Microsoft.KeyVault vaults

Remarks

For guidance on using key vaults for secure values, see Manage secrets by using Bicep.

For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.

For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.

Bicep resource definition

The vaults resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/vaults@2025-05-01' = {
  scope: resourceSymbolicName or scope
  location: 'string'
  name: 'string'
  properties: {
    accessPolicies: [
      {
        applicationId: 'string'
        objectId: 'string'
        permissions: {
          certificates: [
            'string'
          ]
          keys: [
            'string'
          ]
          secrets: [
            'string'
          ]
          storage: [
            'string'
          ]
        }
        tenantId: 'string'
      }
    ]
    createMode: 'string'
    enabledForDeployment: bool
    enabledForDiskEncryption: bool
    enabledForTemplateDeployment: bool
    enablePurgeProtection: bool
    enableRbacAuthorization: bool
    enableSoftDelete: bool
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          value: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          id: 'string'
          ignoreMissingVnetServiceEndpoint: bool
        }
      ]
    }
    provisioningState: 'string'
    publicNetworkAccess: 'string'
    sku: {
      family: 'string'
      name: 'string'
    }
    softDeleteRetentionInDays: int
    tenantId: 'string'
    vaultUri: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property Values

Microsoft.KeyVault/vaults

Name Description Value
location The supported Azure location where the key vault should be created. string (required)
name The resource name string (required)
properties Properties of the vault VaultProperties (required)
scope Use when creating a resource at a scope that is different than the deployment scope. Set this property to the symbolic name of a resource to apply the extension resource.
tags Resource tags Dictionary of tag names and values. See Tags in templates

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required)

IPRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

NetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. 'AzureServices'
'None'
defaultAction The default action when no rule from ipRules or virtualNetworkRules matches. This is only used after the bypass property has been evaluated. 'Allow'
'Deny'
ipRules The list of IP address rules. IPRule[]
virtualNetworkRules The list of virtual network rules. VirtualNetworkRule[]
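The NetworkRuleSet rows above describe an evaluation order (bypass is settled first, then ipRules and virtualNetworkRules, and defaultAction only when nothing matched), and the VaultProperties table further down states that publicNetworkAccess 'disabled' overrides the firewall rules entirely. The Python below is an added example, not code from this reference or from the Key Vault service: it models that decision for a vault's properties object so a reviewer can check what a given source would get before deploying. Two points are assumptions made here rather than statements on the page: private endpoint traffic is admitted in every mode, and trusted-service traffic still requires bypass 'AzureServices' even when public access is disabled. The sample vault configurations and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Request:
    """Where a request comes from, as the vault firewall sees it."""
    kind: str                         # 'public' | 'vnet' | 'trusted_service' | 'private_endpoint'
    ip: Optional[str] = None          # source address for kind == 'public'
    subnet_id: Optional[str] = None   # source subnet resource id for kind == 'vnet'


def evaluate_access(properties: dict, req: Request) -> tuple[str, str]:
    """Decide Allow/Deny for one request against a vault's 'properties' object.

    Order follows the reference tables: publicNetworkAccess and bypass are settled first,
    then ipRules / virtualNetworkRules, and defaultAction only if no rule matched.
    """
    acls = properties.get("networkAcls") or {}
    bypass = str(acls.get("bypass") or "AzureServices").lower()        # page default when unspecified
    default_action = str(acls.get("defaultAction") or "Allow").lower()
    public_access = str(properties.get("publicNetworkAccess") or "enabled").lower()

    if req.kind == "private_endpoint":
        # Assumption made here: private endpoint traffic is not subject to the firewall in any mode
        return ALLOW, "private endpoint traffic is admitted regardless of firewall rules"
    if req.kind == "trusted_service":
        # Assumption made here: trusted services need bypass=AzureServices even when public access is disabled
        if bypass == "azureservices":
            return ALLOW, "bypass=AzureServices admits trusted services before any rule is consulted"
        return DENY, "bypass=None: trusted services get no exception"
    if public_access == "disabled":
        return DENY, "publicNetworkAccess=disabled: firewall rules are not honored for public or vnet traffic"
    if req.kind == "public" and req.ip:
        src = ipaddress.ip_address(req.ip)
        for rule in acls.get("ipRules") or []:
            # a bare address such as '124.56.78.91' parses as a /32 network
            if src in ipaddress.ip_network(rule["value"], strict=False):
                return ALLOW, f"matched ipRule {rule['value']}"
    if req.kind == "vnet" and req.subnet_id:
        for rule in acls.get("virtualNetworkRules") or []:
            if rule["id"].lower() == req.subnet_id.lower():   # resource ids are compared case-insensitively here
                return ALLOW, "matched virtualNetworkRule"
    action = ALLOW if default_action == "allow" else DENY
    return action, f"no rule matched; defaultAction={acls.get('defaultAction', 'Allow')}"


# Constructed sample vault properties (not from the page) covering three postures.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
          "/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1")
FIREWALLED_VAULT = {
    "publicNetworkAccess": "enabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
                    "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7"}],
                    "virtualNetworkRules": [{"id": SUBNET}]},
}
LOCKED_DOWN_VAULT = {**FIREWALLED_VAULT, "publicNetworkAccess": "disabled"}
OPEN_VAULT = {}   # no networkAcls and no publicNetworkAccess: the page defaults (AzureServices / Allow) apply

if __name__ == "__main__":
    for props, req in [(FIREWALLED_VAULT, Request("public", ip="203.0.113.9")),
                       (FIREWALLED_VAULT, Request("public", ip="198.51.100.8")),
                       (LOCKED_DOWN_VAULT, Request("vnet", subnet_id=SUBNET)),
                       (LOCKED_DOWN_VAULT, Request("private_endpoint"))]:
        print(req.kind, req.ip or req.subnet_id or "", *evaluate_access(props, req))
```

The useful check is the combination: a vault with defaultAction 'Deny' and an IP rule still accepts that rule's addresses while publicNetworkAccess is 'enabled', and stops doing so the moment it is set to 'disabled', which is the behaviour the publicNetworkAccess row describes.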

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'getrotationpolicy'
'import'
'list'
'purge'
'recover'
'release'
'restore'
'rotate'
'setrotationpolicy'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

Sku

Name Description Value
family SKU family name 'A' (required)
name SKU name to specify whether the key vault is a standard vault or a premium vault. 'premium'
'standard' (required)

VaultCreateOrUpdateParametersTags

Name Description Value

VaultProperties

Name Description Value
accessPolicies An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. AccessPolicyEntry[]
createMode The vault's create mode, indicating whether the vault needs to be recovered or not. 'default'
'recover'
enabledForDeployment Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. bool
enabledForDiskEncryption Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. bool
enabledForTemplateDeployment Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. bool
enablePurgeProtection Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. bool
enableRbacAuthorization Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value (true or false) when creating a new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. bool
networkAcls Rules governing the accessibility of the key vault from specific network locations. NetworkRuleSet
provisioningState Provisioning state of the vault. 'RegisteringDns'
'Succeeded'
publicNetworkAccess Property to specify whether the vault will accept traffic from the public internet. If set to 'disabled', all traffic except private endpoint traffic and traffic that originates from trusted services will be blocked. This overrides the configured firewall rules, meaning that even if firewall rules are present they will not be honored. string
sku SKU details Sku (required)
softDeleteRetentionInDays softDelete data retention days. It accepts >=7 and <=90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required)
vaultUri The URI of the vault for performing operations on keys and secrets. string

VirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)
ignoreMissingVnetServiceEndpoint Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. bool

Usage Examples

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

Module Description
Key Vault AVM Resource Module for Key Vault

Azure Quickstart Samples

The following Azure Quickstart templates contain Bicep samples for deploying this resource type.

Bicep File Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Application Gateway with internal API Management and Web App Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.
Azure AI Foundry basic setup This set of templates demonstrates how to set up Azure AI Foundry with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Foundry basic setup This set of templates demonstrates how to set up Azure AI Foundry with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Foundry Network Restricted This set of templates demonstrates how to set up Azure AI Foundry with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Foundry with Microsoft Entra ID Authentication This set of templates demonstrates how to set up Azure AI Foundry with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage.
Azure AI Studio basic setup This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio Network Restricted This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure Function app and an HTTP-triggered function This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key.
Azure Machine Learning end-to-end secure setup This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy) This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Storage Account Encryption with customer-managed key This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.
Basic Agent Setup Identity This set of templates demonstrates how to set up Azure AI Agent Service with the basic setup using managed identity authentication for the AI Service/AOAI connection. Agents use multi-tenant search and storage resources fully managed by Microsoft. You won’t have visibility or control over these underlying Azure resources.
Create a Key Vault and a list of secrets This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters
Create a network security perimeter This template creates a network security perimeter and its associated resource for protecting an Azure key vault.
Create an AKS compute target with a Private IP address This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address.
Create an API Management service with SSL from KeyVault This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create an Azure Key Vault and a secret This template creates an Azure Key Vault and a secret.
Create an Azure Key Vault with RBAC and a secret This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets
Create an Azure Machine Learning service workspace This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning.
Create an Azure Machine Learning service workspace (CMK) This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys.
Create an Azure Machine Learning service workspace (CMK) This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key.
Create an Azure Machine Learning service workspace (legacy) This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create an Azure Machine Learning service workspace (vnet) This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create Application Gateway with Certificates This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway.
Create Key Vault with logging enabled This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources.
Create key vault, managed identity, and role assignment This template creates a key vault, managed identity, and role assignment.
Creates a Cross-tenant Private Endpoint resource This template allows you to create a Private Endpoint resource within the same or cross-tenant environment and add DNS zone configuration.
Creates a Dapr pub-sub servicebus app using Container Apps Create a Dapr pub-sub servicebus app using Container Apps.
Deploy Secure AI Foundry with a managed virtual network This template creates a secure Azure AI Foundry environment with robust network and identity security restrictions.
Deploy the Sports Analytics on Azure Architecture Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (and the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role.
FinOps hub This template creates a new FinOps hub instance, including Data Explorer, Data Lake storage, and Data Factory.
Network Secured Agent with User Managed Identity This set of templates demonstrates how to set up Azure AI Agent Service with virtual network isolation using User Managed Identity authentication for the AI Service/AOAI connection and private network links to connect the agent to your secure data.
Standard Agent Setup This set of templates demonstrates how to set up Azure AI Agent Service with the standard setup, meaning with managed identity authentication for project/hub connections and public internet access enabled. Agents use customer-owned, single-tenant search and storage resources. With this setup, you have full control and visibility over these resources, but you will incur costs based on your usage.
Testing environment for Azure Firewall Premium This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering

ARM template resource definition

The vaults resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2025-05-01",
  "name": "string",
  "location": "string",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": "string",
        "objectId": "string",
        "permissions": {
          "certificates": [ "string" ],
          "keys": [ "string" ],
          "secrets": [ "string" ],
          "storage": [ "string" ]
        },
        "tenantId": "string"
      }
    ],
    "createMode": "string",
    "enabledForDeployment": "bool",
    "enabledForDiskEncryption": "bool",
    "enabledForTemplateDeployment": "bool",
    "enablePurgeProtection": "bool",
    "enableRbacAuthorization": "bool",
    "enableSoftDelete": "bool",
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "value": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "string",
          "ignoreMissingVnetServiceEndpoint": "bool"
        }
      ]
    },
    "provisioningState": "string",
    "publicNetworkAccess": "string",
    "sku": {
      "family": "string",
      "name": "string"
    },
    "softDeleteRetentionInDays": "int",
    "tenantId": "string",
    "vaultUri": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property Values

Microsoft.KeyVault/vaults

Name Description Value
apiVersion The api version '2025-05-01'
location The supported Azure location where the key vault should be created. string (required)
name The resource name string (required)
properties Properties of the vault VaultProperties (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.KeyVault/vaults'

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required)

IPRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

NetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. 'AzureServices'
'None'
defaultAction The default action when no rule from ipRules or virtualNetworkRules matches. This is only used after the bypass property has been evaluated. 'Allow'
'Deny'
ipRules The list of IP address rules. IPRule[]
virtualNetworkRules The list of virtual network rules. VirtualNetworkRule[]

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'getrotationpolicy'
'import'
'list'
'purge'
'recover'
'release'
'restore'
'rotate'
'setrotationpolicy'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

Sku

Name Description Value
family SKU family name 'A' (required)
name SKU name to specify whether the key vault is a standard vault or a premium vault. 'premium'
'standard' (required)

VaultCreateOrUpdateParametersTags

Name Description Value

VaultProperties

Name Description Value
accessPolicies An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. AccessPolicyEntry[]
createMode The vault's create mode, indicating whether the vault needs to be recovered or not. 'default'
'recover'
enabledForDeployment Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. bool
enabledForDiskEncryption Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. bool
enabledForTemplateDeployment Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. bool
enablePurgeProtection Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. bool
enableRbacAuthorization Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value (true or false) when creating a new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. bool
networkAcls Rules governing the accessibility of the key vault from specific network locations. NetworkRuleSet
provisioningState Provisioning state of the vault. 'RegisteringDns'
'Succeeded'
publicNetworkAccess Property to specify whether the vault will accept traffic from the public internet. If set to 'disabled', all traffic except private endpoint traffic and traffic that originates from trusted services will be blocked. This overrides the configured firewall rules, meaning that even if firewall rules are present they will not be honored. string
sku SKU details Sku (required)
softDeleteRetentionInDays softDelete data retention days. It accepts >=7 and <=90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required)
vaultUri The URI of the vault for performing operations on keys and secrets. string

VirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)
ignoreMissingVnetServiceEndpoint Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. bool
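The property tables in both the Bicep and the ARM template sections state constraints (36-character GUIDs for tenantId and objectId, 0 to 1024 access policies that must share the vault's tenant, softDeleteRetentionInDays between 7 and 90, enablePurgeProtection never false, the fixed permission vocabularies) alongside settings whose defaults are the weaker choice (enableRbacAuthorization false, defaultAction 'Allow', public network access enabled). The Python below is an added example, not code from this reference or any Microsoft tool: a small linter that takes one Microsoft.KeyVault/vaults resource as parsed ARM JSON (a Bicep file compiled to JSON yields the same shape) and reports constraint violations as errors and weak posture as warnings. Case-insensitive comparison of permission names is an assumption of this linter, not something the page states; the two sample vault resources and their GUIDs are constructed.

```python
import re

# GUID constraint from the tenantId / objectId rows of the tables above
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Permission vocabularies from the Permissions table; compared case-insensitively here, which is an
# assumption of this linter rather than something the page states
ALLOWED_PERMISSIONS = {
    "certificates": {"all", "backup", "create", "delete", "deleteissuers", "get", "getissuers", "import", "list",
                     "listissuers", "managecontacts", "manageissuers", "purge", "recover", "restore", "setissuers", "update"},
    "keys": {"all", "backup", "create", "decrypt", "delete", "encrypt", "get", "getrotationpolicy", "import", "list",
             "purge", "recover", "release", "restore", "rotate", "setrotationpolicy", "sign", "unwrapkey", "update",
             "verify", "wrapkey"},
    "secrets": {"all", "backup", "delete", "get", "list", "purge", "recover", "restore", "set"},
    "storage": {"all", "backup", "delete", "deletesas", "get", "getsas", "list", "listsas", "purge", "recover",
                "regeneratekey", "restore", "set", "setsas", "update"},
}


def lint_vault(resource: dict) -> list[tuple[str, str, str]]:
    """Return (severity, path, message) findings: 'error' breaks a stated constraint, 'warning' weakens posture."""
    findings: list[tuple[str, str, str]] = []

    def add(severity: str, path: str, message: str) -> None:
        findings.append((severity, path, message))

    props = resource.get("properties")
    if not isinstance(props, dict):
        add("error", "properties", "required object is missing")
        return findings

    sku = props.get("sku") or {}
    if sku.get("family") != "A" or sku.get("name") not in ("standard", "premium"):
        add("error", "properties.sku", "family must be 'A' and name 'standard' or 'premium'")
    vault_tenant = props.get("tenantId")
    if not isinstance(vault_tenant, str) or not GUID_RE.match(vault_tenant):
        add("error", "properties.tenantId", "required 36-character GUID is missing or malformed")

    policies = props.get("accessPolicies")
    if policies is None and props.get("createMode", "default") != "recover":
        add("error", "properties.accessPolicies", "required unless createMode is 'recover' (an empty array is valid)")
    policies = policies or []
    if len(policies) > 1024:
        add("error", "properties.accessPolicies", "at most 1024 entries are allowed")
    for i, entry in enumerate(policies):
        path = f"properties.accessPolicies[{i}]"
        if not entry.get("objectId"):
            add("error", f"{path}.objectId", "required")
        tenant = entry.get("tenantId")
        if not isinstance(tenant, str) or not GUID_RE.match(tenant):
            add("error", f"{path}.tenantId", "required 36-character GUID is missing or malformed")
        elif isinstance(vault_tenant, str) and tenant.lower() != vault_tenant.lower():
            add("error", f"{path}.tenantId", "must match the vault's tenantId")
        perms = entry.get("permissions")
        if not isinstance(perms, dict):
            add("error", f"{path}.permissions", "required object is missing")
            continue
        for category, values in perms.items():
            allowed = ALLOWED_PERMISSIONS.get(category, set())
            for value in values:
                if str(value).lower() not in allowed:
                    add("error", f"{path}.permissions.{category}", f"unknown permission {value!r}")
            if any(str(v).lower() == "all" for v in values):
                add("warning", f"{path}.permissions.{category}", "'all' includes purge and backup; prefer an explicit list")

    # Authorization model: the page default (false) means access policies, not RBAC, govern data actions
    if props.get("enableRbacAuthorization") is not True:
        add("warning", "properties.enableRbacAuthorization", "not true: data actions are authorized by access policies")

    # Recovery: soft delete is one-way and defaults to true; purge protection is one-way and rejects false
    if props.get("enableSoftDelete") is False:
        add("warning", "properties.enableSoftDelete", "false: deleted vault content cannot be recovered")
    retention = props.get("softDeleteRetentionInDays")
    if retention is not None and (not isinstance(retention, int) or not 7 <= retention <= 90):
        add("error", "properties.softDeleteRetentionInDays", "must be an integer from 7 to 90")
    purge = props.get("enablePurgeProtection")
    if purge is False:
        add("error", "properties.enablePurgeProtection", "does not accept false; omit it or set it to true")
    elif purge is not True:
        add("warning", "properties.enablePurgeProtection", "not enabled: soft-deleted content can still be purged early")

    # Network exposure: deny by default, and disable public access where private endpoints carry the traffic
    acls = props.get("networkAcls") or {}
    if str(acls.get("defaultAction", "Allow")).lower() != "deny":
        add("warning", "properties.networkAcls.defaultAction", "not 'Deny': any source not excluded by a rule can reach the vault")
    if str(props.get("publicNetworkAccess", "enabled")).lower() != "disabled":
        add("warning", "properties.publicNetworkAccess", "not 'disabled': internet reachability rests on firewall rules alone")
    return findings


TENANT = "11111111-2222-3333-4444-555555555555"   # constructed sample tenant GUID
# Constructed sample resources (not from the page): a hardened vault and a weak one
HARDENED_VAULT = {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2025-05-01", "name": "kv-prod-01",
                  "location": "westeurope", "properties": {"tenantId": TENANT, "sku": {"family": "A", "name": "standard"},
                  "accessPolicies": [], "enableRbacAuthorization": True, "enableSoftDelete": True,
                  "softDeleteRetentionInDays": 90, "enablePurgeProtection": True, "publicNetworkAccess": "disabled",
                  "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny"}}}
WEAK_VAULT = {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2025-05-01", "name": "kv-dev-01",
              "location": "westeurope", "properties": {"tenantId": TENANT, "sku": {"family": "A", "name": "standard"},
              "accessPolicies": [{"objectId": "66666666-7777-8888-9999-aaaaaaaaaaaa", "tenantId": TENANT,
                                  "permissions": {"keys": ["all"], "secrets": ["get", "list", "Purge"]}}],
              "enablePurgeProtection": False, "softDeleteRetentionInDays": 3,
              "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow"}}}
```

Run it over the resources in a compiled template (for example the output of `bicep build`) in a pre-deployment check: errors correspond to deployments that the tables say cannot succeed, while warnings are the review points, and the hardened sample shows the combination of settings that produces none.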

Usage Examples

Azure Quickstart Templates

The following Azure Quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
App Service Environment with Azure SQL backend This template creates an App Service Environment with an Azure SQL backend along with private endpoints and the associated resources typically used in a private/isolated environment.
Application Gateway with internal API Management and Web App Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.
Azure AI Foundry basic setup This set of templates demonstrates how to set up Azure AI Foundry with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Foundry basic setup This set of templates demonstrates how to set up Azure AI Foundry with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Foundry Network Restricted This set of templates demonstrates how to set up Azure AI Foundry with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Foundry with Microsoft Entra ID Authentication This set of templates demonstrates how to set up Azure AI Foundry with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage.
Azure AI Studio basic setup This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio Network Restricted This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure Function app and an HTTP-triggered function This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key.
Azure Machine Learning end-to-end secure setup This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy) This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning Workspace This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Application Insights Logging
Azure Storage Account Encryption with customer-managed key This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.
Basic Agent Setup Identity This set of templates demonstrates how to set up Azure AI Agent Service with the basic setup using managed identity authentication for the AI Service/AOAI connection. Agents use multi-tenant search and storage resources fully managed by Microsoft. You won’t have visibility or control over these underlying Azure resources.
Connect to a Key Vault via private endpoint This sample shows how to configure a virtual network and private DNS zone to access Key Vault via private endpoint.
Create a Key Vault and a list of secrets This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters
Create a KeyVault This module creates a KeyVault resource with apiVersion 2019-09-01.
Create a network security perimeter This template creates a network security perimeter and its associated resource for protecting an Azure key vault.
Create a new encrypted windows vm from gallery image This template creates a new encrypted windows vm using the server 2k12 gallery image.
Create a Private AKS Cluster with a Public DNS Zone This sample shows how to deploy a private AKS cluster with a Public DNS Zone.
Create AML workspace with multiple Datasets & Datastores This template creates an Azure Machine Learning workspace with multiple datasets & datastores.
Create an AKS compute target with a Private IP address This template creates an AKS compute target in a given Azure Machine Learning service workspace with a private IP address.
Create an API Management service with SSL from KeyVault This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch the SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create an Application Gateway V2 with Key Vault This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway.
Create an Azure Key Vault and a secret This template creates an Azure Key Vault and a secret.
Create an Azure Key Vault with RBAC and a secret This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets
Create an Azure Machine Learning service workspace This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning.
Create an Azure Machine Learning service workspace (CMK) This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys.
Create an Azure Machine Learning service workspace (CMK) This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key.
Create an Azure Machine Learning service workspace (legacy) This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create an Azure Machine Learning service workspace (vnet)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create and encrypt a new Windows VMSS with jumpbox

Deploy to Azure
This template allows you to deploy a simple VM Scale Set of Windows VMs using the lastest patched version of serveral Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses.This template enables encryption on the VM Scale Set of Windows VMs.
Create Application Gateway with Certificates

Deploy to Azure
This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway.
Create Key Vault with logging enabled

Deploy to Azure
This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources.
Create key vault, managed identity, and role assignment

Deploy to Azure
This template creates a key vault, managed identity, and role assignment.
Create new encrypted managed disks win-vm from gallery image

Deploy to Azure
This template creates a new encrypted managed disks windows vm using the server 2k12 gallery image.
Creates a Cross-tenant Private Endpoint resource

Deploy to Azure
This template allows you to create Priavate Endpoint resource within the same or cross-tenant environment and add dns zone configuration.
Creates a Dapr pub-sub servicebus app using Container Apps

Deploy to Azure
Create a Dapr pub-sub servicebus app using Container Apps.
Deploy Secure AI Foundry with a managed virtual network

Deploy to Azure
This template creates a secure Azure AI Foundry environment with robust network and identity security restrictions.
Deploy the Sports Analytics on Azure Architecture

Deploy to Azure
Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role.
Enable encryption on a running Windows VM

Deploy to Azure
This template enables encryption on a running windows vm.
FinOps hub

Deploy to Azure
This template creates a new FinOps hub instance, including Data Explorer, Data Lake storage, and Data Factory.
Network Secured Agent with User Managed Identity

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Agent Service with virtual network isolation using User Managed Identity authetication for the AI Service/AOAI connection and private network links to connect the agent to your secure data.
Standard Agent Setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Agent Service with the standard setup, meaning with managed identity authentication for project/hub connections and public internet access enabled. Agents use customer-owned, single-tenant search and storage resources. With this setup, you have full control and visibility over these resources, but you will incur costs based on your usage.
Testing environment for Azure Firewall Premium

Deploy to Azure
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
This template encrypts a running Windows VMSS

Deploy to Azure
This template enables encryption on a running Windows VM Scale Set

Terraform (AzAPI provider) resource definition

The vaults resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults@2025-05-01"
  name = "string"
  parent_id = "string"
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      accessPolicies = [
        {
          applicationId = "string"
          objectId = "string"
          permissions = {
            certificates = [
              "string"
            ]
            keys = [
              "string"
            ]
            secrets = [
              "string"
            ]
            storage = [
              "string"
            ]
          }
          tenantId = "string"
        }
      ]
      createMode = "string"
      enabledForDeployment = bool
      enabledForDiskEncryption = bool
      enabledForTemplateDeployment = bool
      enablePurgeProtection = bool
      enableRbacAuthorization = bool
      enableSoftDelete = bool
      networkAcls = {
        bypass = "string"
        defaultAction = "string"
        ipRules = [
          {
            value = "string"
          }
        ]
        virtualNetworkRules = [
          {
            id = "string"
            ignoreMissingVnetServiceEndpoint = bool
          }
        ]
      }
      provisioningState = "string"
      publicNetworkAccess = "string"
      sku = {
        family = "string"
        name = "string"
      }
      softDeleteRetentionInDays = int
      tenantId = "string"
      vaultUri = "string"
    }
  }
}

Property Values

Microsoft.KeyVault/vaults

| Name | Description | Value |
| --- | --- | --- |
| location | The supported Azure location where the key vault should be created. | string (required) |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | Properties of the vault | VaultProperties (required) |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.KeyVault/vaults@2025-05-01" |

AccessPolicyEntry

| Name | Description | Value |
| --- | --- | --- |
| applicationId | Application ID of the client making the request on behalf of a principal | string. Constraints: min length = 36, max length = 36, pattern = `^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$` |
| objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
| permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required). Constraints: min length = 36, max length = 36, pattern = `^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$` |

IPRule

| Name | Description | Value |
| --- | --- | --- |
| value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |

NetworkRuleSet

| Name | Description | Value |
| --- | --- | --- |
| bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified, the default is 'AzureServices'. | 'AzureServices', 'None' |
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules matches. This is only used after the bypass property has been evaluated. | 'Allow', 'Deny' |
| ipRules | The list of IP address rules. | IPRule[] |
| virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule[] |

Permissions

| Name | Description | Value |
| --- | --- | --- |
| certificates | Permissions to certificates | String array containing any of: 'all', 'backup', 'create', 'delete', 'deleteissuers', 'get', 'getissuers', 'import', 'list', 'listissuers', 'managecontacts', 'manageissuers', 'purge', 'recover', 'restore', 'setissuers', 'update' |
| keys | Permissions to keys | String array containing any of: 'all', 'backup', 'create', 'decrypt', 'delete', 'encrypt', 'get', 'getrotationpolicy', 'import', 'list', 'purge', 'recover', 'release', 'restore', 'rotate', 'setrotationpolicy', 'sign', 'unwrapKey', 'update', 'verify', 'wrapKey' |
| secrets | Permissions to secrets | String array containing any of: 'all', 'backup', 'delete', 'get', 'list', 'purge', 'recover', 'restore', 'set' |
| storage | Permissions to storage accounts | String array containing any of: 'all', 'backup', 'delete', 'deletesas', 'get', 'getsas', 'list', 'listsas', 'purge', 'recover', 'regeneratekey', 'restore', 'set', 'setsas', 'update' |

Sku

| Name | Description | Value |
| --- | --- | --- |
| family | SKU family name | 'A' (required) |
| name | SKU name to specify whether the key vault is a standard vault or a premium vault. | 'premium', 'standard' (required) |

VaultCreateOrUpdateParametersTags

| Name | Description | Value |
| --- | --- | --- |

VaultProperties

| Name | Description | Value |
| --- | --- | --- |
| accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. | AccessPolicyEntry[] |
| createMode | The vault's create mode, indicating whether the vault needs to be recovered or not. | 'default', 'recover' |
| enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool |
| enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
| enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool |
| enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content; only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible, that is, the property does not accept false as its value. | bool |
| enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool |
| enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it is not set to any value (true or false) when creating a new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool |
| networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet |
| provisioningState | Provisioning state of the vault. | 'RegisteringDns', 'Succeeded' |
| publicNetworkAccess | Property to specify whether the vault will accept traffic from the public internet. If set to 'disabled', all traffic except private endpoint traffic and traffic that originates from trusted services will be blocked. This overrides the configured firewall rules: even if firewall rules are present, they are not honored. | string |
| sku | SKU details | Sku (required) |
| softDeleteRetentionInDays | Soft delete data retention in days. It accepts values from 7 to 90 inclusive. | int |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required). Constraints: min length = 36, max length = 36, pattern = `^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$` |
| vaultUri | The URI of the vault for performing operations on keys and secrets. | string |

VirtualNetworkRule

| Name | Description | Value |
| --- | --- | --- |
| id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
| ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if the parent subnet has serviceEndpoints configured. | bool |

Usage Examples

Terraform Samples

A basic example of deploying Key Vault.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

data "azurerm_client_config" "current" {
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "vault" {
  type      = "Microsoft.KeyVault/vaults@2021-10-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      accessPolicies = [
        {
          objectId = data.azurerm_client_config.current.object_id
          permissions = {
            certificates = [
              "ManageContacts",
            ]
            keys = [
              "Create",
            ]
            secrets = [
              "Set",
            ]
            storage = [
            ]
          }
          tenantId = data.azurerm_client_config.current.tenant_id
        },
      ]
      createMode                   = "default"
      enableRbacAuthorization      = false
      enableSoftDelete             = true
      enabledForDeployment         = false
      enabledForDiskEncryption     = false
      enabledForTemplateDeployment = false
      publicNetworkAccess          = "Enabled"
      sku = {
        family = "A"
        name   = "standard"
      }
      softDeleteRetentionInDays = 7
      tenantId                  = data.azurerm_client_config.current.tenant_id
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
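The sample above leaves the vault on access policies, with public network access enabled, no network ACLs and no purge protection. The following Python check is an added example (not code from this page, Microsoft or the AzAPI provider): it takes the JSON body that the `body` argument is sent as, enforces the constraints stated in the AccessPolicyEntry, NetworkRuleSet, Sku and VaultProperties tables, and then reports the settings a reviewer would tighten. Both vault bodies are constructed for the example, the tenant and object IDs are placeholders, and comparing permission names case-insensitively is an assumption based on the sample's mixed-case values.

```python
"""Offline audit of a Microsoft.KeyVault/vaults properties body (added example)."""
import re

# GUID pattern from the tenantId/applicationId constraints in the tables.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Allowed names from the Permissions table, lower-cased (case-insensitive compare is an assumption).
PERMISSIONS = {
    "certificates": {"all", "backup", "create", "delete", "deleteissuers", "get", "getissuers",
                     "import", "list", "listissuers", "managecontacts", "manageissuers", "purge",
                     "recover", "restore", "setissuers", "update"},
    "keys": {"all", "backup", "create", "decrypt", "delete", "encrypt", "get", "getrotationpolicy",
             "import", "list", "purge", "recover", "release", "restore", "rotate",
             "setrotationpolicy", "sign", "unwrapkey", "update", "verify", "wrapkey"},
    "secrets": {"all", "backup", "delete", "get", "list", "purge", "recover", "restore", "set"},
    "storage": {"all", "backup", "delete", "deletesas", "get", "getsas", "list", "listsas",
                "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update"},
}


def validate_vault(props):
    """Constraint violations against the property tables; an empty list means well-formed."""
    errors = []
    tenant = props.get("tenantId", "")
    if not GUID_RE.match(tenant):
        errors.append("tenantId must be a 36-character GUID")
    sku = props.get("sku") or {}
    if sku.get("family") != "A":
        errors.append("sku.family must be 'A'")
    if sku.get("name") not in ("standard", "premium"):
        errors.append("sku.name must be 'standard' or 'premium'")
    days = props.get("softDeleteRetentionInDays")
    if days is not None and not 7 <= days <= 90:
        errors.append("softDeleteRetentionInDays must be between 7 and 90")
    if props.get("createMode", "default") != "recover" and "accessPolicies" not in props:
        errors.append("accessPolicies is required unless createMode is 'recover'")
    policies = props.get("accessPolicies", [])
    if len(policies) > 1024:
        errors.append("accessPolicies may hold at most 1024 entries")
    seen = set()
    for i, p in enumerate(policies):
        if p.get("tenantId") != tenant:            # all entries must share the vault's tenant
            errors.append(f"accessPolicies[{i}].tenantId differs from the vault tenantId")
        oid = p.get("objectId")
        if not oid or oid in seen:                 # objectId is required and must be unique
            errors.append(f"accessPolicies[{i}].objectId is missing or duplicated")
        seen.add(oid)
        app = p.get("applicationId")
        if app is not None and not GUID_RE.match(app):
            errors.append(f"accessPolicies[{i}].applicationId must be a GUID")
        for kind, allowed in PERMISSIONS.items():
            for perm in p.get("permissions", {}).get(kind, []):
                if perm.lower() not in allowed:
                    errors.append(f"accessPolicies[{i}]: unknown {kind} permission '{perm}'")
    acls = props.get("networkAcls")
    if acls is not None:
        if acls.get("bypass", "AzureServices") not in ("AzureServices", "None"):
            errors.append("networkAcls.bypass must be 'AzureServices' or 'None'")
        if acls.get("defaultAction") not in ("Allow", "Deny"):
            errors.append("networkAcls.defaultAction must be 'Allow' or 'Deny'")
    return errors


def audit_vault(props):
    """Hardening findings a reviewer would raise, each naming the property to change."""
    findings = []
    if not props.get("enableRbacAuthorization"):
        findings.append("enableRbacAuthorization is false: data-plane access uses access policies, not Azure RBAC")
    if not props.get("enablePurgeProtection"):
        findings.append("enablePurgeProtection is not true: a soft-deleted vault can be purged before retention ends")
    if props.get("enableSoftDelete") is False:
        findings.append("enableSoftDelete is false: deleted objects cannot be recovered")
    acls = props.get("networkAcls") or {}
    if props.get("publicNetworkAccess", "Enabled").lower() != "disabled" and acls.get("defaultAction") != "Deny":
        findings.append("publicNetworkAccess is not 'Disabled' and networkAcls.defaultAction is not 'Deny'")
    for i, p in enumerate(props.get("accessPolicies", [])):
        if any(v.lower() == "all" for vals in p.get("permissions", {}).values() for v in vals):
            findings.append(f"accessPolicies[{i}] grants 'all' on at least one object type")
    return findings


# Constructed placeholder identities (not real tenants or principals).
TENANT = "11111111-2222-3333-4444-555555555555"
OPERATOR = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Mirrors the shape of the page's Terraform sample (constructed body).
SAMPLE_BODY = {
    "accessPolicies": [{"objectId": OPERATOR, "tenantId": TENANT, "permissions": {
        "certificates": ["ManageContacts"], "keys": ["Create"], "secrets": ["Set"], "storage": []}}],
    "createMode": "default", "enableRbacAuthorization": False, "enableSoftDelete": True,
    "enabledForDeployment": False, "enabledForDiskEncryption": False,
    "enabledForTemplateDeployment": False, "publicNetworkAccess": "Enabled",
    "sku": {"family": "A", "name": "standard"}, "softDeleteRetentionInDays": 7, "tenantId": TENANT,
}

# The same vault with the findings addressed: RBAC, purge protection, default-deny network ACLs.
HARDENED_BODY = {**SAMPLE_BODY, "accessPolicies": [], "enableRbacAuthorization": True,
                 "enablePurgeProtection": True, "softDeleteRetentionInDays": 90,
                 "publicNetworkAccess": "Disabled",
                 "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
                                 "ipRules": [], "virtualNetworkRules": []}}

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BODY), ("hardened", HARDENED_BODY)):
        print(label, "errors:", validate_vault(body), "findings:", audit_vault(body))
```

Run against the sample-shaped body the audit reports three findings (access policies instead of RBAC, no purge protection, public access with no default-deny rule set); the hardened body passes both checks. Because the Terraform sample sets `schema_validation_enabled = false`, a check like this is the only place the constraints in the tables are enforced before the request reaches Azure.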

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

Module Description
Key Vault AVM Resource Module for Key Vault