🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-305 Domain 1
Domain 1 — Module 5 of 7 71%
5 of 30 overall

AZ-305 Study Guide

Domain 1: Design Identity, Governance, and Monitoring Solutions

  • Monitoring & Logging Design
  • Choosing Authentication Methods
  • Designing Identity Management
  • Authorizing Access to Resources
  • Secrets, Keys & Certificates
  • Governance at Scale
  • Compliance & Identity Governance

Domain 2: Design Data Storage Solutions

  • Relational Data: Choosing Your SQL Platform
  • Database Performance & Scalability
  • Database Security & Compliance
  • Cosmos DB & Semi-Structured Data
  • Blob, Data Lake & Azure Files
  • Data Integration & Analytics

Domain 3: Design Business Continuity Solutions

  • Recovery Objectives: RPO, RTO & SLA Free
  • Backup & Recovery for Compute Free
  • Backup for Databases & Unstructured Data Free
  • High Availability for Compute Free
  • High Availability for Data Free

Domain 4: Design Infrastructure Solutions

  • Compute Design: VMs & When to Use Them
  • Container Solutions: AKS, ACI & Container Apps
  • Serverless & Batch Processing
  • Messaging Architecture
  • Event-Driven Architecture
  • API Integration & Caching
  • App Configuration & Automated Deployment
  • Migration Strategy & Assessment
  • Executing Migrations
  • Network Connectivity: Internet & Hybrid
  • Network Security & Performance
  • Load Balancing & Routing

AZ-305 Study Guide

Domain 1: Design Identity, Governance, and Monitoring Solutions

  • Monitoring & Logging Design
  • Choosing Authentication Methods
  • Designing Identity Management
  • Authorizing Access to Resources
  • Secrets, Keys & Certificates
  • Governance at Scale
  • Compliance & Identity Governance

Domain 2: Design Data Storage Solutions

  • Relational Data: Choosing Your SQL Platform
  • Database Performance & Scalability
  • Database Security & Compliance
  • Cosmos DB & Semi-Structured Data
  • Blob, Data Lake & Azure Files
  • Data Integration & Analytics

Domain 3: Design Business Continuity Solutions

  • Recovery Objectives: RPO, RTO & SLA Free
  • Backup & Recovery for Compute Free
  • Backup for Databases & Unstructured Data Free
  • High Availability for Compute Free
  • High Availability for Data Free

Domain 4: Design Infrastructure Solutions

  • Compute Design: VMs & When to Use Them
  • Container Solutions: AKS, ACI & Container Apps
  • Serverless & Batch Processing
  • Messaging Architecture
  • Event-Driven Architecture
  • API Integration & Caching
  • App Configuration & Automated Deployment
  • Migration Strategy & Assessment
  • Executing Migrations
  • Network Connectivity: Internet & Hybrid
  • Network Security & Performance
  • Load Balancing & Routing
Domain 1: Design Identity, Governance, and Monitoring Solutions Premium ⏱ ~15 min read

Secrets, Keys & Certificates

Azure Key Vault is the architect's answer to 'where do we put the secrets?' Learn when to use Key Vault, Managed HSM, and certificate management — and when managed identities make secrets unnecessary.

Why secrets management design matters

☕ Simple explanation

Secrets are like car keys — you need them to go anywhere, but leaving them on the dashboard is asking for trouble.

Azure Key Vault is a secure vault (literally) for storing three types of sensitive data: secrets (passwords, connection strings, API keys), keys (encryption keys for protecting data), and certificates (TLS/SSL certificates for secure communication).

The architect’s job is designing WHERE secrets live, WHO can access them, and HOW to avoid needing them in the first place (managed identities).

Secrets management architecture involves several design decisions:

  • Key Vault topology: One vault per app? Per environment? Per region? How many is too many?
  • Key Vault vs Managed HSM: Software-protected keys vs FIPS 140-2 Level 3 hardware security modules
  • Access model: Vault access policy (legacy) vs Azure RBAC (recommended)
  • Certificate lifecycle: Auto-renewal, CA integration, certificate rotation
  • Eliminate secrets where possible: Managed identities, workload identity federation, Azure RBAC for data plane

Well-Architected Framework (Security): “Protect secrets” is a Zero Trust principle. The best secret is one that doesn’t exist — design with managed identities first, Key Vault second.

Key Vault design patterns

Vault topology

PatternDescriptionBest For
Per applicationEach app gets its own vaultStrong isolation between apps, clear ownership
Per environmentDev, staging, production vaultsPrevent dev secrets leaking to production
Per regionVault in each deployment regionLow-latency access, regional compliance
CombinedApp + environment + regionEnterprise standard: kv-appname-prod-aue

🏦 Elena’s design: FinSecure Bank uses the combined pattern:

  • kv-riskengine-prod-westeurope — production risk engine secrets in EU
  • kv-riskengine-dev-westeurope — dev environment (different access policies)
  • kv-shared-prod-westeurope — shared certificates (TLS wildcards)

Design principle: Don’t put all secrets in one vault. Key Vault has throttling limits (several thousand transactions per 10 seconds). Multiple apps hitting one vault can cause 429 errors. Separate vaults per app also reduce blast radius if a vault is compromised.

Key Vault access models

Key Vault Access Policy vs Azure RBAC
FactorVault Access Policy (legacy)Azure RBAC (recommended)
GranularityAll-or-nothing per object type (secrets, keys, certs)Per-operation (read, write, delete, backup, etc.)
ScopeVault level onlyVault, secret, key, or certificate level
IntegrationStandalone policy per vaultUnified with Azure RBAC — same portal, same tools
Conditional AccessNot supportedSupported — add context-aware policies
AuditSeparate audit mechanismStandard Azure RBAC audit logs
Best forLegacy deployments — migrate awayAll new deployments
💡 Exam tip: Always recommend Azure RBAC for Key Vault

Microsoft recommends Azure RBAC over vault access policies for all new deployments. If an exam scenario doesn’t specify a constraint, recommend RBAC. Key built-in roles:

  • Key Vault Administrator: Full management of all vault content
  • Key Vault Secrets Officer: Manage secrets only
  • Key Vault Secrets User: Read secrets only (ideal for applications)
  • Key Vault Crypto Officer: Manage keys
  • Key Vault Certificates Officer: Manage certificates

Key Vault vs Managed HSM

For encryption key management, the choice depends on your compliance requirements:

Key Vault (Standard/Premium) vs Managed HSM
FactorKey Vault StandardKey Vault PremiumManaged HSM
Key protectionSoftware-protectedHSM-protected (shared HSM pool)Dedicated FIPS 140-2 Level 3 HSM
Key typesRSA, ECRSA, EC (HSM-backed)RSA, EC, AES (full HSM control)
ComplianceGeneral useMost regulationsFIPS 140-2 Level 3 — for orgs requiring dedicated HSM hardware
PerformanceGoodGoodHigh — dedicated HSM capacity
CostLowestMediumHighest — dedicated hardware
Best forDev, non-regulated appsMost production workloadsFinancial services, government, high-security

🏦 Elena’s decision: FinSecure Bank uses Managed HSM for customer encryption keys (their internal security policy requires FIPS 140-2 Level 3 dedicated hardware) and Key Vault Premium for application secrets and TLS certificates (HSM-protected but shared pool is fine for secrets).

Certificate management design

Certificate sources

SourceDescriptionAuto-Renewal
Key Vault generatedKey Vault acts as CA client, requests from integrated CAsYes — automatic before expiry
Self-signed (KV generated)Key Vault creates self-signed certsYes — automatic rotation
ImportedUpload existing PFX/PEM certificatesNo — manual replacement
App Service Managed CertificatesFree TLS certs for App Service custom domainsYes — auto-renewed by Azure

🚀 Marcus’s strategy: NovaSaaS uses:

  • App Service Managed Certificates for customer-facing domains (free, auto-renewed)
  • Key Vault integrated certificates (DigiCert CA) for API mutual TLS (auto-renewed, stored centrally)
  • Self-signed for dev/test only (never production)
ℹ️ Design decision: Certificate rotation and zero-downtime

When designing certificate management, plan for rotation:

  • Key Vault + App Service integration: App Service can reference a Key Vault certificate. When the cert is renewed in Key Vault, App Service picks it up automatically (within 24 hours).
  • Key Vault + Application Gateway: Similar integration — cert updates propagate automatically.
  • Key Vault + custom apps: Use Key Vault SDK with certificate version “latest” to always get the current cert on app restart.

Anti-pattern: Don’t hard-code certificate thumbprints in application config. When the cert rotates, your app breaks.

The secret elimination hierarchy

Before adding a secret to Key Vault, ask: can I eliminate it entirely?

PriorityApproachExample
1Managed identityApp Service → Storage (no connection string needed)
2Workload identity federationGitHub Actions → Azure (no stored secret)
3Certificate-based authService principal with certificate instead of secret
4Key Vault secretThird-party API keys that can’t use managed identity
5Connection stringLast resort — stored in Key Vault, referenced by app

🏛️ David’s rule for government clients: “If you’re putting a secret in Key Vault, you should first explain why a managed identity won’t work. Every secret is an operational liability — it can expire, leak, or be misconfigured. The fewer secrets you manage, the more secure and reliable your architecture.”

Knowledge check

Question

What's the recommended access model for Azure Key Vault?

Click or press Enter to reveal answer

Answer

Azure RBAC (not vault access policies). RBAC provides per-operation granularity (read vs write vs delete), works at individual secret/key/certificate scope, integrates with Conditional Access, and uses the same audit logs as all Azure RBAC.

Click to flip back
Question

When should you recommend Managed HSM over Key Vault Premium?

Click or press Enter to reveal answer

Answer

When the organisation requires FIPS 140-2 Level 3 compliance (dedicated HSM hardware). Managed HSM provides a dedicated HSM pool with full key control, required for financial services (PCI DSS), government, and high-security workloads. Key Vault Premium uses a shared HSM pool — sufficient for most regulations but not Level 3.

Click to flip back
Question

What's the top priority before adding a secret to Key Vault?

Click or press Enter to reveal answer

Answer

Ask: can I use a managed identity instead? The best secret is one that doesn't exist. Managed identities eliminate credential management entirely for Azure-to-Azure service communication. Only store secrets in Key Vault when managed identity isn't possible (e.g., third-party API keys).

Click to flip back
Knowledge Check

🏦 FinSecure Bank needs to store encryption keys for customer data. Their compliance framework (PCI DSS) requires FIPS 140-2 Level 3 hardware protection. They also need to store TLS certificates and application secrets. Which combination should Elena recommend?
Knowledge Check

🚀 Marcus's team is building a new microservice that needs to access Azure Cosmos DB and Azure Storage. What should Marcus recommend as the FIRST approach for authentication?

🎬 Video coming soon

Next up: Individual access is designed — now let’s think bigger. How do you govern hundreds of subscriptions? — Governance at Scale.

← Previous

Authorizing Access to Resources

Next →

Governance at Scale

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.