Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
5.1.2. Azure Key Vault Security
💡 First Principle: Key Vault centralizes secrets, keys, and certificates. Security requires controlling who can access the vault, what they can do, and how the vault is accessed over the network.
Access Control Models
| Model | Description | Recommendation |
|---|---|---|
| Vault access policy | Permissions granted per principal for the whole vault (one policy set per vault, no per-object scope); managed separately from the rest of Azure | Legacy; keep only on existing vaults that have not yet been migrated |
| Azure RBAC | Role assignments at vault scope or on an individual key, secret, or certificate | Recommended: consistent with the rest of Azure, supports PIM and per-object scope |
The model is a per-vault switch (enableRbacAuthorization). While a vault is in RBAC mode, any remaining access policies are ignored, so migrate the assignments before flipping the switch.
Key Vault RBAC Roles
| Role | Capabilities |
|---|---|
| Key Vault Administrator | All data-plane operations on keys, secrets, and certificates; cannot manage the vault resource itself or its role assignments |
| Key Vault Contributor | Manage the vault resource (control plane) only; under RBAC mode this grants no access to data |
| Key Vault Secrets Officer | All secret operations except managing permissions |
| Key Vault Secrets User | Read secret contents |
| Key Vault Crypto Officer | All key operations (create, import, rotate, delete) except managing permissions |
| Key Vault Crypto User | Use keys for cryptographic operations (encrypt, decrypt, sign, verify, wrap, unwrap); cannot create or delete keys |
| Key Vault Certificates Officer | All certificate operations except managing permissions |
⚠️ Exam Trap: Assigning Key Vault Secrets Officer when the task is key management. Keys, secrets, and certificates each have their own Officer role. To create, import, rotate, or delete keys, use Key Vault Crypto Officer; to merely use an existing key for encrypt/decrypt or sign/verify, Key Vault Crypto User is enough. Secrets Officer manages secrets, not keys.
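The role and scope choices above, as an added example (not code from the MindMesh page): switch a vault to RBAC mode, grant Crypto Officer at vault scope to a key-admin group, grant Crypto User on a single key to the workload that only signs with it, then check the result. The resource group, vault, key, group, and service principal names are assumptions for the example.

```powershell
# Added example (not from the MindMesh page): Key Vault data-plane access with Azure RBAC.
# Assumed names: resource group 'rg-sec-demo', vault 'kv-sec-demo', key 'signing-key',
# Entra group 'sg-kv-key-admins', service principal 'app-signer'. Needs Az.KeyVault + Az.Resources.
$rg        = 'rg-sec-demo'
$vaultName = 'kv-sec-demo'

# 1. Make sure the vault is in RBAC mode; while RBAC is on, vault access policies are ignored.
$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName
if (-not $vault.EnableRbacAuthorization) {
    Update-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -EnableRbacAuthorization:$true | Out-Null
    $vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName
}

# 2. Principals: the team that manages keys, and the workload identity that only needs to sign.
$keyAdmins = Get-AzADGroup -DisplayName 'sg-kv-key-admins'
$signer    = Get-AzADServicePrincipal -DisplayName 'app-signer'

# 3. Least privilege along two axes, role and scope.
#    Crypto Officer at vault scope: create, import, rotate and delete any key in the vault.
#    (This is the role the exam trap is about; Secrets Officer would grant nothing on keys.)
New-AzRoleAssignment -ObjectId $keyAdmins.Id `
    -RoleDefinitionName 'Key Vault Crypto Officer' `
    -Scope $vault.ResourceId | Out-Null

#    Crypto User scoped to ONE key: sign/verify/encrypt/decrypt with that key only.
#    No secret access, no other keys, no delete. Object scope = vault resource ID + /keys/<name>.
$keyScope = "$($vault.ResourceId)/keys/signing-key"
New-AzRoleAssignment -ObjectId $signer.Id `
    -RoleDefinitionName 'Key Vault Crypto User' `
    -Scope $keyScope | Out-Null

# 4. Check. Inherited Owner/Contributor assignments appear here too, but under RBAC mode they
#    carry no data-plane rights, so filter on the Key Vault data roles.
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Where-Object { $_.RoleDefinitionName -like 'Key Vault *' -and
                   $_.RoleDefinitionName -ne 'Key Vault Contributor' } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# The key-scoped assignment is easiest to confirm at its own scope:
Get-AzRoleAssignment -Scope $keyScope -ObjectId $signer.Id |
    Select-Object RoleDefinitionName, Scope
```

If the signing workload later needs to read a connection string as well, that is a second, separate assignment (Key Vault Secrets User on that one secret), not an upgrade of the Crypto role.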
Key Vault Network Security
- Firewall: set the default action to Deny, then allow only specific public IPv4 addresses or CIDR ranges; optionally let trusted Microsoft services bypass the firewall
- Virtual network rules: allow specific subnets, which must have the Microsoft.KeyVault service endpoint enabled
- Private endpoint: reach the vault over a private IP in your VNet via Private Link (DNS zone privatelink.vaultcore.azure.net); combined with public network access disabled, this removes the public endpoint entirely
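The three network controls in order, as an added example (not code from the page): firewall plus VNet rule with a Deny default, then a private endpoint with its private DNS zone, then closing the public endpoint. Vault, VNet, subnet, and resource names are assumptions, and 203.0.113.0/24 (a documentation range) stands in for a real office egress range.

```powershell
# Added example (not from the MindMesh page): lock down a Key Vault's network path.
# Assumed names: vault 'kv-sec-demo' in 'rg-sec-demo', VNet 'vnet-prod', subnet 'snet-app'.
# 203.0.113.0/24 is a documentation range standing in for the allowed office egress IPs.
$rg = 'rg-sec-demo'; $vaultName = 'kv-sec-demo'
$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName

# 1. A VNet rule only works if the subnet has the Microsoft.KeyVault service endpoint.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'
if (@($subnet.ServiceEndpoints | ForEach-Object Service) -notcontains 'Microsoft.KeyVault') {
    $endpoints = @($subnet.ServiceEndpoints | ForEach-Object Service) + 'Microsoft.KeyVault'
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' `
        -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint $endpoints | Out-Null
    $vnet   = $vnet | Set-AzVirtualNetwork
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'
}

# 2. Firewall + VNet rule. DefaultAction Deny is what makes the allow rules mean anything;
#    Bypass AzureServices keeps trusted services (Disk Encryption, Backup, ...) working.
#    This call replaces the whole rule set, so list every rule you want to keep.
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $rg `
    -DefaultAction Deny -Bypass AzureServices `
    -IpAddressRange '203.0.113.0/24' `
    -VirtualNetworkResourceId $subnet.Id

# 3. Private endpoint: a NIC with a private IP in the subnet, linked to the vault ('vault' group ID).
#    If creation is rejected, disable PrivateEndpointNetworkPolicies on the subnet first.
$plsc = New-AzPrivateLinkServiceConnection -Name 'kv-sec-demo-plsc' `
    -PrivateLinkServiceId $vault.ResourceId -GroupId 'vault'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-kv-sec-demo' `
    -Location $vault.Location -Subnet $subnet -PrivateLinkServiceConnection $plsc

#    Private DNS, so kv-sec-demo.vault.azure.net resolves to the private IP inside the VNet.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.vaultcore.azure.net'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name 'link-vnet-prod' -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name 'privatelink-vaultcore' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# 4. Once clients resolve the private IP, close the public endpoint completely
#    (requires a recent Az.KeyVault that exposes -PublicNetworkAccess).
Update-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -PublicNetworkAccess Disabled | Out-Null

# 5. Check the effective configuration.
$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName
$vault.NetworkAcls
$vault.PublicNetworkAccess
```

Test from inside the VNet with `Resolve-DnsName kv-sec-demo.vault.azure.net`: it should return the private endpoint's address. From outside, the same name still resolves to a public IP, but with public access disabled the service refuses the connection regardless of the firewall rules.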
Key Rotation and Backup
- Key rotation: automatic rotation policies exist for keys only; secrets need a custom workflow (for example Event Grid SecretNearExpiry events driving an Azure Function), and certificates auto-renew through an integrated CA
- Backup/Restore: exports an encrypted blob that can only be restored into a vault in the same Azure subscription and geography, so it is not a cross-region DR mechanism
- Soft delete: keeps deleted vaults and objects recoverable for 7 to 90 days (default 90); enabled on every vault and cannot be turned off
- Purge protection: blocks permanent deletion (purge) until the soft-delete retention period expires; once enabled it cannot be disabled
Key Decision: To guarantee that keys cannot be permanently deleted for 60 days, create the vault with a soft-delete retention of 60 days and enable purge protection (purge protection uses the soft-delete retention period). Both settings work on a Standard-tier vault with software-protected keys; the Premium tier (HSM-protected keys) is not required for this and costs more.
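The 60-day decision end to end, as an added example (not code from the page): create a Standard vault with 60-day retention and purge protection, attach an automatic rotation policy to a key, take a backup, then delete the key and show that it is recoverable and cannot be purged. Vault, key, and location names are assumptions.

```powershell
# Added example (not from the MindMesh page): lifecycle controls behind the 60-day decision.
# Assumed names: vault 'kv-sec-demo' in 'rg-sec-demo', key 'signing-key', region 'westeurope'.
$rg = 'rg-sec-demo'; $vaultName = 'kv-sec-demo'; $keyName = 'signing-key'

# 1. Retention is chosen at creation (7-90 days) and purge protection, once on, stays on.
#    Standard SKU is enough: the requirement is about deletion, not HSM-backed key material.
$vault = New-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -Location 'westeurope' `
    -Sku Standard -EnableRbacAuthorization `
    -SoftDeleteRetentionInDays 60 -EnablePurgeProtection

# 2. Software-protected RSA key with an automatic rotation policy (keys only; secrets have
#    no built-in rotation). Rotate 30 days before each 90-day expiry.
Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software -KeyType RSA -Size 2048 | Out-Null
Set-AzKeyVaultKeyRotationPolicy -VaultName $vaultName -Name $keyName -ExpiresIn 'P90D' `
    -KeyRotationLifetimeAction @{ Action = 'Rotate'; TimeBeforeExpiry = 'P30D' }
Get-AzKeyVaultKeyRotationPolicy -VaultName $vaultName -Name $keyName

# 3. Backup: an encrypted blob that only restores into a vault in the same subscription and
#    geography. Keep it for accidental-change recovery, not as a cross-region DR plan.
$blob = Join-Path $env:TEMP "$keyName.blob"
Backup-AzKeyVaultKey -VaultName $vaultName -Name $keyName -OutputFile $blob -Force | Out-Null

# 4. Soft delete + purge protection in action.
Remove-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Force

#    The key is gone from normal listings but still recoverable; ScheduledPurgeDate is
#    DeletedDate + 60 days, the retention chosen above.
Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate

#    An attempt to purge before that date is refused by the service because purge
#    protection is on. This is the property the 60-day requirement actually asks for.
try {
    Remove-AzKeyVaultKey -VaultName $vaultName -Name $keyName -InRemovedState -Force -ErrorAction Stop
    Write-Warning 'Purge succeeded: purge protection is NOT enabled on this vault.'
} catch {
    Write-Host "Purge refused as intended: $($_.Exception.Message)"
}

#    Recover the key; its rotation policy and versions come back with it.
Undo-AzKeyVaultKeyRemoval -VaultName $vaultName -Name $keyName | Out-Null
Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName | Select-Object Name, Enabled, Expires
```

Deleting the whole vault behaves the same way: `Get-AzKeyVault -InRemovedState` lists it for 60 days and `Undo-AzKeyVaultRemoval` brings it back, while `Remove-AzKeyVault -InRemovedState` is refused until the retention period has elapsed.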
Written by Alvin Varughese, Founder, 15 professional certifications