Location for storing connection strings, x509 certificates and other application secrets. Permissions by default are restricted. To modify from ARM, permissions will need to be applied implicitly and can be done on Key Vault creation.
Each key vault has its own usage metrics to see who and what applications have accessed an individual secret.
Using ARM deployment we can reference any secrets using parameters to provide the Reference Id of the Key Vault and the Secret’s name.
The Key Vaults main features are to limit access to sensitive data (by keeping them away from the source code) and audit access for those that do.