You missed their point, or you’re using a different term for “vault”. If you’re talking something like KeyVault, it still exists on Microsoft hardware, which means ultimately they could access it.
The only way they would have a lot of trouble is if you only stored the encrypted blob on their platform and then streamed it to something off platform (AWS, on-premises, etc. ) and decrypted it there so they never had access to the key.
You missed their point, or you’re using a different term for “vault”. If you’re talking something like KeyVault, it still exists on Microsoft hardware, which means ultimately they could access it.
The only way they would have a lot of trouble is if you only stored the encrypted blob on their platform and then streamed it to something off platform (AWS, on-premises, etc. ) and decrypted it there so they never had access to the key.