identity the least privilege it needs to READ a secret value and nothing more?

Correct: b. Key Vault Secrets User grants read access to secret values — exactly what a workload needs, nothing more. Administrator is full data-plane control (too broad); Key Vault Contributor is a control-plane/management role (and under access policies a self-grant risk); Owner can manage everything including access — all violate least privilege.
Q6 · Apply

A web app at Zomato must read its DB password from Key Vault with no secret in the code or pipeline, and rotating the password must not require a redeploy. What do you configure?

Correct: a. Managed identity + unversioned Key Vault reference keeps the secret only in the vault and tracks 'latest', so rotation needs no redeploy. Encrypting still ships ciphertext+key in config; a deploy-time variable bakes the value into config; Administrator wildly over-privileges the app.
Q7 · Apply

You're creating a production vault and must ensure a deleted secret is recoverable AND that an attacker with admin rights can't permanently destroy it before retention ends. Which two settings do you rely on?

Correct: d. Soft-delete makes the delete recoverable for the retention window; purge protection removes the ability to purge it early, so even a privileged attacker can't finish the destruction. Backups/locks help generally but don't block the purge step; access policies aren't a deletion safeguard; a service endpoint is a network control, not a recovery one.
Q8 · Analyze

Under the legacy Vault access policy model, a user holds only the 'Key Vault Contributor' role and was never granted data access. Why are they still a privilege-escalation risk, and how does Azure RBAC remove it?

Correct: c. Key Vault Contributor can modify the access policy (vaults/write), so the user can grant themselves get/list and read everything — escalation without anyone granting them access. RBAC fixes this by making role assignment a separate, higher privilege (Owner/UAA). Contributor doesn't itself include data get/list; and the issue is self-grant, not purge.
Q9 · Analyze

An App Service reads a secret fine when you run the code locally signed in as yourself, but in Azure it returns 403 ForbiddenByRbac. RBAC is enabled on the vault. What's the most likely root cause?

Correct: b. Local success used your user account's access; in Azure the app authenticates as its managed identity, which needs its own role assignment. No identity or no Secrets User role → 403. Expiry would give a different error; purge protection only affects deletion, not reads; region difference doesn't cause an RBAC 403.
Q10 · Evaluate

Two designs for an app to get its DB password: (A) encrypt the password and commit the ciphertext plus the decryption key in the repo's config; (B) store the password in Key Vault and read it via a managed identity with Key Vault Secrets User and an unversioned Key Vault reference. Which is stronger and why?

Correct: d. B removes the secret from every leak path and authenticates by identity, not a stored credential; a leaked repo/image gives an attacker nothing usable, and rotation is decoupled from deploys. A commits both ciphertext AND the decryption key, so the repo leak hands over everything — encryption you can decrypt with a co-located key is not protection.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, how does a web app read a database password from Key Vault without any secret living in its code, image or pipeline? Then compare to the expert version.

Expert version: It uses a managed identity (an Entra-managed credential Azure rotates and you never store) granted the Key Vault Secrets User role, plus a Key Vault reference app setting (@Microsoft.KeyVault(SecretUri=...)) that App Service resolves at runtime — so the password exists only in the vault and is fetched on demand over TLS.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Azure Key Vault
Managed store for secrets, keys and certificates, with access governed by Microsoft Entra identity rather than a shared password.
Secret
Any sensitive string an app needs at runtime — DB password, API key, connection string. Stored and versioned in Key Vault.
Key
A cryptographic key (RSA/EC/oct) for encrypt, sign or wrap operations. HSM-backed in the Premium tier.
Certificate
An X.509 certificate plus its private key, with lifecycle management (auto-renewal from an integrated CA) on top.
Managed identity
An identity Azure creates and manages for a resource; its credential is auto-rotated and never stored by you. Used to authenticate to Key Vault with no password.
Azure RBAC
Role-based access control: granular built-in roles assigned at a scope. The recommended Key Vault data-plane model; default for new vaults from API 2026-02-01.
Vault access policy
Legacy authorization model — a flat per-vault permission list. Carries a privilege-escalation risk because a Contributor can self-grant data access.
Key Vault Secrets User
Built-in RBAC role that grants read access to secret values — the least-privilege role an app's managed identity should hold.
Key Vault reference
An app-setting value @Microsoft.KeyVault(SecretUri=...) that App Service/Functions resolves from Key Vault at runtime, so the real value never sits in config.
Soft-delete
Deleting an object/vault only marks it deleted; it stays recoverable for 7–90 days (default 90). ON by default, can't be disabled.
Purge protection
While on, a soft-deleted object/vault can't be purged early by anyone — admin or attacker — until retention elapses. Optional and irreversible once enabled.
HSM-backed key
A key generated and held inside a FIPS 140-3 Level 3 hardware module (Premium tier); the private key never leaves the hardware in plaintext.
Integrated CA
A Certificate Authority (DigiCert or GlobalSign) partnered with Key Vault so it can request and auto-renew TLS certs for you.
Private endpoint
A private IP for the vault inside your VNet so data-plane traffic never crosses the public internet — the strongest network control.

📚 Sources

  1. Microsoft Learn — "Azure RBAC vs. access policies" (RBAC is the recommended Key Vault authorization model; access-policy escalation risk via Microsoft.KeyVault/vaults/write; granting needs Owner/User Access Administrator; PIM integration). learn.microsoft.com/azure/key-vault/general/rbac-access-policy
  2. Microsoft Learn — "Prepare for Key Vault API version 2026-02-01 and later — Azure RBAC as default" + "Azure Key Vault soft-delete" (RBAC default for new vaults; soft-delete ON by default, 7–90 day retention default 90, set at creation; purge protection optional, not default, irreversible). learn.microsoft.com/azure/key-vault/general/access-control-default · learn.microsoft.com/azure/key-vault/general/soft-delete-overview
  3. Microsoft Learn — "Use Key Vault references as app settings (App Service)" + "Authenticate to Azure Key Vault" (reference syntax @Microsoft.KeyVault(SecretUri=...); managed identity needs Key Vault Secrets User; no credential stored; rotation without redeploy). learn.microsoft.com/azure/app-service/app-service-key-vault-references
  4. Microsoft Learn — "About Azure Key Vault" + "Configure cryptographic key auto-rotation" + "Configure certificate autorotation" (Standard software vs Premium HSM keys RSA-HSM/EC-HSM, FIPS 140-3 Level 3; key rotation policy min 7 days; cert auto-renew at 80% lifetime via DigiCert/GlobalSign Issuance Policy). learn.microsoft.com/azure/key-vault/general/overview · learn.microsoft.com/azure/key-vault/certificates/tutorial-rotate-certificates
  5. Microsoft Community Hub / Microsoft Defender for Cloud blog — "Protecting Your Azure Key Vault: Why Azure RBAC Is Critical for Security" + "Cloud forensics: why enabling Azure Key Vault logs matters" (real-world access-policy self-grant escalation, identity-chaining via over-broad managed-identity roles, AuditEvent diagnostic logs to Log Analytics/Sentinel). techcommunity.microsoft.com/blog/microsoftdefendercloudblog/protecting-your-azure-key-vault-why-azure-rbac-is-critical-for-security/4407848
  6. Microsoft Learn — Exam AZ-500: Microsoft Azure Security Technologies study guide ("Secure data and applications" → configure and manage Azure Key Vault: access RBAC vs policies, secrets/keys/certs, key rotation, soft-delete, purge protection, backup/recovery). learn.microsoft.com/credentials/certifications/resources/study-guides/az-500

What's next?

You've seen how Azure proves WHO an app is and gives it least-privilege access to secrets. Google Cloud solves the same problem with a different mental model — members, roles and resource-hierarchy inheritance. Next we translate least privilege into GCP IAM, where a single over-broad role on a project can quietly expose everything beneath it.

Next · GCP IAM: Least Privilege the Google Cloud Way → Practice on exam.techclick.in →