
Commit 849a02b

Merge pull request #49579 from lootle1/MR79
Technical Review 1037325: Configure and manage secrets in Azure Key V…
2 parents a686dfc + f624b11 commit 849a02b

12 files changed

+33
-34
lines changed

learn-pr/azure/configure-and-manage-azure-key-vault/1-introduction.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ metadata:
66
prefetch-feature-rollout: true
77
title: Introduction
88
description: Introduction
9-
ms.date: 03/24/2023
9+
ms.date: 03/19/2025
1010
author: msmbaldwin
1111
ms.author: mbaldwin
1212
ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/2-key-vault-usage.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ metadata:
66
prefetch-feature-rollout: true
77
title: Guidelines for using Azure Key Vault
88
description: Guidelines for using Azure Key Vault
9-
ms.date: 03/24/2023
9+
ms.date: 03/19/2025
1010
author: msmbaldwin
1111
ms.author: mbaldwin
1212
ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/3-manage-access-and-permissions-to-secrets.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ metadata:
66
prefetch-feature-rollout: true
77
title: Manage access to secrets, certificates, and keys
88
description: Manage access to secrets, certificates, and keys
9-
ms.date: 03/24/2023
9+
ms.date: 03/19/2025
1010
author: msmbaldwin
1111
ms.author: mbaldwin
1212
ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/4-store-secrets-in-akv.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ metadata:
66
prefetch-feature-rollout: true
77
title: Exercise - store secrets in Azure Key Vault
88
description: Exercise - store secrets in Azure Key Vault
9-
ms.date: 03/24/2023
9+
ms.date: 03/19/2025
1010
author: msmbaldwin
1111
ms.author: mbaldwin
1212
ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/5-manage-certificates.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ metadata:
66
prefetch-feature-rollout: true
77
title: Manage certificates
88
description: Manage certificates
9-
ms.date: 03/24/2023
9+
ms.date: 03/19/2025
1010
author: msmbaldwin
1111
ms.author: mbaldwin
1212
ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/6-summary.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ metadata:
66
prefetch-feature-rollout: true
77
title: Summary
88
description: Summary
9-
ms.date: 03/24/2023
9+
ms.date: 03/19/2025
1010
author: msmbaldwin
1111
ms.author: mbaldwin
1212
ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/includes/1-introduction.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
PetDash is an online pet food delivery company that provides store-to-door service for all their customer's pet needs. They take online orders, store credit cards and personal details in their SQL database, and have a secure website running on Azure App Service to interact with customers. They've been in business a little over a year and Steve, one of the website admins, noticed that their website certificate for the **petdash.com** domain has expired. Steve quickly renews the certificate and gets it installed on the server, and begins to explore ways to ensure that this problem never happens again. The investigation reveals that Azure Key Vault supports certificate management. Even better, Key Vault can communicate with App Service to provide the certification _and_ renew it automatically if necessary.
1+
PetDash is an online pet food delivery company that provides store-to-door service for all their customer's pet needs. They take online orders, store credit cards and personal details in their SQL database, and have a secure website running on Azure App Service to interact with customers. They've been in business a little over a year. Steve, one of the website admins, noticed that their website certificate for the **petdash.com** domain has expired. Steve quickly renews the certificate, gets it installed on the server, and begins to explore ways to ensure that this problem never happens again. The investigation reveals that Azure Key Vault supports certificate management. Even better, Key Vault can communicate with App Service to provide the certification _and_ renew it automatically if necessary.
22

33
**Azure Key Vault** helps safeguard cryptographic keys and secrets that cloud applications and services use. Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed.
44
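
Review bot: the rewritten line 1 still says Key Vault can "provide the certification _and_ renew it"; the object being provided is the certificate, so this should read "provide the certificate _and_ renew it". While the sentence is being touched, "all their customer's pet needs" should be the plural possessive "customers'" since PetDash serves many customers. Splitting the run-on into "They've been in business a little over a year. Steve, ..." reads well.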

learn-pr/azure/configure-and-manage-azure-key-vault/includes/2-key-vault-usage.md

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -24,32 +24,32 @@ New-AzKeyVault -Name <your-unique-vault-name> -ResourceGroupName <resource-group
2424

2525
## Keys
2626

27-
Keys are the central actor in the Azure Key Vault service. A given key in a key vault is a cryptographic asset destined for a particular use. Examples are, the asymmetric master key of Microsoft Azure RMS, or the asymmetric keys used for SQL Server TDE (Transparent Data Encryption), CLE (Column Level Encryption) and Encrypted backup.
27+
Keys are the central actor in the Azure Key Vault service. A given key in a key vault is a cryptographic asset destined for a particular use. Examples are, the asymmetric master key of Microsoft Azure RMS, or the asymmetric keys used for SQL Server TDE (Transparent Data Encryption), CLE (Column Level Encryption), and Encrypted backup.
2828

2929
Microsoft and your apps don't have access to the stored keys directly once a key is created or added to a key vault. Applications must use your keys by calling cryptography methods on the Key Vault service. The Key Vault service performs the requested operation within its hardened boundary. The application never has direct access to the keys.
3030

31-
Keys can be single instanced (only one key exists), or be versioned. In the versioned case, a key is an object with a primary (active) key, and a collection of zero, one or more secondary (archived) keys created when keys are rolled (renewed). Key Vault supports asymmetric keys (RSA 2048). Your applications may use these keys for encryption or digital signatures.
31+
Keys can be single instanced (only one key exists) or be versioned. In the versioned case, a key is an object with a primary (active) key, and a collection of zero, one, or more secondary (archived) keys created when keys are rolled (renewed). Key Vault supports asymmetric keys (RSA 2048). Your applications may use these keys for encryption or digital signatures.
3232

33-
There are two variations on keys in Key Vault: hardware-protected, and software-protected.
33+
There are two variations on keys in Key Vault: hardware-protected and software-protected.
3434

3535
### Hardware-protected keys
3636

3737
The Key Vault service supports using hardware security modules (HSMs) that provide a hardened, tamper-resistant environment for cryptographic processing and key generation. Azure has dedicated HSMs validated to FIPS 140-2 Level 2 that Key Vault uses to generate or store keys. These HSM-backed keys are always locked to the boundary of the HSM. When you query the Key Vault service to decrypt or sign with a key, the operation is performed inside an HSM.
3838

39-
You can import keys from your own HSMs, and transfer them to Key Vault without leaving the HSM boundary. This scenario is often referred to as _bring your own key_, or BYOK. More details about generating your own HSM-protected key and then transferring it to Azure Key Vault is available in the summary of this module. You can also use these Azure HSMs directly through the Microsoft Azure Dedicated Hardware Security Module (HSM) service if you need to migrate HSM-protected apps or maintain a high security compliance requirement.
39+
You can import keys from your own HSMs, and transfer them to Key Vault without leaving the HSM boundary. This scenario is often referred to as _bring your own key_ or BYOK. More details about generating your own HSM-protected key and then transferring it to Azure Key Vault is available in the summary of this module. You can also use these Azure HSMs directly through the Microsoft Azure Dedicated Hardware Security Module (HSM) service if you need to migrate HSM-protected apps or maintain a high security compliance requirement.
4040

4141
### Software-protected keys
4242

4343
Key Vault can also generate and protect keys using software-based RSA and ECC algorithms. In general, software-protected keys offer most of the features as HSM-protected keys except the FIPS 140-2 Level 2 assurance:
4444

45-
- Your key is still isolated from the application (and Microsoft) in a container that you manage
46-
- It's stored _at rest_ encrypted with HSMs
47-
- You can monitor usage using Key Vault logs
45+
- Your key is still isolated from the application (and Microsoft) in a container that you manage.
46+
- It's stored _at rest_ encrypted with HSMs.
47+
- You can monitor usage using Key Vault logs.
4848

49-
The primary difference (besides price) with a software-protected key, is that cryptographic operations are performed in software using Azure compute services. With HSM-protected keys, the cryptographic operations are performed within the HSM.
49+
The primary difference (besides price) with a software-protected key is that cryptographic operations are performed in software using Azure compute services. With HSM-protected keys, the cryptographic operations are performed within the HSM.
5050

5151
> [!TIP]
52-
> For production use, it's recommended to use HSM-protected keys and use software-protected keys in only test/pilot scenarios. There is an additional charge for HSM-backed keys per-month if the key is used in that month. The summary page has a link to the pricing details for Azure Key Vault.
52+
> For production use, it's recommended to use HSM-protected keys and use software-protected keys in only test/pilot scenarios. There's an additional charge for HSM-backed keys per-month if the key is used in that month. The summary page has a link to the pricing details for Azure Key Vault.
5353
5454
You determine the key generation type when you create the key. For example, the Azure PowerShell command `Add-AzureKeyVaultKey` has a `Destination` parameter that can be set to either `Software` or `HSM`:
5555

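
Review bot: line 54 (unchanged context in this hunk) still cites `Add-AzureKeyVaultKey`, the legacy AzureRM cmdlet, while the hunk header shows this unit already using the Az module (`New-AzKeyVault`); the Az equivalent is `Add-AzKeyVaultKey`, and the two should agree so readers are not sent to two different PowerShell modules. Two smaller points in the edited lines: line 31 says "Key Vault supports asymmetric keys (RSA 2048)" but line 43 of the same hunk says keys are protected with "software-based RSA and ECC algorithms", so line 31 understates what the unit itself describes and should at least say RSA and EC keys; and line 27 keeps the stray comma in "Examples are, the asymmetric master key". Line 39 "More details ... is available" should be "are available".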
@@ -65,9 +65,9 @@ Secrets are small (less than 10K) data blobs protected by a HSM-generated key cr
6565

6666
With these three elements, an Azure Key Vault helps address the following issues:
6767

68-
- **Secrets management**. Azure Key Vault can securely store (with HSMs) and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
69-
- **Key management**. Azure Key Vault is a cloud-based key management solution, making it easier to create and control the encryption keys used to encrypt your data. Azure services such as App Service integrate directly with Azure Key Vault and can decrypt secrets without knowledge of the encryption keys.
70-
- **Certificate management**. Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with Azure and your internal connected resources. It can also request and renew TLS certificates through partnerships with certificate authorities, providing a robust solution for certificate lifecycle management.
68+
- **Secrets management:** Azure Key Vault can securely store (with HSMs) and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
69+
- **Key management:** Azure Key Vault is a cloud-based key management solution, making it easier to create and control the encryption keys used to encrypt your data. Azure services such as App Service integrate directly with Azure Key Vault and can decrypt secrets without knowledge of the encryption keys.
70+
- **Certificate management:** Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with Azure and your internal connected resources. It can also request and renew TLS certificates through partnerships with certificate authorities, providing a robust solution for certificate lifecycle management.
7171

7272
> [!IMPORTANT]
7373
> **Key Vault is designed to store configuration secrets for server applications.** It's not intended for storing data belonging to your app's users, and it shouldn't be used in the client-side part of an app. This is reflected in its performance characteristics, API, and cost model.
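
Review bot: the hunk header context (line 65) reads "protected by a HSM-generated key"; HSM is pronounced with an initial vowel sound, so this should be "an HSM-generated key", matching "an HSM" used at line 37 of this unit. The change from "**Secrets management**." to "**Secrets management:**" in lines 68-70 is applied consistently across the three items; fine.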
@@ -81,7 +81,7 @@ Here are some security best practices for using Azure Key Vault.
8181
| Best practice | Solution |
8282
|---------------|----------|
8383
| Grant access to users, groups, and applications at a specific scope.| Use RBAC's predefined roles. For example, to grant access to a user to manage key vaults, you would assign the predefined role Key Vault Contributor to this user at a specific scope. The scope, in this case, would be a subscription, a resource group, or just a specific key vault. If the predefined roles don't fit your needs, you can define your own roles. |
84-
| Control what users have access to.| Access to a key vault is controlled through two separate interfaces: management plane, and data plane. The management plane and data plane access controls work independently. Use RBAC to control what users have access to. For example, if you want to grant an application the rights to use keys in a key vault, you only need to grant data plane access permissions using key vault access policies. No management plane access is needed for this application. Conversely, if you want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates. You can use RBAC to grant read access to the management plane. No access to the data plane is required. |
84+
| Control what users have access to.| Access to a key vault is controlled through two separate interfaces: management plane and data plane. The management plane and data plane access controls work independently. Use RBAC to control what users have access to. For example, if you want to grant an application the rights to use keys in a key vault, you only need to grant data plane access permissions using key vault access policies. No management plane access is needed for this application. Conversely, if you want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates. You can use RBAC to grant read access to the management plane. No access to the data plane is required. |
8585
| Store certificates in your key vault.| Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when the VMs are deployed. By setting appropriate access policies for the key vault, you also control who gets access to your certificate. Another benefit is that you manage all your certificates in one place in Azure Key Vault. |
8686
| Ensure that you can recover a deletion of key vaults or key vault objects.| Deletion of key vaults or key vault objects can be either inadvertent or malicious. Enable the soft delete and purge protection features of Key Vault, particularly for keys that are used to encrypt data at rest. Deletion of these keys is equivalent to data loss, so you can recover deleted vaults and vault objects if needed. Practice Key Vault recovery operations regularly. |
8787

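
Review bot: the edited row 84 still contains a sentence fragment: "Conversely, if you want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates. You can use RBAC ..."; join it as "... keys, secrets, or certificates, you can use RBAC to grant read access to the management plane." The same row says "Use RBAC to control what users have access to" and then grants data-plane rights "using key vault access policies", which are two different authorization models; state which model applies to each plane so the row does not read as contradicting itself.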
Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
Key Vault access has two facets: the management of the Key Vault itself, and accessing the data contained in the Key Vault. Documentation refers to these facets as the *management plane* and the *data plane*.
1+
Key Vault access has two facets: the management of the Key Vault itself, and accessing the data contained in the Key Vault. Documentation refers to these facets as the *management plane* and the *data plane*.
22

33
These two areas are separated because the creation of the Key Vault is a management operation, while storing and retrieving a secret stored in the Key Vault is a different type of role. To access a key vault all users or apps must have proper *authentication* to identify the caller and *authorization* to determine the operations the caller can perform.
44

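
Review bot: the removed and added line 1 read identically here, so this appears to be a whitespace-only change (for example a trailing space or a non-breaking space); confirm it is intentional, since an invisible diff makes the history harder to read. In the unchanged line 3, "storing and retrieving a secret stored in the Key Vault is a different type of role" mixes operation and role; "is a data-plane operation" would match the management plane / data plane terminology introduced in line 1.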
@@ -8,20 +8,20 @@ Azure Key Vault uses Microsoft Entra ID to authenticate users and apps that try
88

99
## Authorization
1010

11-
Management operations (creating a new Azure Key Vault) use role-based access control (RBAC). There's a built-in role **Key Vault Contributor** that provides access to management features of key vaults, but doesn't allow access to the key vault data. This role is the recommended role to use. There's also a **Contributor** role that includes full administration rights - including the ability to grant access to the data plane.
11+
Management operations (creating a new Azure Key Vault) use role-based access control (RBAC). There's a built-in role **Key Vault Contributor** that provides access to management features of key vaults, but it doesn't allow access to the key vault data. This role is the recommended role to use. There's also a **Contributor** role that includes full administration rights - including the ability to grant access to the data plane.
1212

1313
Reading and writing data in the Key Vault uses a separate Key Vault *access policy*. A Key Vault access policy is a permission set assigned to a user or managed identity to read, write, and/or delete secrets and keys. You can create an access policy using the CLI, REST API, or Azure portal as follows.
1414

1515
:::image type="content" source="../media/3-add-key-vault-policy.png" alt-text="Screenshot showing the Add KeyVault policy screen in the Azure portal.":::
1616

17-
The system has a list of predefined management options that define the permissions allowed for this policy - here we've selected **Key, Secret, & Certificate Management** which is appropriate to manage secrets in the Key Vault. You can then customize the permissions as desired by changing the **Key permissions** entries. For example, we could adjust the permissions to only allow *read* operations:
17+
The system has a list of predefined management options that define the permissions allowed for this policy. Here we've selected **Key, Secret, & Certificate Management**, which is appropriate to manage secrets in the Key Vault. You can then customize the permissions as desired by changing the **Key permissions** entries. For example, we could adjust the permissions to only allow *read* operations:
1818

1919
:::image type="content" source="../media/3-permissions.png" alt-text="Screenshot showing the permission list cut down to read only in the Azure portal.":::
2020

2121
Developers only need `Get` and `List` permissions to a development-environment vault. A lead or senior developer needs full permissions to the vault to change and add secrets when necessary. Full permissions to production-environment vaults are typically reserved for senior operations staff. Apps only require `Get` permissions as they often only need to retrieve secrets.
2222

2323
## Restrict network access
2424

25-
Another point to consider with Azure Key Vault is what services in your network can access the vault. In most cases, the network endpoints don't need to be open to the Internet. You should determine the minimum network access required. For example, you can restrict Key Vault endpoints to specific Azure Virtual Network subnets, specific IP addresses, or trusted Microsoft services. Including, Azure SQL, Azure App Service, and various data and storage services that use encryption keys.
25+
Another point to consider with Azure Key Vault is what services in your network can access the vault. In most cases, the network endpoints don't need to be open to the Internet. You should determine the minimum network access required. For example, you can restrict Key Vault endpoints to specific Azure Virtual Network subnets, specific IP addresses, or trusted Microsoft services. Services include Azure SQL, Azure App Service, and various data and storage services that use encryption keys.
2626

2727
:::image type="content" source="../media/3-network-rules.png" alt-text="Screenshot showing the network rules for a KeyVault in the Azure portal.":::
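
Review bot: line 13 says you can create an access policy "using the CLI, REST API, or Azure portal as follows", but only the portal flow follows (the screenshots at lines 15 and 19); either drop "as follows" or add the CLI and REST equivalents. In line 11 the added "it" is correct, but "This role is the recommended role to use" repeats "role"; "This is the recommended role" is tighter. Line 21 "Apps only require `Get` permissions as they often only need to retrieve secrets" doubles "only"; "Apps typically require only `Get` permissions, since they just retrieve secrets" reads better. In line 25, "the Internet" should be lowercase "internet" per the Microsoft Writing Style Guide; the rewrite of "Including, Azure SQL ..." into a full sentence is good.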
