Just a quick nugget that I learned the other day that might help someone, somewhere, someday (if that is you, let me know!). There's a relatively esoteric endpoint on the Azure Key Vault API for Encrypt and Decrypt.
At first glance, you might be thinking - ohhhh shiny, I can offload encryption en masse to this sucker and get free compute out of the deal. Well, not really. These two relatively undocumented methods do in fact do what they say, but they are limited to ONE single block of data (which comes out to be around 220 bytes). There's not much you can do in 220 bytes, except encrypt, say, another key, which happens all the time (Key Encryption Keys are a good example). But there is another catch here.
If you need to protect a symmetric key with an asymmetric key, use the API methods Wrap and Unwrap, not Encrypt and Decrypt. While the outcome is the same for both sets of methods when using RSA keys, if you use other key types, you'll get unexpected results.
All up - just steer clear of the Encrypt and Decrypt methods in the Azure Key Vault API until some new doc/guidance comes out in future releases.
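The single-block limit and the key-wrapping pattern described above, as an added example that is not code from the original post. It uses a locally generated RSA key and the Python `cryptography` package as a stand-in for a vault-held key, not Key Vault API calls; the 2048-bit key size, OAEP with SHA-1 padding, and all function names are assumptions.

```python
from os import urandom
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed local key pair standing in for an RSA key held in the vault
# (assumption: 2048-bit key, OAEP padding with SHA-1).
KEK = rsa.generate_private_key(public_exponent=65537, key_size=2048)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)


def oaep_limit(key_bits, hash_len=20):
    """Largest plaintext one RSA-OAEP operation accepts: k - 2*hLen - 2 bytes."""
    return key_bits // 8 - 2 * hash_len - 2


def single_block_encrypt(data):
    """Direct RSA encryption: succeeds for one block, returns None past the limit."""
    try:
        return KEK.public_key().encrypt(data, OAEP)
    except ValueError:  # payload does not fit in a single RSA block
        return None


def seal(data):
    """Envelope pattern: AES-256-GCM protects the data, RSA protects only the AES key."""
    dek = AESGCM.generate_key(bit_length=256)  # 32-byte data encryption key
    nonce = urandom(12)  # must be unique per message under the same key
    ciphertext = AESGCM(dek).encrypt(nonce, data, None)
    wrapped_key = KEK.public_key().encrypt(dek, OAEP)  # the "wrap" step
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}


def open_sealed(envelope):
    """Unwrap the data key with the private key, then decrypt the bulk data."""
    dek = KEK.decrypt(envelope["wrapped_key"], OAEP)  # the "unwrap" step
    return AESGCM(dek).decrypt(envelope["nonce"], envelope["ciphertext"], None)


if __name__ == "__main__":
    print("single-block limit:", oaep_limit(KEK.key_size), "bytes")
    print("215-byte payload encrypted directly:", single_block_encrypt(b"x" * 215) is not None)
    sealed = seal(b"x" * 100_000)
    print("100 kB round trip via envelope:", open_sealed(sealed) == b"x" * 100_000)
```

Against a real vault, the two lines marked "wrap" and "unwrap" are where the Wrap and Unwrap operations belong, so the private key never leaves the service.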