When Azure Defender for Key Vault (now Microsoft Defender for Key Vault) detects unauthorized access attempts—especially from Tor exit nodes or other suspicious IPs—the recommended mitigation is to restrict access to trusted networks by using Key Vault firewalls and virtual networks . Microsoft’s official guidance specifies: “Enable Key Vault firewalls and virtual networks to allow access only from specific public IP addresses, IP ranges, or selected virtual networks. Deny requests from untrusted sources such as Tor exit nodes.”

While Azure AD permissions and RBAC control who can authenticate and what operations they can perform, they do not prevent network-level threats. Access policies define granul ar permissions but cannot block specific network origins. Network-level controls like firewalls and VNets provide the strongest protection against malicious traffic or automated attacks from anonymous sources.

Therefore, to mitigate unauthorized access att empts coming from Tor exit nodes, the appropriate configuration is A. Key Vault firewalls and virtual networks .