diff --git a/modules/azure-resources/main.tf b/modules/azure-resources/main.tf
index ce2276c..f648c6f 100644
--- a/modules/azure-resources/main.tf
+++ b/modules/azure-resources/main.tf
@@ -21,23 +21,6 @@ resource "azurerm_storage_account" "storage" {
 tags = var.tags
 }
 
-# ---------------
-# Azure Key Vault
-# ---------------
-
-resource "azurerm_key_vault" "kv" {
- name = "${local.name}-kv"
- location = azurerm_resource_group.workspace.location
- resource_group_name = azurerm_resource_group.workspace.name
- enabled_for_disk_encryption = true
- tenant_id = local.client_tenant_id
- soft_delete_retention_days = 7 # minimum
- purge_protection_enabled = false # so we can fully delete it
- sku_name = "standard"
- tags = var.tags
- enable_rbac_authorization = true
-}
-
 # -----------------------
 # RBAC - Role Assignments
 # -----------------------
@@ -65,38 +48,3 @@ resource "azurerm_role_assignment" "rg_sp" {
 principal_id = var.service_principal_id
 scope = azurerm_resource_group.workspace.id
 }
-
-# Key Vault - Superadmins (i.e. organization - top level admins)
-
-resource "azurerm_role_assignment" "kv_superadmins" {
- role_definition_name = "Key Vault Administrator" # note: takes up to 10 minutes to propagate
- principal_id = var.superadmins_group_id
- scope = azurerm_key_vault.kv.id
-}
-
-# Key Vault - Team Admins
-
-resource "azurerm_role_assignment" "kv_team_admins" {
- role_definition_name = "Key Vault Administrator" # note: takes up to 10 minutes to propagate
- principal_id = var.admins_group_id
- scope = azurerm_key_vault.kv.id
-}
-
-# Key Vault - Devs
-
-resource "azurerm_role_assignment" "kv_team_devs" {
- role_definition_name = "Key Vault Secrets User" # note: takes up to 10 minutes to propagate
- principal_id = var.devs_group_id
- scope = azurerm_key_vault.kv.id
-}
-
-# # Key Vault - Service Principal (team should create own sps/rbac per app)
-
-# resource "azurerm_role_assignment" "kv_workspace_sp" {
-# role_definition_name = "Key Vault Secrets User" # note: takes up to 10 minutes to propagate
-# principal_id = var.devs_group_id
-# scope = azurerm_key_vault.kv.id
-# }
-
-# Why does it take up to 10 minutes for Key Vault RBAC to propagate?
-# See https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#known-limits-and-performance
diff --git a/modules/azure-resources/outputs.tf b/modules/azure-resources/outputs.tf
index 0c5553c..edec243 100644
--- a/modules/azure-resources/outputs.tf
+++ b/modules/azure-resources/outputs.tf
@@ -8,7 +8,3 @@ output "resource_group" {
 output "storage_account" {
 value = azurerm_storage_account.storage.name
 }
-
-output "key_vault" {
- value = azurerm_key_vault.kv.name
-}
diff --git a/outputs.tf b/outputs.tf
index e3859cd..0eb5e4e 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -16,7 +16,6 @@ output "aad_groups" {
 output "arm_environments" {
 value = [
 for env in module.arm_environments : {
- key_vault = env.key_vault
 resource_group = env.resource_group.name
 storage_account = env.storage_account
 }