How It Works

From Deployment to Protection in Minutes

VaultGuard360 deploys as an Azure Managed Application directly from Azure Marketplace. It runs entirely within your Azure tenant, using a managed identity to securely scan your Key Vaults.

1. Deploy from Azure Marketplace (~10 minutes)

Search for "VaultGuard360" in Azure Marketplace, click "Create" and select your subscription, choose your tier, configure basic settings, and deploy. RBAC permissions are auto-assigned by the ARM template.

2. Assign Key Vault Permissions (~3 minutes)

From the VaultGuard360 dashboard, go to the Setup page to copy your Managed Identity name. Then assign the Key Vault Reader role to this identity on each Azure subscription you want to monitor. The Setup page provides step-by-step instructions and a one-click copy button for the identity name.

3. Configure Notifications (~5 minutes)

Set up your notification email address and team routing. Configure webhook URLs for additional integrations.

4. Set Alert Thresholds (~2 minutes)

Choose when to be notified (30, 14, 7 days before expiration, or set a custom threshold).

5. You're Protected (Ongoing)

VaultGuard360 scans on your configured schedule and sends alerts automatically. View your dashboard or wait for email alerts.
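One way to check the outcome of step 2, as an added example that is not VaultGuard360's own code: a Python audit of the managed identity's role assignments, assuming they were exported with `az role assignment list --assignee <principal-id> --all -o json`. The sample JSON, the identity name and the subscription IDs are constructed placeholders.

```python
import json

# Constructed sample shaped like `az role assignment list ... -o json` output.
# The identity name and subscription IDs are placeholders, not values from the page.
SUB1 = "00000000-0000-0000-0000-000000000001"
SUB2 = "00000000-0000-0000-0000-000000000002"
SAMPLE = json.loads("""[
  {"principalName": "vg360-identity-EXAMPLE", "roleDefinitionName": "Key Vault Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "vg360-identity-EXAMPLE", "roleDefinitionName": "Key Vault Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-app"},
  {"principalName": "vg360-identity-EXAMPLE", "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"}
]""")

EXPECTED_ROLE = "Key Vault Reader"
# Built-in roles whose data actions include reading secret values.
VALUE_READING_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer",
                       "Key Vault Secrets User"}

def audit(assignments, wanted_subscriptions):
    """Return covered/missing subscriptions and assignments that need review."""
    covered, findings = set(), []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        parts = scope.strip("/").split("/")
        in_subscription = parts[0].lower() == "subscriptions" and len(parts) >= 2
        if role != EXPECTED_ROLE:
            # The page does not list the roles its ARM template assigns, so other
            # roles are flagged for review; only known value readers are escalated.
            kind = "reads-secret-values" if role in VALUE_READING_ROLES else "review"
            findings.append((kind, role, scope))
        elif not in_subscription:
            # Management-group or root scope reaches beyond the chosen subscriptions.
            findings.append(("scope-too-broad", role, scope))
        elif len(parts) == 2:
            # Only a subscription-level assignment covers every vault in it.
            covered.add(parts[1].lower())
    missing = sorted({s.lower() for s in wanted_subscriptions} - covered)
    return {"covered": sorted(covered), "missing": missing, "findings": findings}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, [SUB1, SUB2]), indent=2))
```

On the constructed sample, the second subscription is reported as missing because its Key Vault Reader assignment is scoped to one resource group, and the Key Vault Secrets User assignment is flagged because that role can read secret values.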

Coverage

What Gets Scanned

Item Type | What We Monitor
Secrets | Name, expiration date, enabled status
Certificates | Name, expiration date, enabled status
Keys | Name, expiration date, enabled status

Important: Your managed identity reads only metadata required for expiration tracking — never secret values. The publisher has zero access to any of this data.

Security

Your Data Stays Yours

Runs in Your Tenant

VaultGuard360 runs entirely in your Azure subscription as a Managed Application. The publisher has zero access to your managed resource group — no Contributor role, no JIT access, no standing permissions of any kind.

Your Managed Identity

Your managed identity scans your vaults using Key Vault Reader RBAC — no stored credentials. The publisher never has access to your secrets or metadata.

Key Vault Data Plane

Your managed identity scans via Key Vault data plane APIs, reading only metadata — never secret values or private keys. The publisher never sees any of this data.

No External Transmission

Alerts are sent via Azure Communication Services email, Microsoft Teams, Slack, PagerDuty, ServiceNow, or webhooks. No data is transmitted to the publisher.

Zero Publisher Access

Unlike most Azure Managed Apps, VaultGuard360 is configured with "No access" in Partner Center. The publisher cannot view, read, modify, or delete any resources in your deployment — not your Key Vault names, subscription names, or any metadata. This is a technical enforcement, not a policy promise.

Ready to Deploy?

Get started in minutes with our Azure Marketplace deployment. Your first scan runs automatically.