{"results":[{"id":"appservice-keyvault-reference-syntax","text":"Azure App Service Key Vault references use syntax `@Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<secret>)` in app settings","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-keyvault-secure-configuration","text":"App Service integrates with Key Vault for a zero-secret-in-code configuration pipeline: Key Vault references inject secrets into app settings via `@Microsoft.KeyVault(SecretUri=...)` syntax, certificates stored as Key Vault certificate objects enable autorotation, and user-assigned managed identity provides credential-free vault authentication — eliminating secrets from both application code and deployment configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-policy-rp-modes-fully-supported","text":"Fully supported Resource Provider modes for Azure Policy: `Microsoft.Kubernetes.Data`, `Microsoft.KeyVault.Data`, `Microsoft.Network.Data`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-policy-rp-modes-kubernetes-keyvault-network","text":"Fully supported Resource Provider modes for Azure Policy: Microsoft.Kubernetes.Data, Microsoft.KeyVault.Data, Microsoft.Network.Data; RP modes use only audit, deny, and disabled effects.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"entra-identity-keyvault-secrets-lifecycle-integration","text":"Azure identity and secrets management form an integrated lifecycle that must be designed together: Entra's dual-model identity system provides authentication (app registrations for multi-tenant, managed identities for Azure-native), while Key Vault's defense-in-depth lifecycle (tiered FIPS + layered deletion protection) secures the cryptographic material accessed via those identities.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-best-practice-one-vault-per-app","text":"Best practice is one Key Vault per application per environment (Dev, Pre-Prod, Prod) to reduce blast radius.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-cert-access-control-separate","text":"Access control for Key Vault certificates is separate from access control for keys and secrets in the same vault.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-cert-creates-key-and-secret","text":"Creating a Key Vault certificate automatically creates an addressable key and an addressable secret with the same name.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-cert-issuer-vault-scoped","text":"Certificate issuer objects in Key Vault are vault-scoped and cannot be shared across vaults.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-certificates-as-certificate-objects","text":"Certificates should be stored as Key Vault certificate objects (not secrets) to enable autorotation","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-certificates-as-certificate-objects-not-secrets","text":"Certificates should be stored as Key Vault certificate objects (not secrets) to enable autorotation","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-certificates-store-as-certificate-objects","text":"Certificates should be stored as Key Vault certificate objects (not secrets) to enable autorotation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-contributor-no-data-access","text":"Key Vault Contributor role is control plane only and does NOT grant access to keys, secrets, or certificates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-control-plane-endpoint","text":"Key Vault control plane endpoint is `management.azure.com:443`; data plane endpoint is `<vault-name>.vault.azure.net:443`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-crypto-user-cannot-delete-keys","text":"Key Vault Crypto User role can create new keys but cannot delete them","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-crypto-user-create-not-delete","text":"Key Vault Crypto User role can create new keys but cannot delete them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-custom-roles-use-dataactions","text":"Custom roles for Key Vault data plane operations use `DataActions` (not `Actions`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-data-access-admin-cannot-change-permission-model","text":"Key Vault Data Access Administrator can add/remove Key Vault role assignments with ABAC constraints but cannot change the permission model (requires Owner or User Access Administrator).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-data-plane-multitenant","text":"The Key Vault data plane is multitenant — multiple customer vaults can share the same public IP address.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"keyvault-data-plane-multitenant-shared-ip","text":"The Key Vault data plane is multitenant — multiple customer vaults can share the same public IP address.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":93,"limit":20,"offset":0}