>_SkillsHub

> azure-key-vault

Expert knowledge for Azure Key Vault development including troubleshooting, best practices, decision making, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building, debugging, or optimizing Azure Key Vault applications. Not for Azure Information Protection (use azure-information-protection), Azure Attestation (use azure-attestation), Azure Dedicated HSM (use azure-dedicated-hsm), Azure Cloud Hsm (use azure-cloud-hsm).

fetch
$curl "https://skillshub.wtf/MicrosoftDocs/Agent-Skills/azure-key-vault?format=md"
SKILL.mdazure-key-vault

Azure Key Vault Skill

This skill provides expert guidance for Azure Key Vault. Covers troubleshooting, best practices, decision making, limits & quotas, security, configuration, integrations & coding patterns, and deployment. It combines local quick-reference content with remote documentation fetching capabilities.

How to Use This Skill

IMPORTANT for Agent: Use the Category Index below to locate relevant sections. For categories with line ranges (e.g., L35-L120), use read_file with the specified lines. For categories with file links (e.g., [security.md](security.md)), use read_file on the linked reference file

IMPORTANT for Agent: If metadata.generated_at is more than 3 months old, suggest the user pull the latest version from the repository. If mcp_microsoftdocs tools are not available, suggest the user install it: Installation Guide

This skill requires network access to fetch documentation content:

  • Preferred: Use mcp_microsoftdocs:microsoft_docs_fetch with query string from=learn-agent-skill. Returns Markdown.
  • Fallback: Use fetch_webpage with query string from=learn-agent-skill&accept=text/markdown. Returns Markdown.

Category Index

CategoryLinesDescription
TroubleshootingL36-L45Diagnosing and fixing Key Vault issues: certificate problems, access policy and Azure Policy failures, Private Link misconfig, and interpreting REST/API error codes.
Best PracticesL46-L56Best practices for securing keys/secrets, using soft-delete, disaster recovery for Managed HSM, and automating single/dual-credential secret rotation in Azure Key Vault.
Decision MakingL57-L63Guidance on migrating Key Vault keys and access control (access policies to RBAC) and planning capacity, performance, and scaling for Azure Managed HSM deployments.
Limits & QuotasL64-L74Key Vault and Managed HSM limits: throttling, quotas, size/storage constraints, logging behavior, soft-delete rules, and firewall/network configuration.
SecurityL75-L102Securing Azure Key Vault and Managed HSM: auth/RBAC vs access policies, network/firewall/Private Link, HSM/BYOK and attestation, backups, and role/permission management.
ConfigurationL103-L127Configuring Key Vault and Managed HSM for auth, logging, monitoring, alerts, key types/import/rotation, secure key release, governance, and managing secrets/storage keys.
Integrations & Coding PatternsL128-L160Code samples and patterns for integrating Key Vault/Managed HSM with apps and services: client libraries, JS key/secret ops, Event Grid/Logic Apps, DigiCert, TLS offload, and SAS retrieval.
DeploymentL161-L172How to deploy and provision Azure Key Vault and Managed HSM (vaults, keys, secrets) using ARM templates, Bicep, Terraform, Azure CLI, and PowerShell

Troubleshooting

TopicURL
Troubleshoot common Azure Key Vault certificate issueshttps://learn.microsoft.com/en-us/azure/key-vault/certificates/faq
Understand common Azure Key Vault error codeshttps://learn.microsoft.com/en-us/azure/key-vault/general/common-error-codes
Diagnose and fix Key Vault Private Link configuration issueshttps://learn.microsoft.com/en-us/azure/key-vault/general/private-link-diagnostics
Interpret Azure Key Vault REST API error codeshttps://learn.microsoft.com/en-us/azure/key-vault/general/rest-error-codes
Troubleshoot Azure Policy enforcement on Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/general/troubleshoot-azure-policy-for-key-vault
Troubleshoot Azure Key Vault access policy issueshttps://learn.microsoft.com/en-us/azure/key-vault/general/troubleshooting-access-issues

Best Practices

TopicURL
Use and manage Azure Key Vault soft-delete safelyhttps://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
Security best practices for Azure Key Vault keyshttps://learn.microsoft.com/en-us/azure/key-vault/keys/secure-keys
Disaster recovery procedure for Azure Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/disaster-recovery-guide
Apply security best practices to Azure Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/secure-managed-hsm
Apply security best practices for Key Vault secretshttps://learn.microsoft.com/en-us/azure/key-vault/secrets/secure-secrets
Automate rotation of single-credential secrets in Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation
Automate rotation for dual-credential secrets in Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual

Decision Making

TopicURL
Decide how to migrate Azure Key Vault key workloadshttps://learn.microsoft.com/en-us/azure/key-vault/general/migrate-key-workloads
Migrate Key Vault from access policies to RBAChttps://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration
Plan capacity and scaling for Azure Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/scaling-guidance

Limits & Quotas

TopicURL
Configure and interpret Azure Key Vault logging behaviorhttps://learn.microsoft.com/en-us/azure/key-vault/general/logging
Understand and handle Azure Key Vault throttling limitshttps://learn.microsoft.com/en-us/azure/key-vault/general/overview-throttling
Review Azure Key Vault and Managed HSM service limitshttps://learn.microsoft.com/en-us/azure/key-vault/general/service-limits
Configure Managed HSM firewall and networkinghttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/configure-network-security
Review Azure Managed HSM service limits and quotashttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/service-limits
Understand soft-delete behavior and constraints in Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/soft-delete-overview
Understand Azure Key Vault secret size and storage behaviorhttps://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets

Security

TopicURL
Apply security best practices for Key Vault certificateshttps://learn.microsoft.com/en-us/azure/key-vault/certificates/secure-certificates
Enable Key Vault access from behind a firewallhttps://learn.microsoft.com/en-us/azure/key-vault/general/access-behind-firewall
Prepare for Azure Key Vault RBAC default accesshttps://learn.microsoft.com/en-us/azure/key-vault/general/access-control-default
Assign Azure Key Vault access policies via CLIhttps://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy
Configure authentication to Azure Key Vault with Entra IDhttps://learn.microsoft.com/en-us/azure/key-vault/general/authentication
Configure network security and firewalls for Azure Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/general/network-security
Secure Key Vault access with virtual network service endpointshttps://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints
Integrate Azure Key Vault with Private Link endpointshttps://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service
Choose Azure RBAC vs access policies for Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
Grant Key Vault access to apps using Azure RBAChttps://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide
Apply security best practices to Azure Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/general/secure-key-vault
Plan and use HSM-protected keys in Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys
Implement BYOK HSM-protected keys in Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok
Legacy nCipher BYOK import for Azure Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-ncipher
Manage access control and authorization for Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/access-control
Authorize Azure Resource Manager for Managed HSM key operationshttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/authorize-azure-resource-manager
Back up and restore Azure Managed HSM contentshttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/backup-restore
Use Managed HSM built-in local RBAC roleshttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/built-in-roles
Configure secure access and RBAC for Azure Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/how-to-secure-access
Implement BYOK for Azure Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/hsm-protected-keys-byok
Use key attestation to validate Managed HSM keyshttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/key-attestation
Configure network security and firewall for Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/network-security
Configure Managed HSM private endpoints with Private Linkhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/private-link
Manage Managed HSM roles and role assignmentshttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/role-management

Configuration

TopicURL
Configure health and throttling alerts for Azure Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/general/alert
Configure authentication and REST requests for Azure Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/general/authentication-requests-and-responses
Integrate Azure Key Vault governance with Azure Policyhttps://learn.microsoft.com/en-us/azure/key-vault/general/azure-policy
Enable and configure Azure Key Vault logginghttps://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging
Configure monitoring for Azure Key Vault with Azure Monitorhttps://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault
Reference for Azure Key Vault monitoring metrics and logshttps://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault-reference
Use supported key types and algorithms in Azure Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details
Implement BYOK key import specification for Azure Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/keys/byok-specification
Configure Azure Key Vault key auto-rotationhttps://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
Author secure key release policies in Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/keys/policy-grammar
Configure health and performance alerts for Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/configure-alerts
Set up key auto-rotation in Azure Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/key-rotation
Enable and use Azure Managed HSM logginghttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/logging
Monitor Azure Managed HSM with Azure Monitorhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/logging-azure-monitor
Configure multi-region replication for Azure Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/multi-region-replication
Author secure key release policies for Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/policy-grammar
Configure soft-delete and purge protection in Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/recovery
Integrate Managed HSM logs with Microsoft Sentinelhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/sentinel
Store multiline secrets in Azure Key Vault via CLI and PowerShellhttps://learn.microsoft.com/en-us/azure/key-vault/secrets/multiline-secrets
Manage storage account keys with Key Vault using Azure CLIhttps://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys
Manage storage account keys with Key Vault using PowerShellhttps://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell

Integrations & Coding Patterns

TopicURL
Integrate Azure Key Vault with DigiCert CAhttps://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-integrate-certificate-authority
Use Azure Key Vault client libraries across languageshttps://learn.microsoft.com/en-us/azure/key-vault/general/client-libraries
Send email on Key Vault secret changes with Logic Appshttps://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-logicapps
Integrate Azure Key Vault events with Azure Event Gridhttps://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-overview
Handle Key Vault notifications using Azure Event Gridhttps://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-tutorial
Back up, delete, and restore keys in JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-backup-delete-restore-key
Create and rotate Key Vault keys in JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-create-update-rotate-key
Enable or disable Key Vault keys in JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-enable-disable-key
Encrypt and decrypt with Key Vault keys in JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-encrypt-decrypt-key
Retrieve Azure Key Vault keys in JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-get-key
Connect to Azure Key Vault keys with JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-get-started
Import keys into Azure Key Vault with JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-import-key
List Azure Key Vault keys using JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-list-key-version
Sign and verify with Key Vault keys in JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/javascript-developer-guide-sign-verify-key
Use Azure Key Vault keys with Go SDKhttps://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-go
Use Azure Key Vault keys with Java SDKhttps://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-java
Use Azure Key Vault keys client library for .NEThttps://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-net
Use Azure Key Vault keys client library for JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-node
Use Azure Key Vault Python client library to manage keyshttps://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-python
Manage keys within Azure Managed HSMhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/key-management
Integrate Managed HSM TLS Offload library with F5 and Nginxhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/tls-offload-library
Back up and restore Key Vault secrets in JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/javascript-developer-guide-backup-secrets
Delete and purge Key Vault secrets with JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/javascript-developer-guide-delete-secret
Enable or disable Key Vault secrets using JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/javascript-developer-guide-enable-disable-secret
List and find Key Vault secrets using JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/javascript-developer-guide-find-secret
Retrieve Azure Key Vault secrets with JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/javascript-developer-guide-get-secret
Connect to Key Vault secrets from JavaScript applicationshttps://learn.microsoft.com/en-us/azure/key-vault/secrets/javascript-developer-guide-get-started
Create, update, and rotate Key Vault secrets with JavaScripthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/javascript-developer-guide-set-update-rotate-secret
Use .NET code to fetch SAS tokens from Key Vaulthttps://learn.microsoft.com/en-us/azure/key-vault/secrets/storage-keys-sas-tokens-code

Deployment

TopicURL
Deploy Azure Key Vault using ARM templateshttps://learn.microsoft.com/en-us/azure/key-vault/general/vault-create-template
Deploy Key Vault and key using Bicephttps://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-bicep
Deploy Key Vault and key with ARM templatehttps://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-template
Provision Key Vault and key using Terraformhttps://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-terraform
Provision and activate Managed HSM using Azure CLIhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-cli
Provision and activate Managed HSM with PowerShellhttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-powershell
Deploy Azure Managed HSM using ARM templatehttps://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-template
Deploy Key Vault and secrets using Bicep templateshttps://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-bicep
Deploy Key Vault and secrets with ARM templateshttps://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-template

> related_skills --same-repo

> azure-well-architected

Expert guidance for designing, assessing, and optimizing Azure workloads using Azure Well Architected. Covers design review checklists, recommendations, design principles, tradeoffs, service guides, workload patterns, and assessment questions. Use when architecting new solutions, reviewing existing workloads, or applying Well-Architected principles.

> azure-web-pubsub

Expert knowledge for Azure Web PubSub development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building, debugging, or optimizing Azure Web PubSub applications. Not for Azure SignalR Service (use azure-signalr-service), Azure Event Hubs (use azure-event-hubs), Azure Service Bus (use azure-service-bus), Azure Relay (use azure-relay).

> azure-web-application-firewall

Expert knowledge for Azure Web Application Firewall development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building, debugging, or optimizing Azure Web Application Firewall applications. Not for Azure Application Gateway (use azure-application-gateway), Azure Front Door (use azure-front-door), Azure Firewall (use azure-firewall), Azure DDos Protectio

> azure-vpn-gateway

Expert knowledge for Azure VPN Gateway development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building, debugging, or optimizing Azure VPN Gateway applications. Not for Azure Virtual Network (use azure-virtual-network), Azure Virtual WAN (use azure-virtual-wan), Azure ExpressRoute (use azure-expressroute), Azure Application Gateway (use azure-applica

┌ stats

installs/wk0
░░░░░░░░░░
github stars425
██████████
first seenMar 17, 2026
└────────────

┌ repo

MicrosoftDocs/Agent-Skills
by MicrosoftDocs
└────────────

┌ tags

#azure#security#testing
└────────────