Security "bootstrapping" requires a reliable starting point.
When we "hide" one key behind another key, the security is shifted to that second key.
The question is how to make the "base" key very secure.
In the case of Azure Key Vault, this is based on hardware encryption,
and the service then leverages PKI and Azure AD to propagate "secrets" to authorized apps.
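The key-hiding idea above, written out as envelope encryption in Node.js (an added example, not code from the original post or from Microsoft). The in-memory `kek` is an assumption standing in for the HSM-protected "base" key; the function names and the sample secret are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const GCM = "aes-256-gcm";
const NONCE = 12, TAG = 16; // byte lengths used in the blob layout below

// Encrypts `plaintext` under a 32-byte key; returns nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(NONCE);
  const c = nodeCrypto.createCipheriv(GCM, key, nonce, { authTagLength: TAG });
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Reverses seal(); throws if the key is wrong or the blob was modified.
function open(key, blob) {
  if (blob.length < NONCE + TAG) throw new Error("blob too short");
  const nonce = blob.subarray(0, NONCE);
  const d = nodeCrypto.createDecipheriv(GCM, key, nonce, { authTagLength: TAG });
  d.setAuthTag(blob.subarray(NONCE, NONCE + TAG));
  return Buffer.concat([d.update(blob.subarray(NONCE + TAG)), d.final()]);
}

// A fresh data key (DEK) encrypts the data; only its wrapped form is stored.
function encrypt(kek, data) {
  const dek = nodeCrypto.randomBytes(32);
  return { wrappedDek: seal(kek, dek), ciphertext: seal(dek, data) };
}

// Everything except the KEK is in `env`, so the KEK is the whole secret.
function decrypt(kek, env) {
  return open(open(kek, env.wrappedDek), env.ciphertext);
}

// KEK rotation rewrites the 60-byte wrapped DEK and leaves the data untouched.
function rewrap(oldKek, newKek, env) {
  const dek = open(oldKek, env.wrappedDek);
  return { wrappedDek: seal(newKek, dek), ciphertext: env.ciphertext };
}

// Constructed sample values. The local KEK is an assumption standing in for
// the HSM-protected key, which would stay inside the vault.
const kek = nodeCrypto.randomBytes(32);
const env = encrypt(kek, Buffer.from("constructed-storage-account-key"));
console.log(decrypt(kek, env).toString());
```

With Key Vault, the `seal(kek, dek)` and `open(kek, wrappedDek)` steps correspond to the service's wrapKey and unwrapKey operations, so the application never holds the KEK itself.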
Key Vault Documentation | Microsoft Docs
What is Azure Key Vault? | Microsoft Docs
"Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) by using keys that are protected by hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. If you choose to do this, Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware)."
Azure Podcast: Episode 153 - Key Vault
MSDN forums - Azure Key Vault