Azure Key Vault — Solving Microsoft 365

Azure Key Vault is Microsoft's cloud key, secret, and certificate management service. For Microsoft 365 admins, Key Vault matters as the storage layer for Customer Key (customer-controlled encryption keys for Microsoft 365 service encryption), Bring Your Own Key (BYOK) scenarios in Purview Information Protection, and any custom integrations that need secret management. Three vault tiers: Standard (software-protected keys), Premium (HSM-protected keys with FIPS 140-2 Level 2 / 3 attestation), and Managed HSM (dedicated HSM-as-a-service). For Microsoft 365 Customer Key, two Key Vaults in two geographic regions are required for resilience. Access is gated by Entra ID identity with granular RBAC.