Secrets in Key Vault
Secrets aren't secrets if they're shared with everyone. Storing confidential items like connection strings, security tokens, certificates, and passwords in your code is just inviting someone to take them and use them for something other than what you intended them for. Even storing this sort of data in your web configuration is a bad idea; you're essentially allowing anyone who has access to the source code or web server access to your private data.
Instead, you should always put these secrets into Azure Key Vault.
What is Azure Key Vault
Azure Key Vault is a secret store: a centralized cloud service for storing application secrets. Key Vault keeps your confidential data safe by keeping application secrets in a single central location and providing secure access, permissions control, and access logging.
Secrets are stored in individual vaults, each with their own configuration and security policies to control access. You can then get to your data through a REST API, or through a client SDK available for most languages.
Important
Key Vault is designed to store configuration secrets for server applications. It's not intended for storing data belonging to your app's users, and it shouldn't be used in the client-side part of an app. This is reflected in its performance characteristics, API, and cost model.
User data should be stored elsewhere, such as in an Azure SQL database with Transparent Data Encryption, or a storage account with Storage Service Encryption. You can keep secrets your application uses to access those data stores in Key Vault.
Why use a Key Vault for my secrets
Key management and storing secrets can be complicated and error-prone when performed manually. Rotating certificates manually means potentially going without for a few hours or days. As mentioned above, saving your connections strings in your configuration file or code repository means someone could steal your credentials.
Key Vault allows users to store connection strings, secrets, passwords, certificates, access policies, file locks (making items in Azure read-only), and automation scripts. It also logs access and activity and allows you to monitor access control (IAM) in your subscription. It also has diagnostics, metrics, alerts, and troubleshooting tools to ensure you have the access you need.
Learn more about using an Azure Key Vault in Manage secrets in your server apps with Azure Key Vault.
Summary
Credential theft, manual key rotation, and certificate renewal can be a thing of the past if you manage your secrets well by using Azure Key Vault.