3.5 Secrets, Certificates & Key Management Design
Key Takeaways
- Key Vault stores three distinct object types — secrets, keys, and certificates — with Standard (software-protected) and Premium (HSM-protected) tiers, plus a separate single-tenant Managed HSM offering.
- As of Key Vault API version 2026-02-01, new vaults default to the Azure RBAC authorization model over legacy access policies, which is also Microsoft's security recommendation.
- A vault uses exactly one authorization model at a time; access policies allow any principal with vault-write permission to self-grant data access, a known privilege-escalation risk RBAC closes.
- System-assigned managed identities are tied 1:1 to one resource's lifecycle; user-assigned managed identities are standalone, reusable resources that Microsoft recommends for most enterprise scenarios.
- Soft-delete (default, non-optional) retains deleted items for a recovery window (typically 90 days); purge protection additionally blocks permanent purging during that window, even for an Owner.
Why Secrets Management Design Matters
An architecture that authenticates users correctly but stores a database connection string or an API key in application configuration files has not solved the security problem — it has just moved it. AZ-305 tests whether you can design a secrets, certificate, and key management solution that eliminates hard-coded credentials entirely, using Azure Key Vault and managed identities together as the standard pattern.
Azure Key Vault: Three Object Types
Key Vault stores three distinct object types, and the exam expects you to distinguish them:
| Object type | What it holds | Typical use |
|---|---|---|
| Secrets | Arbitrary small blobs of sensitive data (connection strings, passwords, API tokens) | Application configuration values that must never appear in source control |
| Keys | Cryptographic keys used for encrypt/decrypt or sign/verify operations | Encrypting data at rest with customer-managed keys, application-level cryptography |
| Certificates | X.509 certificates, with Key Vault managing the private key and enabling automatic renewal | TLS/SSL certificates for App Service, Front Door, Application Gateway |
Key Vault comes in two tiers: Standard (software-protected keys) and Premium (hardware security module, or HSM-protected keys, for workloads with regulatory requirements for HSM-backed key material). A separate offering, Managed HSM, provides a single-tenant, FIPS 140-2 Level 3 validated HSM pool for the highest-assurance key management needs, distinct from the multi-tenant Key Vault Premium tier.
Access Model: RBAC vs. Access Policies
Key Vault has historically supported two separate authorization models, and choosing correctly is now a scored design decision:
- Access policies (legacy model) — permissions are configured directly on the vault itself, at the whole-vault level (keys, secrets, certificates as broad categories). A serious weakness: any principal with
Microsoft.KeyVault/vaults/writepermission (including Contributor) can edit a vault's access policy and grant themselves data access — a privilege-escalation path. - Azure RBAC (recommended model) — permissions use the same Azure RBAC system as every other resource, restrict permission management to Owner and User Access Administrator roles, support scoping down to an individual secret/key/certificate, and integrate with Conditional Access.
As of Key Vault API version 2026-02-01, new vaults default to the Azure RBAC authorization model. Existing vaults still using access policies should be migrated deliberately — documenting current permissions, creating equivalent RBAC role assignments (e.g., Key Vault Secrets User for read-only secret access, Key Vault Administrator for full management), and testing before cutover. A vault uses exactly one model at a time; a design cannot mix RBAC and access policies on the same vault.
Managed Identities: Eliminating Hard-Coded Credentials
A managed identity is an identity Entra ID manages automatically for an Azure resource (a VM, App Service, Function App, and others), letting that resource authenticate to Key Vault (or any Entra-ID-protected service) without any credential stored in code or configuration.
| Type | Lifecycle | Reuse across resources |
|---|---|---|
| System-assigned | Created and deleted with the resource; a resource can have exactly one | No — tied 1:1 to a single resource |
| User-assigned | Created as a standalone Azure resource with its own lifecycle | Yes — the same identity can be assigned to many resources, and role assignments can be prepared in advance |
Microsoft's guidance favors user-assigned managed identities for most enterprise scenarios: because the identity and its role assignments exist independently of any single resource, teams can provision RBAC access in advance, reuse one identity across a scale set or a fleet of Function Apps, and avoid re-granting access every time a resource is recreated. System-assigned identities remain the simpler choice for a single, long-lived resource where reuse is not needed.
Soft-Delete and Purge Protection
Key Vault enables soft-delete by default (and it cannot be disabled on new vaults), retaining a deleted vault or object for a configurable period — 90 days by default — during which it can be recovered. Purge protection is a separate, stronger setting that prevents anyone, including a subscription Owner, from permanently purging a vault or its contents before the retention period elapses, protecting against both accidental and malicious permanent deletion. A design for a regulated workload (financial services, healthcare) should explicitly enable purge protection rather than relying on soft-delete alone.
Exam Scenario
A web application running on Azure App Service needs to read a database connection string at startup without any secret ever appearing in application settings, source control, or a deployment pipeline variable. The correct design: enable a system-assigned managed identity on the App Service instance, grant that identity the Key Vault Secrets User RBAC role scoped to the specific Key Vault (or the specific secret), and have the application call the Key Vault SDK or use a Key Vault reference in App Service configuration to retrieve the secret at runtime. No credential is ever stored — the App Service's own platform-issued identity is the credential.
Common Traps
- Recommending access policies for a new vault when the scenario has no stated legacy constraint — RBAC is now the default and the more secure choice.
- Forgetting that Contributor-level access on a vault using the access-policy model can be a privilege-escalation path; this is precisely why RBAC restricts permission changes to Owner/User Access Administrator.
- Choosing system-assigned managed identity for a scenario that clearly needs the same identity reused across many resources (e.g., an entire VM scale set) — user-assigned is the correct fit there.
- Assuming soft-delete alone protects against malicious deletion — only purge protection prevents permanent purging during the retention window.
- Mixing RBAC and access-policy permissions on one vault — a vault operates under exactly one authorization model at a time.
A team is provisioning a new Azure Key Vault using the current default API version and has no legacy access-policy requirement. Which authorization model will the vault use by default, and why is it preferred?
A design calls for the same identity to be assigned to an entire Azure Virtual Machine Scale Set so every instance can authenticate to Key Vault with pre-provisioned role assignments, and the identity must persist independently of any single VM instance's lifecycle. Which managed identity type fits this requirement?
What is the key difference between Key Vault soft-delete and purge protection?