microsoft · Roopan-Microsoft · May 6, 2026 · May 5, 2026
@@ -181,8 +181,6 @@ Ensures consistent query translation across the organization.
 
 ### Security guidelines
 
-This template uses Azure Key Vault for use by AI Foundry.
-
 This template uses [Managed Identity](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview) for all Azure service communication.
 
 To ensure continued best practices in your own repository, we recommend that anyone creating solutions based on our templates ensure that the [Github secret scanning](https://docs.github.com/code-security/secret-scanning/about-secret-scanning) setting is enabled.

@@ -331,7 +331,6 @@ var privateDnsZones = [
   'privatelink.openai.azure.com'
   'privatelink.services.ai.azure.com'
   'privatelink.documents.azure.com'
-  'privatelink.vaultcore.azure.net'
   'privatelink.blob.${environment().suffixes.storage}'
   'privatelink.file.${environment().suffixes.storage}'
   'privatelink.monitor.azure.com'                       // Azure Monitor global endpoints (App Insights, DCE)
@@ -346,13 +345,12 @@ var dnsZoneIndex = {
   openAI: 1
   aiServices: 2
   cosmosDB: 3
-  keyVault: 4
-  storageBlob: 5
-  storageFile: 6
-  monitor: 7
-  oms: 8
-  ods: 9
-  agentSvc: 10
+  storageBlob: 4
+  storageFile: 5
+  monitor: 6
+  oms: 7
+  ods: 8
+  agentSvc: 9
 }
 
 // ===================================================
@@ -854,34 +852,6 @@ module storageAccount 'modules/storageAccount.bicep' = {
   }
 }
 
-module keyVault 'modules/keyVault.bicep' = {
-  name: take('module.keyVault.${solutionSuffix}', 64)
-  #disable-next-line no-unnecessary-dependson
-  dependsOn: [logAnalyticsWorkspace, virtualNetwork] // required due to optional flags that could change dependency
-  params: {
-    name: take('kv-${solutionSuffix}', 24)
-    location: location
-    sku: 'standard'
-    logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspaceResourceId : ''
-    privateNetworking: enablePrivateNetworking
-      ? {
-          virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
-          subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
-          privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.keyVault]!.outputs.resourceId
-        }
-      : null
-    roleAssignments: [
-      {
-        principalId: aiServices.outputs.?systemAssignedMIPrincipalId ?? appIdentity.outputs.principalId
-        principalType: 'ServicePrincipal'
-        roleDefinitionIdOrName: 'Key Vault Administrator'
-      }
-    ]
-    tags: allTags
-    enableTelemetry: enableTelemetry
-  }
-}
-
 module cosmosDb 'modules/cosmosDb.bicep' = {
   name: take('module.cosmosDb.${solutionSuffix}', 64)
   #disable-next-line no-unnecessary-dependson

@@ -317,7 +317,6 @@ var privateDnsZones = [
   'privatelink.openai.azure.com'
   'privatelink.services.ai.azure.com'
   'privatelink.documents.azure.com'
-  'privatelink.vaultcore.azure.net'
   'privatelink.blob.${environment().suffixes.storage}'
   'privatelink.file.${environment().suffixes.storage}'
 ]
@@ -328,9 +327,8 @@ var dnsZoneIndex = {
   openAI: 1
   aiServices: 2
   cosmosDB: 3
-  keyVault: 4
-  storageBlob: 5
-  storageFile: 6
+  storageBlob: 4
+  storageFile: 5
 }
 
 // ===================================================
@@ -797,34 +795,6 @@ resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-
   }
 }
 
-module keyVault 'modules/keyVault.bicep' = {
-  name: take('module.keyVault.${solutionSuffix}', 64)
-  #disable-next-line no-unnecessary-dependson
-  dependsOn: [logAnalyticsWorkspace, virtualNetwork] // required due to optional flags that could change dependency
-  params: {
-    name: take('kv-${solutionSuffix}', 24)
-    location: location
-    sku: 'standard'
-    logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspaceResourceId : ''
-    privateNetworking: enablePrivateNetworking
-      ? {
-          virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
-          subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
-          privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.keyVault]!.outputs.resourceId
-        }
-      : null
-    roleAssignments: [
-      {
-        principalId: aiServices.outputs.?systemAssignedMIPrincipalId ?? appIdentity.outputs.principalId
-        principalType: 'ServicePrincipal'
-        roleDefinitionIdOrName: 'Key Vault Administrator'
-      }
-    ]
-    tags: allTags
-    enableTelemetry: enableTelemetry
-  }
-}
-
 module cosmosDb 'modules/cosmosDb.bicep' = {
   name: take('module.cosmosDb.${solutionSuffix}', 64)
   #disable-next-line no-unnecessary-dependson

@@ -537,16 +537,3 @@ type endpointType = {
   @description('The endpoint URI.')
   endpoint: string?
 }
-
-@export()
-@description('The type of the secrets exported to the provided Key Vault.')
-type secretsExportConfigurationType = {
-  @description('Required. The key vault name where to store the keys and connection strings generated by the modules.')
-  keyVaultResourceId: string
-
-  @description('Optional. The name for the accessKey1 secret to create.')
-  accessKey1Name: string?
-
-  @description('Optional. The name for the accessKey2 secret to create.')
-  accessKey2Name: string?
-}
@@ -133,9 +133,6 @@ param managedIdentities managedIdentityAllType?
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
-@description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
-param secretsExportConfiguration secretsExportConfigurationType?
-
 var formattedUserAssignedIdentities = reduce(
   map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
   {},
@@ -295,7 +292,6 @@ module cognitive_service_dependencies './dependencies.bicep' = if(!useExistingSe
         ]
       : []
     roleAssignments: roleAssignments
-    secretsExportConfiguration: secretsExportConfiguration
     sku: sku
     tags: tags
   }
@@ -314,7 +310,6 @@ module existing_cognitive_service_dependencies './dependencies.bicep' = if(useEx
     lock: lock
     privateEndpoints: privateEndpoints
     roleAssignments: roleAssignments
-    secretsExportConfiguration: secretsExportConfiguration
     sku: sku
     tags: tags
   }
@@ -521,19 +516,6 @@ type endpointType = {
   endpoint: string?
 }
 
-@export()
-@description('The type of the secrets exported to the provided Key Vault.')
-type secretsExportConfigurationType = {
-  @description('Required. The key vault name where to store the keys and connection strings generated by the modules.')
-  keyVaultResourceId: string
-
-  @description('Optional. The name for the accessKey1 secret to create.')
-  accessKey1Name: string?
-
-  @description('Optional. The name for the accessKey2 secret to create.')
-  accessKey2Name: string?
-}
-
 @export()
 @description('Values to establish private networking for resources that support createing private endpoints.')
 type aiServicesPrivateNetworkingType = {

@@ -32,9 +32,6 @@ param tags object?
 @description('Optional. Array of deployments about cognitive service accounts to create.')
 param deployments deploymentType[]?
 
-@description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
-param secretsExportConfiguration secretsExportConfigurationType?
-
 import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.7.0'
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointSingleServiceType[]?
@@ -325,36 +322,6 @@ resource cognitiveService_roleAssignments 'Microsoft.Authorization/roleAssignmen
   }
 ]
 
-module secretsExport 'keyVaultExport.bicep' = if (secretsExportConfiguration != null) {
-  name: '${uniqueString(deployment().name, location)}-secrets-kv'
-  scope: resourceGroup(
-    split(secretsExportConfiguration.?keyVaultResourceId!, '/')[2],
-    split(secretsExportConfiguration.?keyVaultResourceId!, '/')[4]
-  )
-  params: {
-    keyVaultName: last(split(secretsExportConfiguration.?keyVaultResourceId!, '/'))
-    secretsToSet: union(
-      [],
-      contains(secretsExportConfiguration!, 'accessKey1Name')
-        ? [
-            {
-              name: secretsExportConfiguration!.?accessKey1Name
-              value: cognitiveService.listKeys().key1
-            }
-          ]
-        : [],
-      contains(secretsExportConfiguration!, 'accessKey2Name')
-        ? [
-            {
-              name: secretsExportConfiguration!.?accessKey2Name
-              value: cognitiveService.listKeys().key2
-            }
-          ]
-        : []
-    )
-  }
-}
-
 module aiProject 'project.bicep' = if(!empty(projectName) || !empty(azureExistingAIProjectResourceId)) {
   name: take('${name}-ai-project-${projectName}-deployment', 64)
   params: {
@@ -369,9 +336,7 @@ module aiProject 'project.bicep' = if(!empty(projectName) || !empty(azureExistin
 
 import { secretsOutputType } from 'br/public:avm/utl/types/avm-common-types:0.7.0'
 @description('A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret\'s name.')
-output exportedSecrets secretsOutputType = (secretsExportConfiguration != null)
-  ? toObject(secretsExport!.outputs.secretsSet, secret => last(split(secret.secretResourceId, '/')), secret => secret)
-  : {}
+output exportedSecrets secretsOutputType = {}
 
 @description('The private endpoints of the congitive services account.')
 output privateEndpoints privateEndpointOutputType[] = [
@@ -467,16 +432,3 @@ type endpointType = {
   @description('The endpoint URI.')
   endpoint: string?
 }
-
-@export()
-@description('The type of the secrets exported to the provided Key Vault.')
-type secretsExportConfigurationType = {
-  @description('Required. The key vault name where to store the keys and connection strings generated by the modules.')
-  keyVaultResourceId: string
-
-  @description('Optional. The name for the accessKey1 secret to create.')
-  accessKey1Name: string?
-
-  @description('Optional. The name for the accessKey2 secret to create.')
-  accessKey2Name: string?
-}