
Advanced Key vault settings

1. Advanced Key vault settings

We’ve seen what Azure Key Vault is and how it stores secrets, keys, and certificates. Now, let’s dive deeper into how it works behind the scenes.

2. Entra ID powers Key vault authentication

When a user or app wants to access Azure Key Vault, the first step is authentication, which means proving who they are. Azure handles this using Microsoft Entra ID.

3. Identity types in Key vault

There are three identity types. First, a user, who is a real person. Next, a group, which is a collection of users. Then, a service principal, which is a digital identity for an app or service.

4. App authentication methods

For apps, there are two authentication paths. Most apps use a Managed Identity. Azure creates and manages it, so there are no credentials to handle. Alternatively, developers can register the app manually, but that requires managing secrets.

5. Authorization in Key vault

Once a user or app is authenticated, the next step is authorization. This defines what they’re allowed to do in Key Vault. Azure offers two models for this: Access Policies and Azure RBAC.

6. Access policies (legacy)

First, Access Policies, the older method. These only control the data plane, meaning actions like reading a secret or creating a key. They don’t cover the management plane, which includes settings like who can delete or modify the vault itself. This approach is simple and works well for isolated environments, like development or single-use apps.

7. RBAC: Role-Based Access Control (recommended)

On the other hand, Azure RBAC is the recommended model. It offers unified access control across Azure and covers both the management and data planes. It also supports features like Privileged Identity Management, Multi-Factor Authentication, and Conditional Access, making it ideal for secure, enterprise-grade setups.

8. Soft delete

Imagine a secret powering your production app gets deleted by mistake or by an attacker. That could cause major disruption, but if Soft Delete is enabled, that data isn’t lost. Instead, it moves into a recoverable state, where you can bring it back.

9. Where does soft delete apply?

This applies to the vault itself and everything inside it, like keys, secrets, and certificates.

10. Soft delete configuration

The deleted items stay recoverable for a configurable period between 7 and 90 days. Soft Delete is enabled by default for new vaults and can’t be turned off once configured.

11. Purge protection

Soft Delete lets you recover deleted items, but what if someone tries to purge them? Purge means permanently deleting, with no recovery. Purge Protection stops that. It blocks permanent deletion during the retention period, even if the user has full permissions.

12. Where does purge protection apply?

It applies to both the vault and its contents.

13. Purge protection configuration

Recovery is always possible during the configured 7 to 90 days. Soft Delete must be enabled first, and once Purge Protection is turned on, it can’t be disabled.
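The settings covered in the authorization and soft delete/purge protection slides can be checked against a vault without clicking through the portal. The script below is an added example, not DataCamp's or Microsoft's code: it reads the JSON that `az keyvault show -o json` prints for one vault and flags the legacy access-policy model, missing soft delete, a retention window outside 7 to 90 days, and purge protection that is off. The two vault documents are constructed samples; the property names (`enableRbacAuthorization`, `accessPolicies`, `enableSoftDelete`, `softDeleteRetentionInDays`, `enablePurgeProtection`) follow the Key Vault resource schema as I know it, and the finding texts are my own wording.

```python
"""Audit Azure Key Vault settings from `az keyvault show -o json` output.

Added example (not DataCamp's or Microsoft's code). The two vault documents
below are constructed samples in the shape of the CLI's JSON output.
"""
import json

# Constructed sample: a vault left on the legacy access-policy model, with a
# broad policy and purge protection never switched on (null in the output).
LEGACY_VAULT = json.dumps({
    "name": "kv-dev-legacy",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": "00000000-0000-0000-0000-000000000001",
             "permissions": {"secrets": ["all"], "keys": ["all"], "certificates": ["all"]}}
        ],
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 7,
        "enablePurgeProtection": None,
    },
})

# Constructed sample: a vault configured the way the lesson recommends.
HARDENED_VAULT = json.dumps({
    "name": "kv-prod-payments",
    "properties": {
        "enableRbacAuthorization": True,
        "accessPolicies": [],
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
    },
})


def audit_vault(vault_json: str) -> list[str]:
    """Return a list of findings for one vault; an empty list means no issues."""
    vault = json.loads(vault_json)
    props = vault.get("properties", {})
    findings = []

    # Authorization model: RBAC covers both planes and supports PIM, MFA and
    # Conditional Access; access policies only govern the data plane.
    if not props.get("enableRbacAuthorization"):
        findings.append("authorization uses legacy access policies; migrate to Azure RBAC")
        # Under access policies, "all" grants every data-plane action on that object type.
        for policy in props.get("accessPolicies", []):
            perms = policy.get("permissions", {})
            broad = [kind for kind, actions in perms.items()
                     if "all" in (a.lower() for a in actions)]
            if broad:
                findings.append(
                    f"access policy for {policy.get('objectId')} grants 'all' on {', '.join(broad)}")

    # Soft delete: on by default for new vaults, but older vaults may predate that.
    if not props.get("enableSoftDelete"):
        findings.append("soft delete is disabled; deleted items cannot be recovered")
    else:
        days = props.get("softDeleteRetentionInDays")
        if days is None or not 7 <= days <= 90:
            findings.append(f"soft delete retention {days!r} is outside the 7-90 day range")

    # Purge protection: both null and false mean permanent deletion is still possible.
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is off; a privileged caller can permanently delete data")

    return findings


if __name__ == "__main__":
    for doc in (LEGACY_VAULT, HARDENED_VAULT):
        name = json.loads(doc)["name"]
        issues = audit_vault(doc)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

To run it against a real vault, pipe the CLI output into `audit_vault` (for example `az keyvault show -n <vault-name> -o json`); the retention check treats a missing value as a finding because soft delete with no stated window is worth a second look.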

14. Best practices

Now, let’s wrap up with best practices for securing your Key Vaults. First, isolate secrets by creating a separate vault for each app and environment. Next, lock down access to only what’s truly needed. Turn on Soft Delete and Purge Protection, and back up after critical changes. And finally, enable diagnostic logging. Send logs to Azure Monitor or Microsoft Sentinel to detect suspicious activity and maintain a full audit trail.
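Once diagnostic logging is on, every data-plane call lands in the AuditEvent log, and that is where the "detect suspicious activity" part of the last best practice happens. The script below is an added example, not DataCamp's or Microsoft's code: it runs two simple rules over exported log records, one that surfaces every delete or purge attempt (the operations Soft Delete and Purge Protection exist to contain) and one that flags a caller who keeps getting access denied. The log lines are constructed samples; the field names (`operationName`, `resultSignature`, `callerIpAddress`, `identity.claim.upn`) follow the exported AuditEvent JSON as I know it, and the threshold and rule names are my choices.

```python
"""Detection rules over Azure Key Vault AuditEvent diagnostic log records.

Added example (not DataCamp's or Microsoft's code). The records below are
constructed samples, one JSON object per line, in the shape of exported
AuditEvent entries; field names are an assumption about that schema.
"""
import json
from collections import Counter

SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2024-05-01T09:00:00Z", "operationName": "SecretGet", "resultSignature": "OK",
     "callerIpAddress": "10.0.0.5", "identity": {"claim": {"upn": "app-payments@contoso.com"}}},
    {"time": "2024-05-01T09:00:02Z", "operationName": "SecretGet", "resultSignature": "OK",
     "callerIpAddress": "10.0.0.5", "identity": {"claim": {"upn": "app-payments@contoso.com"}}},
    {"time": "2024-05-01T09:05:10Z", "operationName": "SecretList", "resultSignature": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"upn": "alice@contoso.com"}}},
    {"time": "2024-05-01T09:05:12Z", "operationName": "KeyList", "resultSignature": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"upn": "alice@contoso.com"}}},
    {"time": "2024-05-01T09:05:15Z", "operationName": "CertificateList", "resultSignature": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"upn": "alice@contoso.com"}}},
    {"time": "2024-05-01T09:06:00Z", "operationName": "SecretDelete", "resultSignature": "OK",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"upn": "alice@contoso.com"}}},
    # With purge protection on, the purge attempt is refused and still logged.
    {"time": "2024-05-01T09:06:05Z", "operationName": "SecretPurge", "resultSignature": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"upn": "alice@contoso.com"}}},
])

# Operations that remove data; soft delete makes the first row recoverable,
# purge protection blocks the second row during the retention period.
DESTRUCTIVE_OPS = {
    "SecretDelete", "KeyDelete", "CertificateDelete", "VaultDelete",
    "SecretPurge", "KeyPurge", "CertificatePurge", "VaultPurge",
}
DENIED_RESULTS = {"Forbidden", "Unauthorized"}
DENIED_THRESHOLD = 3  # author's choice: denied calls per caller/IP before alerting


def parse_events(log_text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def caller_of(event: dict) -> str:
    """Best-effort principal name from the identity claims."""
    return event.get("identity", {}).get("claim", {}).get("upn", "unknown")


def detect(log_text: str) -> list[dict]:
    """Apply both rules and return one alert dict per hit."""
    events = parse_events(log_text)
    alerts = []

    # Rule 1: every delete or purge attempt, successful or not, is worth an alert.
    for e in events:
        if e.get("operationName") in DESTRUCTIVE_OPS:
            alerts.append({"rule": "destructive-operation", "caller": caller_of(e),
                           "op": e["operationName"], "result": e.get("resultSignature"),
                           "time": e.get("time")})

    # Rule 2: repeated access-denied results from one caller and source address.
    denied = Counter((caller_of(e), e.get("callerIpAddress"))
                     for e in events if e.get("resultSignature") in DENIED_RESULTS)
    for (upn, ip), count in denied.items():
        if count >= DENIED_THRESHOLD:
            alerts.append({"rule": "repeated-access-denied", "caller": upn,
                           "ip": ip, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same two rules map naturally onto Sentinel analytics rules over the AzureDiagnostics table; the point of keeping them in plain Python here is that you can replay exported logs offline and tune the threshold before wiring up alerts.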

15. Let's practice!

Now that you know the advanced vault settings, let’s put them into action.
