What is the difference between “unmanaged” and “managed” secrets?
A “managed” secret is a secret that backs either a certificate or a storage account key. It cannot be mutated directly: for example, if you want to delete it, you must instead delete the corresponding certificate or storage account key. An “unmanaged” secret is a secret that is not managed; from the perspective of AKV, it's just a blob of data.
Why is every secret I create “unmanaged”?
In the Azure Portal, AKV only supports creating keys, secrets and certificates (there is no support for storage account keys yet). If you create a certificate, a managed secret is also created. Otherwise, if you create a secret (even if you select “Certificate” as the upload option), it will be an unmanaged secret.
How do you create “managed” secrets?
Not directly; only by creating a certificate or a storage account key.
More context:
Azure Key Vault (AKV) initially supported only two types of objects that could be stored in a vault: keys and secrets.
Later AKV introduced a third type of object: certificates. Initially, customers stored their certificates in their vaults as raw secrets (from the point of view of AKV, just a blob of data). With the new certificate feature, customers can store certificates as first-class AKV objects, and AKV can now manage the lifetime of a certificate (by automatically renewing it, or automatically sending an email reminding the customer to renew it manually, when it is about to expire). Under the hood, when a first-class certificate is created in Key Vault, it is backed by a managed key and a managed secret.
Similarly, AKV introduced a fourth type of object: storage account keys. AKV likewise manages the lifetime of a storage account key, and it is backed by a managed secret.
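The practical consequence of the managed/unmanaged split is in tooling that inventories or cleans up a vault: a managed secret must be left alone (or its owning certificate or storage account key deleted instead), and the user-settable content type is no indicator of which kind you have. The following is an added example, not code from the answer or from Microsoft; it classifies secrets using the `managed` flag that the Key Vault REST API reports on secret items, and plans deletions accordingly. The vault name and the three secret records are constructed for illustration.

```python
"""Classify Azure Key Vault secrets as managed (certificate- or storage-account-backed)
or unmanaged, and refuse to delete managed ones directly.

The record shape follows the Key Vault REST API secret item ("id", "managed",
"contentType", "attributes"). The sample listing below is constructed for this
example; it is not output from a real vault.
"""
from urllib.parse import urlparse

# Constructed sample of what a secret listing might return.
SAMPLE_SECRETS = [
    {   # backs a first-class certificate named "web-tls": the service sets managed=True
        "id": "https://example-vault.vault.azure.net/secrets/web-tls",
        "managed": True,
        "contentType": "application/x-pkcs12",
        "attributes": {"enabled": True},
    },
    {   # a plain secret uploaded with "Certificate" selected: still unmanaged
        "id": "https://example-vault.vault.azure.net/secrets/legacy-cert",
        "contentType": "Certificate",
        "attributes": {"enabled": True},
    },
    {   # an ordinary application secret
        "id": "https://example-vault.vault.azure.net/secrets/db-password",
        "managed": False,
        "attributes": {"enabled": True},
    },
]


def secret_name(secret_id: str) -> str:
    """Extract the secret name from a Key Vault secret identifier URL.

    Identifiers look like https://<vault>.vault.azure.net/secrets/<name>[/<version>].
    """
    parts = urlparse(secret_id).path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "secrets":
        raise ValueError(f"not a Key Vault secret identifier: {secret_id}")
    return parts[1]


def is_managed(secret: dict) -> bool:
    """Trust only the service-populated 'managed' flag.

    contentType is free text chosen by whoever created the secret, so a value of
    "Certificate" says nothing about whether Key Vault manages the secret.
    """
    return bool(secret.get("managed", False))


def delete_plan(secret: dict) -> str:
    """Describe the correct deletion action for one secret record.

    A certificate-backed secret shares its certificate's name, so the owning
    object to delete is the certificate (or storage account key) of that name.
    """
    name = secret_name(secret["id"])
    if is_managed(secret):
        return (f"refuse: '{name}' is managed; delete the owning certificate "
                f"or storage account key instead")
    return f"delete secret '{name}'"


def classify(secrets: list) -> dict:
    """Split a secret listing into managed and unmanaged names, preserving order."""
    result = {"managed": [], "unmanaged": []}
    for s in secrets:
        bucket = "managed" if is_managed(s) else "unmanaged"
        result[bucket].append(secret_name(s["id"]))
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_SECRETS))
    for s in SAMPLE_SECRETS:
        print(delete_plan(s))
```

Against a real vault the listing would come from the secrets endpoint (or the equivalent SDK call); the classification logic is unchanged, since the `managed` flag is exactly how the service tells you a secret belongs to a certificate or storage account key.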