MicrosoftDocs
diff --git a/‎articles/key-vault/general/about-keys-secrets-certificates.md‎
Lines changed: 3 additions & 3 deletions b/‎articles/key-vault/general/about-keys-secrets-certificates.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/key-vault/general/access-control-default.md‎
Lines changed: 4 additions & 4 deletions b/‎articles/key-vault/general/access-control-default.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/key-vault/general/apps-api-keys-secrets.md‎
Lines changed: 29 additions & 29 deletions b/‎articles/key-vault/general/apps-api-keys-secrets.md‎
Lines changed: 29 additions & 29 deletions
diff --git a/‎articles/key-vault/general/assign-access-policy.md‎
Lines changed: 2 additions & 2 deletions b/‎articles/key-vault/general/assign-access-policy.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/key-vault/general/authentication-requests-and-responses.md‎
Lines changed: 10 additions & 10 deletions b/‎articles/key-vault/general/authentication-requests-and-responses.md‎
Lines changed: 10 additions & 10 deletions
@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: overview
-ms.date: 01/08/2026
+ms.date: 03/26/2026
 ms.author: mbaldwin
 ---
 
@@ -23,10 +23,10 @@ For more information, see [Authentication, requests, and responses](authenticati
 An object identifier has the following general format (depending on container type):  
 
 - **For Vaults**:
-`https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}`  
+`https://<vault-name>.vault.azure.net/<object-type>/<object-name>/<object-version>`  
 
 - **For Managed HSM pools**:
-`https://{hsm-name}.managedhsm.azure.net/{object-type}/{object-name}/{object-version}`  
+`https://<hsm-name>.managedhsm.azure.net/<object-type>/<object-name>/<object-version>`  
 
 > [!NOTE]
 > See [Object type support](#object-types) for types of objects supported by each container type.
 
@@ -6,7 +6,7 @@ ms.author: mbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 03/24/2026
+ms.date: 03/26/2026
 ms.custom: devx-track-azurepowershell, devx-track-azurecli, sfi-image-nochange
 
 #customer intent: As an Azure Key Vault administrator, I want to migrate from access policies to Azure RBAC so that I can improve security and simplify access management.
@@ -53,7 +53,7 @@ After checking your configuration:
 1. Use the [az keyvault show](/cli/azure/keyvault#az-keyvault-show) command to retrieve vault details:
 
    ```azurecli
-   az keyvault show --name <KeyVaultName> --resource-group <ResourceGroupName>
+   az keyvault show --name <vault-name> --resource-group <resource-group>
    ```
 
 1. Check the **Enabled for RBAC Authorization** property (`enableRbacAuthorization`) for the key vault.
@@ -78,7 +78,7 @@ Use the [az keyvault list](/cli/azure/keyvault#az-keyvault-list) command to list
 
 ```azurecli
 # List all key vaults in the resource group and check Azure RBAC status
-az keyvault list --resource-group <ResourceGroupName> --query "[].{name:name, rbacEnabled:properties.enableRbacAuthorization}" --output table
+az keyvault list --resource-group <resource-group> --query "[].{name:name, rbacEnabled:properties.enableRbacAuthorization}" --output table
 ```
 
 # [PowerShell](#tab/azure-powershell)
@@ -113,7 +113,7 @@ az keyvault list --resource-group <ResourceGroupName> --query "[].{name:name, rb
 1. Name the resource group you want to run your function for:
 
    ```azurepowershell
-   $resourceGroupName = "<ResourceGroupName>"
+   $resourceGroupName = "<resource-group>"
    ```
 
 1. Call function `Get-KeyVaultsFromResourceGroup` to see which vaults in the resource group from step 2 have access policies vs Azure RBAC enabled.
 
@@ -6,7 +6,7 @@ author: orin-thomas
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: overview
-ms.date: 11/19/2025
+ms.date: 03/26/2026
 ms.author: orthomas
 ---
 
@@ -36,9 +36,9 @@ The following uses the Azure CLI [az keyvault secret set](/cli/azure/keyvault/se
 
 ```azurecli
 az keyvault secret set \
-    --vault-name "<YourKeyVaultName>" \
+    --vault-name "<vault-name>" \
     --name "MyApiKey" \
-    --value "<YourSecretValue>"
+    --value "<secret-value>"
     --expires "$(date -u -d '+180 days' +'%Y-%m-%dT%H:%M:%SZ')"
 ```
 
@@ -47,8 +47,8 @@ az keyvault secret set \
 The following uses the Azure PowerShell [Set-AzKeyVaultSecret](/powershell/module/az.keyvault/set-azkeyvaultsecret) cmdlet to add a secret named MyApiKey to the keyvault and sets the secret to expire after 180 days:
 
 ```powershell
-$secret = ConvertTo-SecureString -String "<YourSecretValue>" -AsPlainText -Force
-Set-AzKeyVaultSecret -VaultName "<YourKeyVaultName>" -Name "MyApiKey" -SecretValue $secret -Expires (Get-Date).AddDays(180)
+$secret = ConvertTo-SecureString -String "<secret-value>" -AsPlainText -Force
+Set-AzKeyVaultSecret -VaultName "<vault-name>" -Name "MyApiKey" -SecretValue $secret -Expires (Get-Date).AddDays(180)
 ```
 
 ---
@@ -66,7 +66,7 @@ To do this configure an Azure role-based access control (Azure RBAC) role using
 ```azurecli
 az role assignment create --role "Key Vault Secrets User" \
   --assignee <object-id-of-app-or-user> \
-  --scope /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>
+  --scope /subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>
 ```
 
 # [Azure PowerShell](#tab/azure-powershell)
@@ -76,7 +76,7 @@ To do this configure an Azure role-based access control (Azure RBAC) role using
 ```powershell
 New-AzRoleAssignment -RoleDefinitionName "Key Vault Secrets User" `
     -ObjectId <object-id-of-app-or-user> `
-    -Scope "/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>"
+    -Scope "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
 ```
 
 ---
@@ -92,9 +92,9 @@ To enable Azure Key Vault Logging and Alerts, use the Azure CLI [az monitor diag
 ```azurecli
 az monitor diagnostic-settings create \
     --name myDiagnosticSettings \
-    --resource {key-vault-resource-id} \
+    --resource <key-vault-resource-id> \
     --logs '[{"category": "AuditEvent","enabled": true}]' \
-    --workspace {log-analytics-workspace-id}
+    --workspace <log-analytics-workspace-id>
 ```
 
 # [Azure PowerShell](#tab/azure-powershell)
@@ -103,8 +103,8 @@ To enable Azure Key Vault Logging and Alerts, use the Azure PowerShell [Set-AzDi
 
 ```powershell
 Set-AzDiagnosticSetting -Name "myDiagnosticSettings" `
-    -ResourceId {key-vault-resource-id} `
-    -WorkspaceId {log-analytics-workspace-id} `
+    -ResourceId <key-vault-resource-id> `
+    -WorkspaceId <log-analytics-workspace-id> `
     -Category "AuditEvent" `
     -Enabled $true
 ```
@@ -120,8 +120,8 @@ You can run the Azure CLI [az monitor scheduled-query create](/cli/azure/monitor
 ```azurecli
 az monitor scheduled-query create \
     --name "Suspicious Access Alert" \
-    --resource-group myResourceGroup \
-    --scopes {log-analytics-workspace-resource-id} \
+    --resource-group <resource-group> \
+    --scopes <log-analytics-workspace-resource-id> \
     --condition "AzureDiagnostics | where ResourceType == 'VAULTS' | where OperationName == 'SecretGet' | where ResultSignature == 'Unauthorized'"
 ```
 
@@ -130,14 +130,14 @@ az monitor scheduled-query create \
 You can run the Azure PowerShell [New-AzScheduledQueryRule](/powershell/module/az.monitor/new-azscheduledqueryrule) cmdlet to monitor logs in the specified Log Analytics workspace for unauthorized access attempts to Azure Key Vault secrets and trigger an alert if any matching unauthorized access attempt is detected:
 
 ```powershell
-New-AzScheduledQueryRule -ResourceGroupName "myResourceGroup" `
+New-AzScheduledQueryRule -ResourceGroupName "<resource-group>" `
     -Location "eastus" `
     -Action `
         (New-AzScheduledQueryRuleAction -Severity 3 -Trigger `
             (New-AzScheduledQueryRuleTriggerCondition -ThresholdOperator GreaterThan -Threshold 0 -MetricTrigger `
-                (New-AzScheduledQueryRuleMetricTrigger -MetricName "UnauthorizedAccess" -MetricResourceId {log-analytics-workspace-resource-id} -TimeAggregation "Count" -Operator "GreaterThan" -Threshold 0))) `
+                (New-AzScheduledQueryRuleMetricTrigger -MetricName "UnauthorizedAccess" -MetricResourceId <log-analytics-workspace-resource-id> -TimeAggregation "Count" -Operator "GreaterThan" -Threshold 0))) `
     -Source `
-        (New-AzScheduledQueryRuleSource -Query "AzureDiagnostics | where ResourceType == 'VAULTS' | where OperationName == 'SecretGet' | where ResultSignature == 'Unauthorized'" -DataSourceId {log-analytics-workspace-resource-id}) `
+        (New-AzScheduledQueryRuleSource -Query "AzureDiagnostics | where ResourceType == 'VAULTS' | where OperationName == 'SecretGet' | where ResultSignature == 'Unauthorized'" -DataSourceId <log-analytics-workspace-resource-id>) `
     -Schedule `
         (New-AzScheduledQueryRuleSchedule -FrequencyInMinutes 5 -TimeWindowInMinutes 5) `
     -Description "Alert for unauthorized access attempts to Key Vault secrets"
@@ -159,41 +159,41 @@ You can create a private endpoint using the Azure CLI [az network private-endpoi
 ```azurecli
 az network private-endpoint create \
     --name myPrivateEndpoint \
-    --resource-group myResourceGroup \
+    --resource-group <resource-group> \
     --vnet-name myVNet \
     --subnet mySubnet \
-    --private-connection-resource-id /subscriptions/{subscription}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{key-vault-name} \
+    --private-connection-resource-id /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name> \
     --group-id vault \
     --connection-name myConnection
 
 You can create firewall rules on the Azure Key Vault instance using the Azure CLI [az keyvault network-rule add](/cli/azure/keyvault/network-rule#az-keyvault-network-rule-add) command, substituting the appropriate key vault names, resource groups, subnet, and subnet mask information:
 
 ```azurecli
 az keyvault network-rule add \
-    --name {key-vault-name} \
-    --resource-group myResourceGroup \
-    --ip-address {trusted-ip-address}/32
+    --name <vault-name> \
+    --resource-group <resource-group> \
+    --ip-address <trusted-ip-address>/32
 ```
 
 # [Azure PowerShell](#tab/azure-powershell)
 You can create a private endpoint using the Azure PowerShell [New-AzPrivateEndpoint](/powershell/module/az.network/new-azprivateendpoint) cmdlet:
 
 ```powershell
 $privateEndpoint = New-AzPrivateEndpoint -Name "myPrivateEndpoint" `
-    -ResourceGroupName "myResourceGroup" `
+    -ResourceGroupName "<resource-group>" `
     -Location "eastus" `
-    -SubnetId "/subscriptions/{subscription}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/{subnet-name}" `
+    -SubnetId "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>" `
     -PrivateLinkServiceConnection `
         (New-AzPrivateLinkServiceConnection -Name "myConnection" `
-            -PrivateLinkServiceId "/subscriptions/{subscription}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{key-vault-name}" `
+            -PrivateLinkServiceId "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>" `
             -GroupId "vault")
 ```
 You can create firewall rules on the Azure Key Vault instance using the Azure PowerShell [Add-AzKeyVaultNetworkRule](/powershell/module/az.keyvault/add-azkeyvaultnetworkrule) cmdlet, substituting the appropriate key vault names, resource groups, subnet, and subnet mask information:
 
 ```powershell
-Add-AzKeyVaultNetworkRule -VaultName {key-vault-name} `
-    -ResourceGroupName myResourceGroup `
-    -IPAddress {trusted-ip-address}/32
+Add-AzKeyVaultNetworkRule -VaultName <vault-name> `
+    -ResourceGroupName <resource-group> `
+    -IPAddress <trusted-ip-address>/32
 ```
 
 ---
@@ -215,9 +215,9 @@ You can use the Azure Identity and Azure Key Vault Secrets client library to man
 from azure.keyvault.secrets import SecretClient
 from azure.identity import DefaultAzureCredential
 
-key_vault_name = "<your-key-vault-name>"
+key_vault_name = "<vault-name>"
 KVUri = f"https://{key_vault_name}.vault.azure.net"
-secret_name = "<your-secret-name>"
+secret_name = "<secret-name>"
 
 credential = DefaultAzureCredential()
 client = SecretClient(vault_url=KVUri, credential=credential)
 
@@ -8,7 +8,7 @@ ms.custom: devx-track-azurecli, has-azure-ad-ps-ref, sfi-image-nochange
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 04/15/2025
+ms.date: 03/26/2026
 ms.author: mbaldwin
 #Customer intent: As someone new to Key Vault, I'm trying to learn basic concepts that can help me understand Key Vault documentation.
 ---
@@ -152,7 +152,7 @@ Determine the object ID of the application, group, or user to which you want to
 Use the [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy) cmdlet to assign the access policy:
 
 ```azurepowershell-interactive
-Set-AzKeyVaultAccessPolicy -VaultName <key-vault-name> -ObjectId <Id> -PermissionsToSecrets <secrets-permissions> -PermissionsToKeys <keys-permissions> -PermissionsToCertificates <certificate-permissions    
+Set-AzKeyVaultAccessPolicy -VaultName <vault-name> -ObjectId <object-id> -PermissionsToSecrets <secrets-permissions> -PermissionsToKeys <keys-permissions> -PermissionsToCertificates <certificate-permissions    
 ```
 
 You need only include `-PermissionsToSecrets`, `-PermissionsToKeys`, and `-PermissionsToCertificates` when assigning permissions to those particular types. The allowable values for `<secret-permissions>`, `<key-permissions>`, and `<certificate-permissions>` are given in the [Set-AzKeyVaultAccessPolicy - Parameters](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy#parameters) documentation.
 
@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: concept-article
-ms.date: 04/16/2025
+ms.date: 03/26/2026
 ms.author: mbaldwin
 
 ---
@@ -18,8 +18,8 @@ Azure Key Vault provides two types of containers to store and manage secrets for
 
 |Container type|Supported object types|Data-plane endpoint|
 |--|--|--|
-| **Vaults**|<ul><li>Software-protected keys</li><li>HSM-protected keys (with Premium SKU)</li><li>Certificates</li><li>Storage account keys</li></ul> | https://{vault-name}.vault.azure.net
-|**Managed HSM** |<ul><li>HSM-protected keys</li></ul> | https://{hsm-name}.managedhsm.azure.net
+| **Vaults**|<ul><li>Software-protected keys</li><li>HSM-protected keys (with Premium SKU)</li><li>Certificates</li><li>Storage account keys</li></ul> | `https://<vault-name>.vault.azure.net`
+|**Managed HSM** |<ul><li>HSM-protected keys</li></ul> | `https://<hsm-name>.managedhsm.azure.net`
 
 Here are the suffixes of the URLs used to access each type of object
 
@@ -43,16 +43,16 @@ For clients that cannot support specific HTTP verbs, Azure Key Vault allows usin
 
  To work with objects in the Azure Key Vault, the following are example URLs:  
 
-- To CREATE a key called TESTKEY in a Key Vault use - `PUT /keys/TESTKEY?api-version=<api_version> HTTP/1.1`  
+- To CREATE a key called TESTKEY in a Key Vault use - `PUT /keys/TESTKEY?api-version=<api-version> HTTP/1.1`  
 
-- To IMPORT a key called IMPORTEDKEY into a Key Vault use - `POST /keys/IMPORTEDKEY/import?api-version=<api_version> HTTP/1.1`  
+- To IMPORT a key called IMPORTEDKEY into a Key Vault use - `POST /keys/IMPORTEDKEY/import?api-version=<api-version> HTTP/1.1`  
 
-- To GET a secret called MYSECRET in a Key Vault use - `GET /secrets/MYSECRET?api-version=<api_version> HTTP/1.1`  
+- To GET a secret called MYSECRET in a Key Vault use - `GET /secrets/MYSECRET?api-version=<api-version> HTTP/1.1`  
 
-- To SIGN a digest using a key called TESTKEY in a Key Vault use - `POST /keys/TESTKEY/sign?api-version=<api_version> HTTP/1.1`  
+- To SIGN a digest using a key called TESTKEY in a Key Vault use - `POST /keys/TESTKEY/sign?api-version=<api-version> HTTP/1.1`  
 
 - The authority for a request to a Key Vault is always as follows,
-  - For vaults: `https://{keyvault-name}.vault.azure.net/`
+  - For vaults: `https://<vault-name>.vault.azure.net/`
   - For Managed HSMs: `https://{HSM-name}.managedhsm.azure.net/`
   Keys are always stored under the /keys path, while Secrets are always stored under the /secrets path.  
 
@@ -115,8 +115,8 @@ For more information on registering your application and authenticating to use A
 Access tokens must be sent to the service using the HTTP Authorization header:  
 
 ```
-PUT /keys/MYKEY?api-version=<api_version>  HTTP/1.1  
-Authorization: Bearer <access_token>  
+PUT /keys/MYKEY?api-version=<api-version>  HTTP/1.1  
+Authorization: Bearer <access-token>  
 
 ```