Azure Key Vault: Deploy, Access, Firewall, Defender for Key…

Key Vault: the place secrets are supposed to live

Simple explanation

Azure Key Vault is Microsoft’s managed store for the things you must not put in code or config files — secrets (API keys, passwords, connection strings), cryptographic keys (used by applications and Azure services for encryption), and certificates (TLS certs you might also import or auto-renew).

For SC-500, the things that show up over and over are:

How is access controlled? RBAC (recommended) or legacy access policies — pick wisely.
Who can reach the vault over the network? Anyone on the internet, only selected networks, or only private endpoints?
What happens when something is deleted? Soft delete keeps the item recoverable for a configurable period; purge protection prevents an admin from forcing immediate purge.
How do you detect attacks on the vault? Defender for Key Vault watches for unusual access patterns.
How do you find rogue secrets across your subscriptions? Defender Cloud Security Posture Management (Defender CSPM) scans for plaintext secrets at rest in storage, VMs, and code.

Authorisation: RBAC vs access policies

Key Vault authorisation models — RBAC is the SC-500 default; access policies show up only in 'migrate from legacy' questions
Feature	Azure RBAC (recommended)	Vault access policies (legacy)
Authorisation model	Azure Resource Manager role assignments at vault or item scope	Per-principal entry on the vault listing data-plane permissions
Granularity	Built-in and custom RBAC roles; scope to vault, key, secret, or certificate	Coarser — list of allowed actions per principal at vault level
PIM support	Yes — eligible/just-in-time assignment via Microsoft Entra PIM	No — assignments are standing
Audit + management	Standard Azure RBAC view, role assignment APIs, Privileged Access reports	Per-vault list with no unified directory or RBAC-aware tooling
Defender CSPM scoring	Higher CSPM secure score for vaults using RBAC	Lower CSPM secure score; flagged as a recommendation
Microsoft direction	Recommended and required for several modern integrations	Supported for backward compatibility, no new investment
Common roles to know	`Key Vault Administrator`, `Key Vault Secrets Officer`, `Key Vault Secrets User`, `Key Vault Crypto Officer`, `Key Vault Crypto User`, `Key Vault Certificates Officer`, `Key Vault Reader`	Get/List/Set/Delete on Secrets, Get/List/Update/Create on Keys, etc.

Network access patterns

A new Key Vault is reachable from the public internet by default. For production workloads, lock that down:

Public access disabled + Private Endpoint — the highest-assurance pattern. Vault is reachable only over a private IP in a customer virtual network, via private DNS. Requires private DNS zone privatelink.vaultcore.azure.net configured for the consuming VNets (and connected hubs).
Selected virtual networks + IP rules — vault firewall enforces VNet service endpoints and explicit public IP CIDRs. Lower assurance than Private Endpoint but sufficient for many.
Allow trusted Microsoft services — toggle that lets certain Azure first-party services (App Service Environment, Disk Encryption, Backup, etc.) reach the vault even when public access is disabled.

The 'managed identity sees Key Vault from the internet' trap

A common exam trap: “Esme enabled a managed identity on App Service and granted it Key Vault Secrets User, but secrets requests return Forbidden from the Key Vault.” The reader is expected to spot that the vault has the firewall enabled with no allowance for the App Service outbound network.

The right answer depends on the App Service’s network configuration:

If App Service has VNet integration → add the integration subnet to the vault’s selected virtual networks list (with Microsoft.KeyVault service endpoint on the subnet), or move the vault behind a Private Endpoint reachable from the integration subnet.
If App Service has no VNet integration → its outbound traffic uses shared Azure IPs that you generally cannot allowlist by IP. Enabling ‘trusted Microsoft services’ is the documented bypass — App Service is on that list for Premium tier scenarios; for general App Service, VNet integration or Private Endpoint is the right answer.

The exam likes to test whether you can reason about identity + network together. Both must allow the request.

Data protection: soft delete + purge protection

Key Vault has two features that protect against accidental and malicious deletion:

Soft delete — when a vault, key, secret, or certificate is deleted, it enters a “soft deleted” state for a configurable retention period (7–90 days, default 90 for new vaults). A privileged caller can recover the item during that period. Soft delete is mandatory for new vaults — you cannot disable it.
Purge protection — when enabled, no one (not even a tenant admin) can purge a soft-deleted item before the retention period expires. Recovery is the only path forward. Purge protection is a one-way switch — once enabled, you cannot disable it. This is intentional: the protection only matters if it can’t be undone by the same insider you’re protecting against.

For regulated workloads, purge protection is almost always required. The combination of soft delete + purge protection means even a malicious admin can’t permanently destroy keys protecting encryption-at-rest until retention has elapsed — giving you time to detect and respond.

Key, secret, and certificate management

Secrets — opaque binary values up to 25 KB. Versioned automatically. Each version has its own URI; an unversioned URI returns the current version. Expiry and “not before” times can be set; expired secrets fail retrieval. No native rotation — rotation is an external process (Logic App, Functions, or third-party automation) that creates a new version.
Keys — cryptographic keys (RSA, EC, AES, OCT). Software- or HSM-protected (Premium tier). Used for envelope encryption (BYOK, customer-managed keys for Storage / SQL / Cosmos / etc.). Key rotation policies can auto-rotate keys at a defined cadence with no application change (apps reference the unversioned key URI). Defender CSPM flags long-lived keys without rotation policies.
Certificates — managed X.509 certs with their private keys. Can be created via an integrated issuer (DigiCert, GlobalSign — needs publisher account configured) or imported. Auto-renewal is supported when configured with an integrated issuer. Each cert is also exposed as a key (for the private key) and a secret (for the full PFX) — relevant when granting permissions and when retrieving the cert from a workload.

Defender for Key Vault — threat protection

Defender for Key Vault is a Defender for Cloud workload protection plan that monitors Key Vault for:

Unusual access patterns (volume, geography, identity)
Suspicious application access (known-bad client IDs)
Anomalous key/secret access by managed identities or service principals
Defender XDR correlation with broader incidents (e.g. a compromised identity that then accessed Key Vault)

Alerts surface in Defender for Cloud and (when integrated) in Microsoft Sentinel for SOC response. The plan is per-subscription and per-resource billing.

Defender CSPM — secret scanning

Defender Cloud Security Posture Management (Defender CSPM) includes agentless secret scanning for plaintext secrets stored outside Key Vault:

VM disks (looking for credential files, config files with embedded secrets)
Storage accounts (config files, source backups, exposed connection strings)
Code repositories (when Defender for DevOps is configured)

Found secrets are surfaced as Defender for Cloud recommendations with attack-path context — “this VM holds a plaintext SQL connection string and is internet-facing” — so you can prioritise remediation. The fix path is always: move the secret to Key Vault, replace the on-disk reference with a managed-identity-based retrieval.

Scenario: Esme deploys Northwind Bank’s payments-app Key Vault

Esme’s new payments app needs to store: a third-party payment-processor API key, the cryptographic key wrapping customer PII in the database, and the TLS certificate for the public API.

Her hardened deployment:

Create a Premium-tier Key Vault (kv-payments-prod-aue1) so keys can be HSM-protected. Soft delete on (mandatory), retention 90 days, purge protection ON (one-way — accepted).
Authorisation: Azure RBAC. Disable legacy access policies. Assign:
- Esme + 2 senior security engineers: Key Vault Administrator via PIM-eligible (just-in-time).
- Payments app’s user-assigned managed identity: Key Vault Secrets User (read secrets) and Key Vault Crypto User (use the wrapping key).
- PKI ops team: Key Vault Certificates Officer (manage TLS cert renewal).
Network: Private Endpoint only. Public network access disabled. Private endpoint in the payments-app VNet; private DNS zone privatelink.vaultcore.azure.net linked to that VNet. App Service for the payments app has regional VNet integration, so it resolves the vault by private IP.
Key wrapping key. RSA 2048 HSM key, with a rotation policy rotating annually with a 30-day grace period (old version retained for 30 days post-rotation).
Certificate. Configured with DigiCert integrated issuer; auto-renew 30 days before expiry.
Defender for Key Vault: enabled via Defender for Cloud’s Key Vault plan on the subscription. Alerts routed to Sentinel via the Defender for Cloud connector. Slack-equivalent severity-high pager rules.
Defender CSPM: enabled on the subscription so secret scanning flags any plaintext leak in adjacent VMs or storage.

The vault is reachable only from the payments app’s VNet, only by PIM-active admins and the app’s MI, with HSM-protected keys, soft delete + purge protection, threat detection, and discovery of any plaintext-secret backsliding elsewhere in the subscription.