Fix security best practice accuracy and model practices in procedural content

msmbaldwin · Copilot · msmbaldwin · commit 3ecb7e5c2790 · 2026-04-10T12:48:54.000-07:00
Accuracy fixes in secure-*.md best practice articles:
- secure-keys.md: Fix key rotation interval from 'annually' to 'every two years'
  to match source of truth (how-to-configure-key-rotation.md line 19)
- secure-keys.md: Replace unsourced BYOK FIPS level claim with link to
  supported HSM vendor list
- secure-secrets.md: Replace unsourced '60 days' rotation mandate with
  guidance to follow org security policy (60-90 days as example)
- secure-secrets.md: Replace unsourced '8 hours' cache mandate with
  general caching guidance linked to throttling article
- secure-keys.md, secure-secrets.md: Remove deprecated tags: metadata
- secure-certificates.md: Update ms.date

Security practice compliance in procedural content:
- keys/quick-create-bicep.md: Add enablePurgeProtection: true (was missing
  despite being a documented best practice)
- keys/quick-create-template.md: Add enablePurgeProtection: true
- secrets/quick-create-bicep.md: Add IMPORTANT note that external template
  uses legacy access policies; link to RBAC-compliant template
- secrets/quick-create-template.md: Same RBAC warning note added

Metadata cleanup:
- Remove deprecated tags: field from 5 files (tutorial-rotation,
  tutorial-rotation-dual, quick-create-template, how-to-configure-key-rotation)
- Update ms.date on all modified files

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/articles/key-vault/certificates/secure-certificates.md b/articles/key-vault/certificates/secure-certificates.md
@@ -6,7 +6,7 @@ ms.service: azure-key-vault
 ms.subservice: certificates
 ms.topic: best-practice
 ms.custom: horz-security
-ms.date: 11/10/2025
+ms.date: 04/10/2026
 ms.author: mbaldwin
 ai-usage: ai-assisted
 # Customer intent: As a developer using Key Vault certificates, I want to implement certificate-specific security best practices.
diff --git a/articles/key-vault/keys/how-to-configure-key-rotation.md b/articles/key-vault/keys/how-to-configure-key-rotation.md
@@ -3,12 +3,11 @@ title: Configure cryptographic key auto-rotation in Azure Key Vault
 description: Use this guide to learn how to configure automated the rotation of a key in Azure Key Vault
 services: key-vault
 author: msmbaldwin
-tags: 'rotation'
 ms.custom: devx-track-arm-template, sfi-image-nochange, copilot-scenario-highlight
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: how-to
-ms.date: 04/09/2026
+ms.date: 04/10/2026
 ms.author: mbaldwin
 ---
 
diff --git a/articles/key-vault/keys/quick-create-bicep.md b/articles/key-vault/keys/quick-create-bicep.md
@@ -8,7 +8,7 @@ ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: quickstart
 ms.author: mbaldwin
-ms.date: 04/09/2026
+ms.date: 04/10/2026
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure.
 ---
 
@@ -77,6 +77,7 @@ resource vault 'Microsoft.KeyVault/vaults@2024-11-01' = {
     enableRbacAuthorization: true
     enableSoftDelete: true
     softDeleteRetentionInDays: 90
+    enablePurgeProtection: true
     enabledForDeployment: false
     enabledForDiskEncryption: false
     enabledForTemplateDeployment: false
diff --git a/articles/key-vault/keys/quick-create-template.md b/articles/key-vault/keys/quick-create-template.md
@@ -3,12 +3,11 @@ title: Azure Quickstart - Create an Azure key vault and a key by using Azure Res
 description: Quickstart showing how to create Azure key vaults, and add key to the vaults by using Azure Resource Manager template (ARM template).
 services: key-vault
 author: msmbaldwin
-tags: azure-resource-manager
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: quickstart
 ms.custom: mvc, subject-armqs, mode-arm, devx-track-arm-template
-ms.date: 04/09/2026
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure.
@@ -115,6 +114,7 @@ To complete this article:
         "enableRbacAuthorization": true,
         "enableSoftDelete": true,
         "softDeleteRetentionInDays": "90",
+        "enablePurgeProtection": true,
         "enabledForDeployment": false,
         "enabledForDiskEncryption": false,
         "enabledForTemplateDeployment": false,
diff --git a/articles/key-vault/keys/secure-keys.md b/articles/key-vault/keys/secure-keys.md
@@ -2,12 +2,11 @@
 title: Secure your Azure Key Vault keys
 description: Learn how to secure Azure Key Vault keys, with best practices specific to cryptographic key management.
 author: msmbaldwin
-tags: azure-key-vault
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: best-practice
 ms.custom: horz-security
-ms.date: 04/09/2026
+ms.date: 04/10/2026
 ms.author: mbaldwin
 ai-usage: ai-assisted
 # Customer intent: As a developer using Key Vault keys, I want to implement key-specific security best practices.
@@ -48,7 +47,7 @@ For more information about key operations, see [Key operations in Key Vault](abo
 Implement regular key rotation to limit exposure from compromised keys:
 
 - **Enable automatic key rotation**: Configure automatic rotation policies to rotate keys without application downtime. See [Configure key autorotation](how-to-configure-key-rotation.md)
-- **Set rotation frequency**: Rotate encryption keys at least annually, or more frequently based on compliance requirements
+- **Set rotation frequency**: Rotate encryption keys at least every two years, or more frequently based on compliance requirements
 - **Use key versioning**: Key Vault automatically versions keys, allowing seamless rotation without breaking existing encrypted data
 - **Plan for re-encryption**: For long-term data, implement strategies to re-encrypt data with new key versions
 
@@ -67,7 +66,7 @@ Protect against data loss by implementing proper backup and recovery procedures:
 
 When importing your own keys into Key Vault, follow security best practices:
 
-- **Use secure key generation**: Generate keys in FIPS 140-2 Level 2 or higher HSMs
+- **Use secure key generation**: Generate keys in a [supported on-premises HSM](hsm-protected-keys.md) that meets your compliance requirements
 - **Protect keys during transfer**: Use Key Vault's BYOK process to securely transfer keys. See [Import HSM-protected keys to Key Vault (BYOK)](hsm-protected-keys-byok.md)
 - **Validate key import**: Verify key attributes and permissions after import
 - **Maintain key provenance**: Document the origin and transfer method of imported keys
diff --git a/articles/key-vault/secrets/quick-create-bicep.md b/articles/key-vault/secrets/quick-create-bicep.md
@@ -7,7 +7,7 @@ ms.service: azure-key-vault
 ms.subservice: secrets
 ms.topic: quickstart
 ms.custom: mvc, subject-armqs, mode-arm, devx-track-bicep
-ms.date: 03/30/2026
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure.
@@ -48,6 +48,9 @@ ms.author: mbaldwin
 
 ## Review the Bicep file
 
+> [!IMPORTANT]
+> This quickstart uses an external template that creates a vault with legacy access policies. For production deployments, use Azure RBAC authorization instead. See [Create an Azure key vault and a key by using Bicep](../keys/quick-create-bicep.md) for a Bicep template that uses `enableRbacAuthorization: true`, or see [Secure your Azure Key Vault](../general/secure-key-vault.md) for comprehensive security guidance.
+
 The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/key-vault-create/).
 
 :::code language="bicep" source="~/quickstart-templates/quickstarts/microsoft.keyvault/key-vault-create/main.bicep":::
diff --git a/articles/key-vault/secrets/quick-create-template.md b/articles/key-vault/secrets/quick-create-template.md
@@ -3,12 +3,11 @@ title: Azure Quickstart - Create an Azure key vault and a secret by using Azure
 description: Quickstart showing how to create Azure key vaults, and add secrets to the vaults by using Azure Resource Manager template.
 services: key-vault
 author: msmbaldwin
-tags: azure-resource-manager
 ms.service: azure-key-vault
 ms.subservice: secrets
 ms.topic: quickstart
 ms.custom: mvc, subject-armqs, mode-arm, devx-track-arm-template, sfi-image-nochange
-ms.date: 12/03/2025
+ms.date: 04/10/2026
 ms.author: mbaldwin
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure.
 ---
@@ -54,6 +53,9 @@ To complete this article:
 
 ## Review the template
 
+> [!IMPORTANT]
+> This quickstart uses an external template that creates a vault with legacy access policies. For production deployments, use Azure RBAC authorization instead. See [Create a key vault using an ARM template](../general/vault-create-template.md) for a template that uses `enableRbacAuthorization: true`, or see [Secure your Azure Key Vault](../general/secure-key-vault.md) for comprehensive security guidance.
+
 The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/key-vault-create/).
 
 :::code language="json" source="~/quickstart-templates/quickstarts/microsoft.keyvault/key-vault-create/azuredeploy.json":::
diff --git a/articles/key-vault/secrets/secure-secrets.md b/articles/key-vault/secrets/secure-secrets.md
@@ -2,12 +2,11 @@
 title: Secure your Azure Key Vault secrets
 description: Learn how to secure Azure Key Vault secrets, with best practices specific to secrets management.
 author: msmbaldwin
-tags: azure-key-vault
 ms.service: azure-key-vault
 ms.subservice: secrets
 ms.topic: best-practice
 ms.custom: horz-security
-ms.date: 11/10/2025
+ms.date: 04/10/2026
 ms.author: mbaldwin
 ai-usage: ai-assisted
 # Customer intent: As a developer using Key Vault secrets, I want to implement secrets-specific security best practices.
@@ -50,7 +49,7 @@ When storing secrets in Key Vault, follow these formatting best practices:
 
 Secrets stored in application memory or configuration files persist for the entire application lifecycle, increasing exposure risk. Implement regular secret rotation to minimize compromise risk:
 
-- **Rotate secrets regularly**: Rotate secrets at least every 60 days, or more frequently for high-security scenarios
+- **Rotate secrets regularly**: Rotate secrets frequently based on your organization's security policy and the sensitivity of the credential. Shorter rotation intervals (for example, 60-90 days) reduce exposure risk from compromised secrets.
 - **Automate rotation**: Use Azure Key Vault's rotation capabilities to automate the rotation process
 - **Use dual credentials**: For zero-downtime rotation, implement resources with two sets of authentication credentials
 
@@ -62,12 +61,10 @@ For more information about secrets rotation, see:
 
 Key Vault enforces service limits to prevent abuse. To optimize secrets access while maintaining security:
 
-- **Cache secrets in memory**: Cache secrets in your application for at least 8 hours to reduce Key Vault API calls
+- **Cache secrets in memory**: Cache secrets in your application to reduce Key Vault API calls and avoid throttling. Reuse cached values whenever possible and refresh them when secrets are rotated. For more information, see [Azure Key Vault throttling guidance](../general/overview-throttling.md).
 - **Implement retry logic**: Use exponential back-off retry logic to handle transient failures and throttling
 - **Refresh on rotation**: Update cached values when secrets are rotated to ensure applications use current credentials
 
-For more information about throttling, see [Azure Key Vault throttling guidance](../general/overview-throttling.md).
-
 ## Secrets monitoring
 
 Enable monitoring to track secret access patterns and detect potential security issues:
diff --git a/articles/key-vault/secrets/tutorial-rotation-dual.md b/articles/key-vault/secrets/tutorial-rotation-dual.md
@@ -3,11 +3,10 @@ title: Rotation tutorial for resources with two sets of credentials
 description: Use this tutorial to learn how to automate the rotation of a secret for resources that use two sets of authentication credentials.
 services: key-vault
 author: msmbaldwin
-tags: 'rotation'
 ms.service: azure-key-vault
 ms.subservice: secrets
 ms.topic: tutorial
-ms.date: 03/26/2026
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 ms.custom: devx-track-azurepowershell, devx-track-azurecli, sfi-image-nochange, copilot-scenario-highlight
diff --git a/articles/key-vault/secrets/tutorial-rotation.md b/articles/key-vault/secrets/tutorial-rotation.md
@@ -3,12 +3,11 @@ title: Rotation tutorial for resources with one set of authentication credential
 description: Use this tutorial to learn how to automate the rotation of a secret for resources that use one set of authentication credentials.
 services: key-vault
 author: msmbaldwin
-tags: 'rotation'
 
 ms.service: azure-key-vault
 ms.subservice: secrets
 ms.topic: tutorial
-ms.date: 03/26/2026
+ms.date: 04/10/2026
 
 ms.author: mbaldwin
 ms.devlang: csharp
