Create an Azure Key Vault

Updated on June 30, 2026

An Azure Key Vault is used manage secrets such as API keys, passwords, and other sensitive information. An Azure subscription is required, but anyone can sign up for a free subscription to create a key vault.

Once your key vault is created, you can make it accessible to humans (so they can fetch passwords and keys manually), or to programs (so they can call an API to fetch the information automatically).

Where to create your key vault

You must decide the region (physical location) of the key vault service at the time of creation, and you cannot change it later. If you need a different region in the future, you must create a new vault and migrate all secrets manually. For this reason, select your region carefully to avoid disruption in the future.

View the list of Azure regions on Microsoft Learn (opens in new tab)

When deciding a location:

  1. Follow data residency requirements. For example, you may be legally required to store your data in a specific location such as the United States or Europe. If so, make sure you know the rules and select a compliant location.
  2. Follow any requirements for services using the key vault. If you are using other Azure services that connect to the key vault through an API, make sure you understand any service-specific requirements. A few Azure services require the vault to be stored in the same region, e.g., Azure Disk Encryption.
  3. Otherwise keep your vault close to the users and services. Use the closest region to minimize latency and avoid cross-region dependencies. For example, if your services are located in US West 2, put your key vault there for minimum latency.

“I just want to securely store my passwords”

If you don’t have data residency or technical requirements, you don’t need to overthink the region. The key vault service is accessible globally. However, you should still try to use a region that is close to your users. Review the list of regions and select the one closest to your team (or most of your team).

Instructions

  1. Sign into the Azure portal

    – Go to https://portal.azure.com.
    – Sign in with your Azure account.
    – If you don’t have an account yet, sign up for free.

  2. Open the Key Vault Service

    – In the top search bar, type “Key Vault”.
    – Click on Key Vaults from the search results.
    – Click + Create to start a new Key Vault.

  3. Click +Create to create a new vault

    If you haven’t created any vaults yet, there will be a prominent button to create your first vault. Otherwise look for the + Create button.
    Screenshot of Azure showing there are no key vaults to display. In addition to the message, there is a button with the label + Create, along with a Learn more link.

  4. Specify or create a resource group

    A resource group is container, similar to a folder, for organizing Azure resources such as key vaults and virtual machines. You can put all resources into the same resource group, or you can organize them for other purposes such as per-department. When creating your key vault, you must select an existing one or create a new one.

    💡 You can move the key vault to a different resource group later.

  5. Select your subscription that owns the key vault


    💡 You can move the vault to a different subscription later, if necessary.

  6. Specify the name of the key vault

    The name must consist of letters, numbers, and dashes. It cannot start with a number. Use a name that will be descriptive for the people using it, e.g., “plugin-keys”.

    ⚠️ The name of the key vault cannot be changed later.

  7. Specify the region where the key vault is stored (typically close to you)

    Generally, you should select the region closest to you or the services that will be using the resource. Be sure to consider other factors such as compliance (e.g., European services should be in Europe) and technical dependences (e.g., Azure Disk Encryption needs to be in the same region).

    ⚠️ The region cannot be changed later.

  8. Specify the pricing tier (typically Standard)

    Stick with Standard unless you have a specific need for Premium. The Standard tier is free for basic use. You pay only if you exceed the free limits, which is unlikely for individuals and small teams.

  9. Specify the days to retain deleted vaults (typically 90)

    The retention period is the number of days the vault sticks around after it has been deleted. During the retention period, the vault can be restored or purged (unless you block purging, see next step). You can select between 7 and 90 days, which cannot be changed later.

    ⚠️ You cannot change the retention period later.

  10. Specify whether to enable purge protection (typically disabled)

    If you wish, you can prevent the permanent deletion of the key vault during its retention period. This prevents anyone including Microsoft from purging the key vault until the retention period has elapsed.

  11. Click Review + create to review your selections

    Or click Next if you want to review advanced settings like network access. Most users do not need the advanced settings

  12. Wait for the Create button to enable

    ⌛ It may take a while for Azure to validate your settings and enable the Create button.

  13. Click the Create button to create the Azure key vault

    ⌛ It may take a while for Azure to create your Azure key vault.
    When you see “Your deployment is complete” you can start using the vault.

  14. Click the Go to resource button to browse into the vault

Next steps

Next, make sure the right people can access the vault. And obviously, start saving your secrets in the vault.

Reference

License

Licensed under CC BY 4.0 You are free to share and adapt this content for any purpose as long as you give appropriate credit in a reasonable manner.

No affiliate links

We do not participate in affiliate marketing, and we are not paid to mention products.

Leave a Reply

Your email address will not be published. Required fields are marked *