by ahelwer 3804 days ago
Azure Key Vault! Disclosure: am dev in Azure, although not on this specific product.

https://azure.microsoft.com/en-us/services/key-vault/

2 comments

Azure Key Vault is a great component, but it's a component, not a solution. By way of example, Key Vault's hardware "secrets check in but they don't check out" capability is awesome for preventing disclosure of secrets, but if you don't have a system for adequately managing who/what can use the contained key to sign messages, all you've done is add a complex and pricey piece of security theater (but, as I mention elsewhere, our primary concern is making sure whatever secret management we use helps us defend against at least the early stages of compromise of our infrastructure).
Cool, thanks! Seems like a pretty direct competitor to AWS KMS. The pricing is identical, so I guess the choice between the two is quite obvious if you are hosted in Azure or AWS.