Status: OUT
Azure identity model choices constrain cryptographic key protection scope: the Entra identity-to-authorization chain determines Key Vault data-plane access, while Key Vault's network-isolated defense-in-depth lifecycle provides tiered FIPS protection — the identity topology (system vs user-assigned MI, app registration across tenants) bounds what key protection levels are reachable.