Configure a security-hardened Azure Key Vault for enterprise workloads. Apply soft delete and purge protection, enforce least-privilege RBAC access with just-in-time activation, and secure the network perimeter using firewall rules and private endpoints.
After completing this module, you'll be able to:
- Deploy Azure Key Vault with security controls enforced at creation time
- Configure role-based access control and just-in-time privilege for Key Vault operations
- Secure Key Vault network access using firewall rules, virtual network service endpoints, and private endpoints
Manage the security lifecycle of cryptographic keys and secrets in Azure Key Vault. Configure HSM-backed keys, implement BYOK, automate key rotation, and build zero-downtime secret rotation using dual-credential patterns.
After completing this module, you'll be able to:
- Create and manage cryptographic keys, including HSM-protected and BYOK scenarios
- Configure automated key rotation policies to minimize cryptographic exposure risk
- Build zero-downtime secret rotation using dual-credential and automated rotation patterns
Manage certificate lifecycle in Azure Key Vault through integrated CA issuance and autorenewal, and enable diagnostic logging to create an investigation-ready audit trail for security operations.
After completing this module, you'll be able to:
- Manage certificate issuance, renewal, and lifecycle through integrated certificate authorities
- Configure Key Vault lifetime actions and certificate contacts for automated renewal and notification
- Enable Key Vault diagnostic logging to support security investigation and compliance requirements
Protect Azure Key Vault with Microsoft Defender for Cloud. Use Defender Cloud Security Posture Management (CSPM) agentless secret scanning to discover exposed credentials, enable Microsoft Defender for Key Vault to detect malicious access patterns, and respond effectively to Key Vault security alerts.
After completing this module, you're able to:
- Use Defender CSPM agentless scanning to discover secrets exposed on virtual machines and cloud deployments
- Enable Microsoft Defender for Key Vault and identify its threat detection capabilities
- Investigate and respond to Microsoft Defender for Key Vault security alerts

Syllabus

Configure and secure Azure Key Vault
- Introduction
- Deploy Azure Key Vault with security controls
- Configure access to Azure Key Vault
- Configure Key Vault firewall and network settings
- Knowledge check
- Summary
Manage keys and secrets in Azure Key Vault
- Introduction
- Manage cryptographic keys in Azure Key Vault
- Manage secrets in Azure Key Vault
- Knowledge check
- Summary
Manage certificates and monitor Azure Key Vault
- Introduction
- Manage certificates in Azure Key Vault
- Enable Key Vault audit logging
- Knowledge check
- Summary
Protect Azure Key Vault with Microsoft Defender for Cloud
- Introduction
- Scan for exposed secrets using Defender Cloud Security Posture Management (CSPM)
- Enable Microsoft Defender for Key Vault
- Investigate and respond to Defender for Key Vault alerts
- Knowledge check
- Summary