Best practices to use Key Vault

Use separate Key Vaults

Our recommendation is to use a vault per application per environment (Development, Pre-Production and Production). This helps you not share secrets across environments and also reduces the threat in case of a breach.

Control Access to your vault

Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, you need to secure access to your key vaults by allowing only authorized applications and users. This article provides an overview of the Key Vault access model. It explains authentication and authorization, and describes how to secure access to your key vaults.

Suggestions while controlling access to your vault are as follows:

  1. Lock down access to your subscription, resource group and Key Vaults (Azure RBAC)
  2. Create Access policies for every vault
  3. Use least privilege access principal to grant access
  4. Turn on Firewall and VNET Service Endpoints


Make sure you take regular back ups of your vault on update/delete/create of objects within a Vault.

Azure PowerShell Backup Commands

Azure CLI Backup Commands

Turn on Logging

Turn on logging for your Vault. Also set up alerts.

Turn on recovery options

  1. Turn on Soft Delete.
  2. Turn on purge protection if you want to guard against force deletion of the secret / vault even after soft-delete is turned on.