AZ-500 Microsoft Azure Security Technologies Exam
Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!
Practice Test
Expert
Perform backup and recovery of certificates, secrets, and keys
Configure and Validate Key Vault Backup and Restore Operations
Soft-delete and purge protection are the first line of defense against certificates, secrets, and keys being lost permanently. Soft-delete keeps a deleted vault or object recoverable for a retention period of 7 to 90 days (90 by default); it is enabled by default on new vaults and, once on, cannot be disabled. Purge protection is opt-in and irreversible: while it is on, nobody, not even a vault owner, can purge the vault or a soft-deleted object until the retention period has elapsed, so a mistaken or compromised administrator cannot turn a deletion into a permanent loss. Both settings can be applied via Azure CLI or PowerShell. For example, use:
- az keyvault update --name <vault-name> --resource-group <resource-group> --enable-purge-protection true
- Update-AzKeyVault -VaultName <vault-name> -ResourceGroupName <resource-group> -EnablePurgeProtection
A purged object is gone for good, so these settings buy you recovery time; backups are what cover the cases they do not.
Performing manual backups gives you a point-in-time export of your Key Vault objects, which you then store in protected storage (a storage account with restricted access and, ideally, an immutability policy). Each backup blob is encrypted by Key Vault, contains every version of the object, and can only be restored into a vault in the same Azure subscription and the same Azure geography. There is no single command that backs up a whole standard vault: keys, secrets, and certificates are backed up individually. Before backing up, make sure the identity running the commands (a user, service principal, or managed identity; the vault itself has no identity for this) has Backup and Restore rights: with RBAC the Key Vault Administrator role covers it, and with access policies grant the Get, List, Backup, and Restore permissions for keys, secrets, and certificates. To back up items, run commands such as:
- az keyvault key backup --vault-name <vault-name> --name <key-name> --file <key-name>.blob (likewise az keyvault secret backup and az keyvault certificate backup)
- Backup-AzKeyVaultKey -VaultName <vault-name> -Name <key-name> -OutputFile <key-name>.blob
- Backup-AzKeyVaultSecret and Backup-AzKeyVaultCertificate, with the same parameters
Restoration is just as simple with az keyvault key restore, az keyvault secret restore, or az keyvault certificate restore, or with Restore-AzKeyVaultKey, Restore-AzKeyVaultSecret, or Restore-AzKeyVaultCertificate, pointing --file or -InputFile at the backup blob. A restore fails if an object with the same name already exists in the target vault, including one sitting in the soft-deleted state, so recover or purge that object first.
Automating backups reduces human error and enforces organizational compliance standards without manual intervention. Key Vault has no built-in backup schedule, so you build one: an Azure Automation runbook (or a pipeline or Logic App) runs the same backup commands on a timer and writes the blobs to a storage account, with the supporting resources deployed from an ARM template so the setup is repeatable. A typical setup includes:
- a schedule defining backup frequency, plus a retention rule that prunes old backup folders
- a system-assigned managed identity for the runbook, granted only Get, List, and Backup on the vault and write access to the backup container
- a storage account with restricted network access, encryption with a customer-managed key (CMK), and an immutability policy on the backup container so a compromised identity cannot delete the backups
This automation ensures backups occur consistently and meet governance requirements.
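A worked backup routine, added here as an example and not part of the course material, that ties the previous steps together: it checks the vault's deletion protection, backs up every certificate, key, and secret to a timestamped folder, and writes a manifest so the same script can serve as the body of an Automation runbook. It assumes the Az.Accounts and Az.KeyVault modules and an existing signed-in session (Connect-AzAccount, or Connect-AzAccount -Identity inside a runbook); the vault, resource group, and folder names are placeholders, and the Assert-KeyVaultDeletionProtection and Backup-KeyVaultObjects function names and the manifest layout are assumptions of this example.

```powershell
# Added example (not course material): back up every object in a Key Vault after
# confirming the vault is protected against permanent deletion.
# Assumes Az.Accounts/Az.KeyVault are installed and the caller is already signed in.
# Vault, resource group and folder names are placeholders.

function Assert-KeyVaultDeletionProtection {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    if (-not $vault) { throw "Vault '$VaultName' not found in resource group '$ResourceGroupName'." }

    # Soft-delete is on by default for new vaults; an old vault that reports it off
    # is not worth backing up until that is fixed, so fail loudly.
    if (-not $vault.EnableSoftDelete) {
        throw "Soft-delete is disabled on '$VaultName'; enable it before relying on backups."
    }
    # Purge protection is opt-in and cannot be removed once set: nobody can purge the
    # vault or its soft-deleted objects until the retention period has passed.
    if (-not $vault.EnablePurgeProtection) {
        Write-Warning "Enabling purge protection on '$VaultName' (this cannot be undone)."
        $vault = Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName -EnablePurgeProtection
    }
    return $vault
}

function Backup-KeyVaultObjects {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $BackupRoot
    )
    $null = Assert-KeyVaultDeletionProtection -VaultName $VaultName -ResourceGroupName $ResourceGroupName

    $stamp    = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
    $folder   = Join-Path $BackupRoot "$VaultName-$stamp"
    $null     = New-Item -ItemType Directory -Path $folder -Force
    $manifest = @()

    # Certificates first. A certificate in Key Vault also creates a key and a secret of
    # the same name marked Managed; those are restored with the certificate, so they are
    # skipped in the key and secret loops below instead of being backed up twice.
    foreach ($cert in Get-AzKeyVaultCertificate -VaultName $VaultName) {
        $file = Join-Path $folder "certificate-$($cert.Name).blob"
        Backup-AzKeyVaultCertificate -VaultName $VaultName -Name $cert.Name -OutputFile $file -Force
        $manifest += [pscustomobject]@{ Type = 'certificate'; Name = $cert.Name; File = $file }
    }
    foreach ($key in Get-AzKeyVaultKey -VaultName $VaultName | Where-Object { -not $_.Managed }) {
        $file = Join-Path $folder "key-$($key.Name).blob"
        Backup-AzKeyVaultKey -VaultName $VaultName -Name $key.Name -OutputFile $file -Force
        $manifest += [pscustomobject]@{ Type = 'key'; Name = $key.Name; File = $file }
    }
    foreach ($secret in Get-AzKeyVaultSecret -VaultName $VaultName | Where-Object { -not $_.Managed }) {
        $file = Join-Path $folder "secret-$($secret.Name).blob"
        Backup-AzKeyVaultSecret -VaultName $VaultName -Name $secret.Name -OutputFile $file -Force
        $manifest += [pscustomobject]@{ Type = 'secret'; Name = $secret.Name; File = $file }
    }

    # The manifest (Type, Name, File) makes the restore side scriptable and lets a later
    # audit spot objects that were added to the vault after the last backup.
    $manifest | Export-Csv -Path (Join-Path $folder 'manifest.csv') -NoTypeInformation
    return $manifest
}

# Usage (placeholder names). In an Automation runbook, precede this with
# Connect-AzAccount -Identity and point BackupRoot at a mounted or temporary path
# before copying the folder to the backup storage container.
# Backup-KeyVaultObjects -VaultName 'kv-prod-example' -ResourceGroupName 'rg-security' -BackupRoot 'C:\kv-backups'
```

The routine refuses to run against a vault without soft-delete rather than silently producing a backup that gives false comfort, and it never backs up managed keys and secrets separately because restoring them independently of their certificate is not what you want during recovery.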
Cross-region restores validate your disaster recovery readiness and data integrity across regions. To test, deploy a new Key Vault in the target region using an ARM template, then restore using your backup artifacts. Because a backup blob can only be restored into a vault in the same subscription and the same Azure geography (for example, from one US region to another US region, but not from the US to Europe), choose the target region accordingly. After restoration, reapply all access policies or RBAC role assignments, private endpoints, diagnostic settings, and encryption settings, and turn purge protection back on, since the new vault does not inherit any of these from the source. This exercise confirms that your vault can be fully recovered under a different resource group and region.
Validation and verification are critical steps that prove your recovery process works as intended. After the restore, use Get-AzKeyVaultSecret or Get-AzKeyVaultKey with -IncludeVersions against the new vault to confirm that the same version identifiers, tags, and attributes (enabled flag, activation and expiry dates) are present as in the source. Monitor the restore through Azure Monitor: with diagnostic settings enabled, every backup and restore call appears in the vault's AuditEvent log with its caller and result, so review it for failures. Finally, perform a test retrieval of each secret, key, or certificate, because a successful restore call proves the object exists, not that an application can use it. These checks ensure your backup strategy supports operational continuity and complies with governance policies.
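A worked restore-and-verify routine for the two preceding steps, added here as an example and not part of the course material. It assumes the Az.Accounts and Az.KeyVault modules, a signed-in session, a target vault that already exists in the same subscription and Azure geography as the source, and a manifest.csv in the backup folder with one row per object and the columns Type, Name, File (the layout is an assumption of this example; adapt it to whatever your backup job writes). The Restore-KeyVaultObjects and Compare-KeyVaultSecret function names and all vault names are placeholders.

```powershell
# Added example (not course material): restore a backup folder into a second vault,
# then verify one secret version-by-version against the source vault.
# Assumes Az.Accounts/Az.KeyVault, a signed-in session, an existing target vault in the
# same subscription and geography, and a manifest.csv with columns Type, Name, File.

function Restore-KeyVaultObjects {
    param(
        [Parameter(Mandatory)] [string] $TargetVault,
        [Parameter(Mandatory)] [string] $TargetResourceGroup,
        [Parameter(Mandatory)] [string] $BackupFolder
    )
    # Re-apply deletion protection to the new vault before it holds anything valuable;
    # a freshly deployed vault does not inherit this from the source.
    $null = Update-AzKeyVault -VaultName $TargetVault -ResourceGroupName $TargetResourceGroup -EnablePurgeProtection

    $results = @()
    foreach ($item in Import-Csv (Join-Path $BackupFolder 'manifest.csv')) {
        # A restore fails if an object of the same name already exists (live or soft-deleted),
        # so check first and report a skip instead of aborting the whole run.
        $exists = switch ($item.Type) {
            'key'         { Get-AzKeyVaultKey         -VaultName $TargetVault -Name $item.Name -ErrorAction SilentlyContinue }
            'secret'      { Get-AzKeyVaultSecret      -VaultName $TargetVault -Name $item.Name -ErrorAction SilentlyContinue }
            'certificate' { Get-AzKeyVaultCertificate -VaultName $TargetVault -Name $item.Name -ErrorAction SilentlyContinue }
        }
        if ($exists) {
            $results += [pscustomobject]@{ Type = $item.Type; Name = $item.Name; Status = 'skipped: already exists' }
            continue
        }
        try {
            switch ($item.Type) {
                'key'         { $null = Restore-AzKeyVaultKey         -VaultName $TargetVault -InputFile $item.File }
                'secret'      { $null = Restore-AzKeyVaultSecret      -VaultName $TargetVault -InputFile $item.File }
                'certificate' { $null = Restore-AzKeyVaultCertificate -VaultName $TargetVault -InputFile $item.File }
                default       { throw "unknown object type '$($item.Type)'" }
            }
            $results += [pscustomobject]@{ Type = $item.Type; Name = $item.Name; Status = 'restored' }
        } catch {
            $results += [pscustomobject]@{ Type = $item.Type; Name = $item.Name; Status = "failed: $($_.Exception.Message)" }
        }
    }
    return $results
}

function Format-Tags($Tags) {
    # Canonical string form so two tag dictionaries can be compared with -eq.
    if (-not $Tags) { return '' }
    ($Tags.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
}

function Compare-KeyVaultSecret {
    param(
        [Parameter(Mandatory)] [string] $SourceVault,
        [Parameter(Mandatory)] [string] $TargetVault,
        [Parameter(Mandatory)] [string] $Name
    )
    # A backup carries every version, so version ids, enabled flags, expiry dates and tags
    # must match exactly; a difference means a stale or partial backup, not cosmetics.
    $src = @(Get-AzKeyVaultSecret -VaultName $SourceVault -Name $Name -IncludeVersions | Sort-Object Version)
    $dst = @(Get-AzKeyVaultSecret -VaultName $TargetVault -Name $Name -IncludeVersions | Sort-Object Version)
    if ($src.Count -eq 0)          { return "missing in source vault" }
    if ($src.Count -ne $dst.Count) { return "version count differs: $($src.Count) vs $($dst.Count)" }
    for ($i = 0; $i -lt $src.Count; $i++) {
        if ($src[$i].Version -ne $dst[$i].Version) { return "version id mismatch at index $i" }
        if ($src[$i].Enabled -ne $dst[$i].Enabled) { return "enabled flag differs for version $($src[$i].Version)" }
        if ($src[$i].Expires -ne $dst[$i].Expires) { return "expiry differs for version $($src[$i].Version)" }
        if ((Format-Tags $src[$i].Tags) -ne (Format-Tags $dst[$i].Tags)) { return "tags differ for version $($src[$i].Version)" }
    }
    # Final proof the object is usable: read the current value on both sides. Only the
    # comparison result is returned; the values themselves are never written anywhere.
    $srcValue = Get-AzKeyVaultSecret -VaultName $SourceVault -Name $Name -AsPlainText
    $dstValue = Get-AzKeyVaultSecret -VaultName $TargetVault -Name $Name -AsPlainText
    if ($srcValue -eq $dstValue) { return 'ok' } else { return 'current value differs' }
}

# Usage (placeholder names):
# Restore-KeyVaultObjects -TargetVault 'kv-dr-example' -TargetResourceGroup 'rg-dr' -BackupFolder 'C:\kv-backups\kv-prod-example-20240101-020000' | Format-Table
# Compare-KeyVaultSecret -SourceVault 'kv-prod-example' -TargetVault 'kv-dr-example' -Name 'db-connection-string'
```

Run the comparison for every row of the manifest and treat any result other than ok as a failed drill; a version-count mismatch in particular usually means the backup predates a rotation, which is exactly the gap a scheduled backup is meant to close.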
Conclusion
In this section, you learned how soft-delete and purge protection guard against accidental or malicious deletions, and where their protection ends. You explored manual backup and restore operations for keys, secrets, and certificates using Azure CLI and PowerShell, and you saw how to automate these tasks with an Azure Automation runbook deployed alongside its storage from an ARM template. You also practiced cross-region restore techniques within the same Azure geography to verify disaster recovery capabilities and performed thorough validation steps using Azure Monitor and the vault's audit logs. By mastering these procedures, you ensure that your certificates, secrets, and keys remain secure and recoverable in the scenarios you have actually tested.