diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index e104ccbf88ec..0f5e385c9f4a 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -62,7 +62,7 @@ /sdk/identity/ @schaabs @daviwil @jonathandturner @sadasant # PRLabel: %KeyVault -/sdk/keyvault/ @jonathandturner @sadasant +/sdk/keyvault/ @jonathandturner @sadasant @maorleger # PRLabel: %Storage /sdk/storage/ @XiaoningLiu @jeremymeng @HarshaNalluru @vinjiang @jiacfan @ljian3377 diff --git a/.gitignore b/.gitignore index 792413a0b368..5386990e97c6 100644 --- a/.gitignore +++ b/.gitignore @@ -118,6 +118,7 @@ Thumbs.db *.cer *.pfx *.pem +*.key # WebStorm # .idea/ diff --git a/sdk/keyvault/keyvault-admin/package.json b/sdk/keyvault/keyvault-admin/package.json index 7b4c219481c5..8f114e109d04 100644 --- a/sdk/keyvault/keyvault-admin/package.json +++ b/sdk/keyvault/keyvault-admin/package.json @@ -71,7 +71,7 @@ "test:node": "npm run clean && npm run build:test && npm run unit-test:node", "test": "npm run clean && npm run build:test && npm run unit-test", "unit-test:browser": "echo skipped", - "unit-test:node": "echo skipped", + "unit-test:node": "mocha --require source-map-support/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 180000 --full-trace dist-test/index.node.js", "unit-test": "npm run unit-test:node && npm run unit-test:browser", "docs": "typedoc --excludePrivate --excludeNotExported --excludeExternals --stripInternal --mode file --out ./dist/docs ./src" }, diff --git a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_createroleassignment.js b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_createroleassignment.js index f40e503c6020..3d8961efb34b 100644 --- a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_createroleassignment.js 
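Review bot: The new `*.key` line in the .gitignore hunk only stops untracked key files from being staged; it does nothing for a `*.key` file that is already tracked, so it is worth confirming none exist in the tree (`git ls-files '*.key'`) as part of this change. The pattern is also broad enough to hide a `.key` fixture some package might legitimately need, which would then only be addable with `git add -f`. A short comment next to the entry, e.g. `# private keys (same intent as *.pem above)`, would make the intent clear to whoever trips over that later.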
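Review bot: The `unit-test:node` script in the package.json hunk now replays the checked-in recordings under `recordings/node`, and those recordings keep the recorder's egress address in the `x-ms-keyvault-network-info` header (`addr=50.35.231.105` in the files added and updated in this same change) while the tenant, client id/secret and token values are replaced with placeholders. That address is not needed for playback, so the sanitizer that substitutes the other values — not visible in this diff — should presumably replace it with a fixed placeholder too before recordings are committed. The `Set-Cookie` values returned by login.microsoftonline.com are likewise stored verbatim and could get the same treatment. The mocha invocation itself looks fine; `--timeout 180000` is consistent with a live-service suite.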
+++ b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_createroleassignment.js @@ -1,5 +1,5 @@ let nock = require('nock'); -module.exports.hash = "9c172c4656e4629ca849292a53f63e69"; +module.exports.hash = "9b001c0ee7f3f7fc602fb02c32d6e92d"; module.exports.testInfo = {"uniqueName":{},"newDate":{}} diff --git a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_deleteroleassignment.js b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_deleteroleassignment.js index daf26d287209..4971df1940ca 100644 --- a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_deleteroleassignment.js +++ b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_deleteroleassignment.js @@ -1,5 +1,5 @@ let nock = require('nock'); -module.exports.hash = "ec4c6c9f6fc235fd128add02b39994d7"; +module.exports.hash = "595a6495128ab7cbb1269e723aa97f65"; module.exports.testInfo = {"uniqueName":{},"newDate":{}} diff --git a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_getroleassignment.js b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_getroleassignment.js index c3bfc5862974..ca2cf90120a9 100644 --- a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_getroleassignment.js +++ b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_getroleassignment.js @@ -1,5 +1,5 @@ let nock = require('nock'); -module.exports.hash = "13040817b44ca1bf01b149d9ca4f1820"; +module.exports.hash = "2c966b7b5eb6e3a2ca9e780a095b1879"; module.exports.testInfo = {"uniqueName":{},"newDate":{}} 
diff --git a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_listroleassignments.js b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_listroleassignments.js index 471877cf9def..8f78f71d00fb 100644 --- a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_listroleassignments.js +++ b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_listroleassignments.js @@ -1,5 +1,5 @@ let nock = require('nock'); -module.exports.hash = "e99fae533ce806665682342192c1bd3f"; +module.exports.hash = "014b26d2a6855e2963a4fd04699658c3"; module.exports.testInfo = {"uniqueName":{},"newDate":{}} diff --git a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_listroledefinitions.js b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_listroledefinitions.js index 9730ddf91470..33fe17f70863 100644 --- a/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_listroledefinitions.js +++ b/sdk/keyvault/keyvault-admin/recordings/node/aborting_keyvaultaccesscontrolclients_requests/recording_can_abort_listroledefinitions.js @@ -1,5 +1,5 @@ let nock = require('nock'); -module.exports.hash = "44a7395caa8e9ccff4123693134cbb72"; +module.exports.hash = "868f7e89cc9fb0534e7e9702563a7873"; module.exports.testInfo = {"uniqueName":{},"newDate":{}} diff --git a/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests/recording_authentication_should_be_idempotent.js b/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests/recording_authentication_should_be_idempotent.js new file mode 100644 index 000000000000..af5617804652 --- /dev/null 
+++ b/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests/recording_authentication_should_be_idempotent.js 
@@ -0,0 +1,187 @@ +let nock = require('nock'); + +module.exports.hash = "3eff7c58d008b0759e8b092d2dd8df1c"; + +module.exports.testInfo = {"uniqueName":{},"newDate":{}} + +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) + .get('///providers/Microsoft.Authorization/roleAssignments') + .query(true) + .reply(401, "OK", [ + 'content-type', + 'application/json; charset=utf-8', + 'x-content-type-options', + 'nosniff', + 'www-authenticate', + 'Bearer authorization="https://login.microsoftonline.com/azure_tenant_id", resource="https://managedhsm.azure.net"', + 'x-frame-options', + 'SAMEORIGIN', + 'content-length', + '2', + 'x-ms-request-id', + 'c8d9afd2-56d3-11eb-9a1b-0242ac12000b', + 'strict-transport-security', + 'max-age=31536000; includeSubDomains', + 'content-security-policy', + "default-src 'self'", + 'x-ms-build-version', + '1.0.20210112-1-4fbf61ac-develop', + 'cache-control', + 'no-cache', + 'x-ms-server-latency', + '2' +]); + +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) + .get('///providers/Microsoft.Authorization/roleAssignments') + .query(true) + .reply(401, "OK", [ + 'content-type', + 'application/json; charset=utf-8', + 'x-content-type-options', + 'nosniff', + 'www-authenticate', + 'Bearer authorization="https://login.microsoftonline.com/azure_tenant_id", resource="https://managedhsm.azure.net"', + 'x-frame-options', + 'SAMEORIGIN', + 'content-length', + '2', + 'x-ms-request-id', + 'c8d9a488-56d3-11eb-93f8-0242ac12000b', + 'strict-transport-security', + 'max-age=31536000; includeSubDomains', + 'content-security-policy', + "default-src 'self'", + 'x-ms-build-version', + '1.0.20210112-1-4fbf61ac-develop', + 'cache-control', + 'no-cache', + 'x-ms-server-latency', + '1' +]); + +nock('https://login.microsoftonline.com:443', {"encodedQueryParams":true}) + .post('/azure_tenant_id/oauth2/v2.0/token', 
"response_type=token&grant_type=client_credentials&client_id=azure_client_id&client_secret=azure_client_secret&scope=https%3A%2F%2Fmanagedhsm.azure.net%2F.default") + .reply(200, {"token_type":"Bearer","expires_in":86399,"ext_expires_in":86399,"access_token":"access_token"}, [ + 'Cache-Control', + 'no-store, no-cache', + 'Pragma', + 'no-cache', + 'Content-Type', + 'application/json; charset=utf-8', + 'Expires', + '-1', + 'Strict-Transport-Security', + 'max-age=31536000; includeSubDomains', + 'X-Content-Type-Options', + 'nosniff', + 'P3P', + 'CP="DSP CUR OTPi IND OTRi ONL FIN"', + 'x-ms-request-id', + '7f120c47-bee8-4b7b-94c5-add1a6560b00', + 'x-ms-ests-server', + '2.1.11397.13 - EUS ProdSlices', + 'Set-Cookie', + 'fpc=Alf8-GibFnZDr_3b_fTLO50nffZ-AQAAAHXrktcOAAAA; expires=Sun, 14-Feb-2021 01:48:37 GMT; path=/; secure; HttpOnly; SameSite=None', + 'Set-Cookie', + 'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly', + 'Set-Cookie', + 'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly', + 'Date', + 'Fri, 15 Jan 2021 01:48:37 GMT', + 'Content-Length', + '1322' +]); + +nock('https://login.microsoftonline.com:443', {"encodedQueryParams":true}) + .post('/azure_tenant_id/oauth2/v2.0/token', "response_type=token&grant_type=client_credentials&client_id=azure_client_id&client_secret=azure_client_secret&scope=https%3A%2F%2Fmanagedhsm.azure.net%2F.default") + .reply(200, {"token_type":"Bearer","expires_in":86399,"ext_expires_in":86399,"access_token":"access_token"}, [ + 'Cache-Control', + 'no-store, no-cache', + 'Pragma', + 'no-cache', + 'Content-Type', + 'application/json; charset=utf-8', + 'Expires', + '-1', + 'Strict-Transport-Security', + 'max-age=31536000; includeSubDomains', + 'X-Content-Type-Options', + 'nosniff', + 'P3P', + 'CP="DSP CUR OTPi IND OTRi ONL FIN"', + 'x-ms-request-id', + '31c7d331-206d-4f11-865f-dca2a5a00a00', + 'x-ms-ests-server', + '2.1.11397.13 - EUS ProdSlices', + 'Set-Cookie', + 
'fpc=AjLb4QWjk0VDnlmAyQTvue8nffZ-AQAAAHTrktcOAAAA; expires=Sun, 14-Feb-2021 01:48:37 GMT; path=/; secure; HttpOnly; SameSite=None', + 'Set-Cookie', + 'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly', + 'Set-Cookie', + 'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly', + 'Date', + 'Fri, 15 Jan 2021 01:48:37 GMT', + 'Content-Length', + '1322' +]); + +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) + .get('///providers/Microsoft.Authorization/roleAssignments') + .query(true) + .reply(200, {"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/abf770e6-59b6-48c4-1574-bb4d071f9760","name":"abf770e6-59b6-48c4-1574-bb4d071f9760","properties":{"principalId":"01ea9a65-813e-4238-8204-bf7328d63fc6","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}, [ + 'x-frame-options', + 'SAMEORIGIN', + 'x-ms-request-id', + 'c91305d4-56d3-11eb-9a1b-0242ac12000b', + 'content-type', + 'application/json; charset=utf-8', + 'x-ms-keyvault-region', + 'westeurope', + 'content-length', + '410', + 'strict-transport-security', + 'max-age=31536000; includeSubDomains', + 'content-security-policy', + "default-src 'self'", + 'cache-control', + 'no-cache', + 'x-content-type-options', + 'nosniff', + 'x-ms-build-version', + '1.0.20210112-1-4fbf61ac-develop', + 'x-ms-keyvault-network-info', + 'addr=50.35.231.105', + 'x-ms-server-latency', + '1' +]); + +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) + .get('///providers/Microsoft.Authorization/roleAssignments') + .query(true) + .reply(200, 
{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/abf770e6-59b6-48c4-1574-bb4d071f9760","name":"abf770e6-59b6-48c4-1574-bb4d071f9760","properties":{"principalId":"01ea9a65-813e-4238-8204-bf7328d63fc6","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}, [ + 'x-frame-options', + 'SAMEORIGIN', + 'x-ms-request-id', + 'c9181aec-56d3-11eb-93f8-0242ac12000b', + 'content-type', + 'application/json; charset=utf-8', + 'x-ms-keyvault-region', + 'westeurope', + 'content-length', + '410', + 'strict-transport-security', + 'max-age=31536000; includeSubDomains', + 'content-security-policy', + "default-src 'self'", + 'cache-control', + 'no-cache', + 'x-content-type-options', + 'nosniff', + 'x-ms-build-version', + '1.0.20210112-1-4fbf61ac-develop', + 'x-ms-keyvault-network-info', + 'addr=50.35.231.105', + 'x-ms-server-latency', + '0' +]); diff --git a/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests/recording_once_authenticated_new_requests_should_not_authenticate_again.js b/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests/recording_once_authenticated_new_requests_should_not_authenticate_again.js new file mode 100644 index 000000000000..fa7e24d565e0 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests/recording_once_authenticated_new_requests_should_not_authenticate_again.js 
@@ -0,0 +1,126 @@ +let nock = require('nock'); + +module.exports.hash = "4f3faa0eb733c1ab38626a6664db2ec8"; + +module.exports.testInfo = {"uniqueName":{},"newDate":{}} + +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) + .get('///providers/Microsoft.Authorization/roleAssignments') + .query(true) + .reply(401, "OK", [ + 'content-type', + 'application/json; charset=utf-8', + 'x-content-type-options', + 'nosniff', + 'www-authenticate', + 'Bearer authorization="https://login.microsoftonline.com/azure_tenant_id", resource="https://managedhsm.azure.net"', + 'x-frame-options', + 'SAMEORIGIN', + 'content-length', + '2', + 'x-ms-request-id', + 'c933c77e-56d3-11eb-9a1b-0242ac12000b', + 'strict-transport-security', + 'max-age=31536000; includeSubDomains', + 'content-security-policy', + "default-src 'self'", + 'x-ms-build-version', + '1.0.20210112-1-4fbf61ac-develop', + 'cache-control', + 'no-cache', + 'x-ms-server-latency', + '0' +]); + +nock('https://login.microsoftonline.com:443', {"encodedQueryParams":true}) + .post('/azure_tenant_id/oauth2/v2.0/token', "response_type=token&grant_type=client_credentials&client_id=azure_client_id&client_secret=azure_client_secret&scope=https%3A%2F%2Fmanagedhsm.azure.net%2F.default") + .reply(200, {"token_type":"Bearer","expires_in":86399,"ext_expires_in":86399,"access_token":"access_token"}, [ + 'Cache-Control', + 'no-store, no-cache', + 'Pragma', + 'no-cache', + 'Content-Type', + 'application/json; charset=utf-8', + 'Expires', + '-1', + 'Strict-Transport-Security', + 'max-age=31536000; includeSubDomains', + 'X-Content-Type-Options', + 'nosniff', + 'P3P', + 'CP="DSP CUR OTPi IND OTRi ONL FIN"', + 'x-ms-request-id', + '3201d6bf-bbfa-4888-90b3-922a80651300', + 'x-ms-ests-server', + '2.1.11397.13 - WUS2 ProdSlices', + 'Set-Cookie', + 'fpc=AjLb4QWjk0VDnlmAyQTvue8nffZ-AgAAAHTrktcOAAAA; expires=Sun, 14-Feb-2021 01:48:38 GMT; path=/; secure; HttpOnly; SameSite=None', + 'Set-Cookie', + 
'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly', + 'Set-Cookie', + 'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly', + 'Date', + 'Fri, 15 Jan 2021 01:48:37 GMT', + 'Content-Length', + '1322' +]); + +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) + .get('///providers/Microsoft.Authorization/roleAssignments') + .query(true) + .reply(200, {"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/abf770e6-59b6-48c4-1574-bb4d071f9760","name":"abf770e6-59b6-48c4-1574-bb4d071f9760","properties":{"principalId":"01ea9a65-813e-4238-8204-bf7328d63fc6","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}, [ + 'x-frame-options', + 'SAMEORIGIN', + 'x-ms-request-id', + 'c959fd36-56d3-11eb-93f8-0242ac12000b', + 'content-type', + 'application/json; charset=utf-8', + 'x-ms-keyvault-region', + 'westeurope', + 'content-length', + '410', + 'strict-transport-security', + 'max-age=31536000; includeSubDomains', + 'content-security-policy', + "default-src 'self'", + 'cache-control', + 'no-cache', + 'x-content-type-options', + 'nosniff', + 'x-ms-build-version', + '1.0.20210112-1-4fbf61ac-develop', + 'x-ms-keyvault-network-info', + 'addr=50.35.231.105', + 'x-ms-server-latency', + '1' +]); + +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) + .get('///providers/Microsoft.Authorization/roleAssignments') + .query(true) + .reply(200, 
{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/abf770e6-59b6-48c4-1574-bb4d071f9760","name":"abf770e6-59b6-48c4-1574-bb4d071f9760","properties":{"principalId":"01ea9a65-813e-4238-8204-bf7328d63fc6","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}, [ + 'x-frame-options', + 'SAMEORIGIN', + 'x-ms-request-id', + 'c973fc7c-56d3-11eb-9a1b-0242ac12000b', + 'content-type', + 'application/json; charset=utf-8', + 'x-ms-keyvault-region', + 'westeurope', + 'content-length', + '410', + 'strict-transport-security', + 'max-age=31536000; includeSubDomains', + 'content-security-policy', + "default-src 'self'", + 'cache-control', + 'no-cache', + 'x-content-type-options', + 'nosniff', + 'x-ms-build-version', + '1.0.20210112-1-4fbf61ac-develop', + 'x-ms-keyvault-network-info', + 'addr=50.35.231.105', + 'x-ms-server-latency', + '0' +]); diff --git a/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests_parsewwwauthenticate_tests/recording_should_skip_unexpected_properties_on_the_wwwauthenticate_header.js b/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests_parsewwwauthenticate_tests/recording_should_skip_unexpected_properties_on_the_wwwauthenticate_header.js new file mode 100644 index 000000000000..4a0e8a3b0ee8 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests_parsewwwauthenticate_tests/recording_should_skip_unexpected_properties_on_the_wwwauthenticate_header.js @@ -0,0 +1,5 @@ +let nock = require('nock'); + +module.exports.hash = "a4c0302591ac2a3ba24bf059840f44b5"; + +module.exports.testInfo = {"uniqueName":{},"newDate":{}} 
diff --git a/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests_parsewwwauthenticate_tests/recording_should_work_for_known_shapes_of_the_wwwauthenticate_header.js b/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests_parsewwwauthenticate_tests/recording_should_work_for_known_shapes_of_the_wwwauthenticate_header.js new file mode 100644 index 000000000000..e8b1d7855489 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/recordings/node/challenge_based_authentication_tests_parsewwwauthenticate_tests/recording_should_work_for_known_shapes_of_the_wwwauthenticate_header.js @@ -0,0 +1,5 @@ +let nock = require('nock'); + +module.exports.hash = "d3e6ee11591a0825c0401d60b83a6d75"; + +module.exports.testInfo = {"uniqueName":{},"newDate":{}} diff --git a/sdk/keyvault/keyvault-admin/recordings/node/keyvaultaccesscontrolclient/recording_listroleassignments.js b/sdk/keyvault/keyvault-admin/recordings/node/keyvaultaccesscontrolclient/recording_listroleassignments.js index a4f444210725..4b65365bce37 100644 --- a/sdk/keyvault/keyvault-admin/recordings/node/keyvaultaccesscontrolclient/recording_listroleassignments.js +++ b/sdk/keyvault/keyvault-admin/recordings/node/keyvaultaccesscontrolclient/recording_listroleassignments.js 
@@ -1,59 +1,96 @@ let nock = require('nock'); -module.exports.hash = "40a7c9b72f55641675802c7541f1b95b"; +module.exports.hash = "35cfadfb466022e6ec4de357d76294db"; module.exports.testInfo = {"uniqueName":{},"newDate":{}} -nock('https://eastus2.keyvault_name.managedhsm.azure.net:443', {"encodedQueryParams":true}) +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) .get('///providers/Microsoft.Authorization/roleAssignments') .query(true) - .reply(401, "OK", [ 'content-type', + .reply(401, "OK", [ + 'content-type', 'application/json; charset=utf-8', 'x-content-type-options', 'nosniff', 'www-authenticate', - 'Bearer authorization="https://login.windows-ppe.net/azure_tenant_id", resource="https://managedhsm-int.azure-int.net"', + 'Bearer authorization="https://login.microsoftonline.com/azure_tenant_id", resource="https://managedhsm.azure.net"', 'x-frame-options', 'SAMEORIGIN', 'content-length', '2', 'x-ms-request-id', - 'e6aeb748-f2ae-11ea-857a-0242ac120004', + 'c9e0049e-56d3-11eb-93f8-0242ac12000b', 'strict-transport-security', 'max-age=31536000; includeSubDomains', 'content-security-policy', - 'default-src \'self\'', + "default-src 'self'", 'x-ms-build-version', - '1.0.20200909-2-c73be597-develop', + '1.0.20210112-1-4fbf61ac-develop', 'cache-control', 'no-cache', 'x-ms-server-latency', - '1' ]); + '0' +]); + +nock('https://login.microsoftonline.com:443', {"encodedQueryParams":true}) + .post('/azure_tenant_id/oauth2/v2.0/token', "response_type=token&grant_type=client_credentials&client_id=azure_client_id&client_secret=azure_client_secret&scope=https%3A%2F%2Fmanagedhsm.azure.net%2F.default") + .reply(200, {"token_type":"Bearer","expires_in":86399,"ext_expires_in":86399,"access_token":"access_token"}, [ + 'Cache-Control', + 'no-store, no-cache', + 'Pragma', + 'no-cache', + 'Content-Length', + '1322', + 'Content-Type', + 'application/json; charset=utf-8', + 'Expires', + '-1', + 'Strict-Transport-Security', + 'max-age=31536000; 
includeSubDomains', + 'X-Content-Type-Options', + 'nosniff', + 'P3P', + 'CP="DSP CUR OTPi IND OTRi ONL FIN"', + 'x-ms-request-id', + '5448d034-6f6a-48c4-94f6-484341a10c00', + 'x-ms-ests-server', + '2.1.11397.13 - EUS ProdSlices', + 'Set-Cookie', + 'fpc=AjLb4QWjk0VDnlmAyQTvue8nffZ-AwAAAHTrktcOAAAA; expires=Sun, 14-Feb-2021 01:48:39 GMT; path=/; secure; HttpOnly; SameSite=None', + 'Set-Cookie', + 'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly', + 'Set-Cookie', + 'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly', + 'Date', + 'Fri, 15 Jan 2021 01:48:38 GMT' +]); -nock('https://eastus2.keyvault_name.managedhsm.azure.net:443', {"encodedQueryParams":true}) +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) .get('///providers/Microsoft.Authorization/roleAssignments') .query(true) - .reply(200, {"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/8e7fe831-35fe-0488-beaf-5b0866306cbb","name":"8e7fe831-35fe-0488-beaf-5b0866306cbb","properties":{"principalId":"4f584d72-47b3-48d1-971c-ce0ae8a47560","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/65e1be51-aa38-4250-967a-8658fdfb260b","name":"65e1be51-aa38-4250-967a-8658fdfb260b","properties":{"principalId":"49acc88b-8f9e-4619-9856-16691db66767","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/967a0ebd-73a1-0145-85fc-3b6514ac2581","name":"967a0ebd-73a1-0145-85fc-3b6514ac2581","properties":{"principalId":"e7941875-b7e4-4ba2-9527-d3ef2a9b58fa","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c
8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/1d8e08be-5415-4c5f-94f2-22ba4f889ef7","name":"1d8e08be-5415-4c5f-94f2-22ba4f889ef7","properties":{"principalId":"c2101ce9-648a-4bbe-8f0e-3e891ff1658d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/1587adcd-1227-4799-03dc-a4194c659c07","name":"1587adcd-1227-4799-03dc-a4194c659c07","properties":{"principalId":"2bca474d-4fac-495d-919a-30376e0fe515","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/129c2001-45e7-0814-13d0-9d933e794b37","name":"129c2001-45e7-0814-13d0-9d933e794b37","properties":{"principalId":"d0596a07-8d8d-433f-a25e-5c6f46787784","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}, [ 'x-frame-options', + .reply(200, {"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/abf770e6-59b6-48c4-1574-bb4d071f9760","name":"abf770e6-59b6-48c4-1574-bb4d071f9760","properties":{"principalId":"01ea9a65-813e-4238-8204-bf7328d63fc6","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}, [ + 'x-frame-options', 'SAMEORIGIN', 'x-ms-request-id', - 'e6aeb748-f2ae-11ea-857a-0242ac120004', + 'ca0df228-56d3-11eb-9a1b-0242ac12000b', 'content-type', 'application/json; charset=utf-8', 'x-ms-keyvault-region', - 'EASTUS', + 'westeurope', 'content-length', - '2405', + 
'410', 'strict-transport-security', 'max-age=31536000; includeSubDomains', 'content-security-policy', - 'default-src \'self\'', + "default-src 'self'", 'cache-control', 'no-cache', 'x-content-type-options', 'nosniff', 'x-ms-build-version', - '1.0.20200909-2-c73be597-develop', + '1.0.20210112-1-4fbf61ac-develop', 'x-ms-keyvault-network-info', - 'addr=108.226.109.105', + 'addr=50.35.231.105', 'x-ms-server-latency', - '1' ]); + '0' +]); diff --git a/sdk/keyvault/keyvault-admin/recordings/node/keyvaultaccesscontrolclient/recording_listroledefinitions.js b/sdk/keyvault/keyvault-admin/recordings/node/keyvaultaccesscontrolclient/recording_listroledefinitions.js index 8a52e303df2c..46edcf288a71 100644 --- a/sdk/keyvault/keyvault-admin/recordings/node/keyvaultaccesscontrolclient/recording_listroledefinitions.js +++ b/sdk/keyvault/keyvault-admin/recordings/node/keyvaultaccesscontrolclient/recording_listroledefinitions.js 
@@ -1,59 +1,96 @@ let nock = require('nock'); -module.exports.hash = "d61a5b81560a7e21eb384041c75fb8db"; +module.exports.hash = "2b71da0768a562fe2e037f0b22ed74b9"; module.exports.testInfo = {"uniqueName":{},"newDate":{}} -nock('https://eastus2.keyvault_name.managedhsm.azure.net:443', {"encodedQueryParams":true}) +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) .get('///providers/Microsoft.Authorization/roleDefinitions') .query(true) - .reply(401, "OK", [ 'content-type', + .reply(401, "OK", [ + 'content-type', 'application/json; charset=utf-8', 'x-content-type-options', 'nosniff', 'www-authenticate', - 'Bearer authorization="https://login.windows-ppe.net/azure_tenant_id", resource="https://managedhsm-int.azure-int.net"', + 'Bearer authorization="https://login.microsoftonline.com/azure_tenant_id", resource="https://managedhsm.azure.net"', 'x-frame-options', 'SAMEORIGIN', 'content-length', '2', 'x-ms-request-id', - '58dd65a2-f2a6-11ea-a492-0242ac120009', + 'c99f288e-56d3-11eb-93f8-0242ac12000b', 'strict-transport-security', 'max-age=31536000; includeSubDomains', 'content-security-policy', - 'default-src \'self\'', + "default-src 'self'", 'x-ms-build-version', - '1.0.20200909-2-c73be597-develop', + '1.0.20210112-1-4fbf61ac-develop', 'cache-control', 'no-cache', 'x-ms-server-latency', - '1' ]); + '0' +]); + +nock('https://login.microsoftonline.com:443', {"encodedQueryParams":true}) + .post('/azure_tenant_id/oauth2/v2.0/token', "response_type=token&grant_type=client_credentials&client_id=azure_client_id&client_secret=azure_client_secret&scope=https%3A%2F%2Fmanagedhsm.azure.net%2F.default") + .reply(200, {"token_type":"Bearer","expires_in":86399,"ext_expires_in":86399,"access_token":"access_token"}, [ + 'Cache-Control', + 'no-store, no-cache', + 'Pragma', + 'no-cache', + 'Content-Type', + 'application/json; charset=utf-8', + 'Expires', + '-1', + 'Strict-Transport-Security', + 'max-age=31536000; includeSubDomains', + 
'X-Content-Type-Options', + 'nosniff', + 'P3P', + 'CP="DSP CUR OTPi IND OTRi ONL FIN"', + 'x-ms-request-id', + '31c7d331-206d-4f11-865f-dca2dfa00a00', + 'x-ms-ests-server', + '2.1.11397.13 - EUS ProdSlices', + 'Set-Cookie', + 'fpc=AjLb4QWjk0VDnlmAyQTvue8nffZ-AgAAAHTrktcOAAAA; expires=Sun, 14-Feb-2021 01:48:38 GMT; path=/; secure; HttpOnly; SameSite=None', + 'Set-Cookie', + 'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly', + 'Set-Cookie', + 'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly', + 'Date', + 'Fri, 15 Jan 2021 01:48:38 GMT', + 'Content-Length', + '1322' +]); -nock('https://eastus2.keyvault_name.managedhsm.azure.net:443', {"encodedQueryParams":true}) +nock('https://azure_managedhsm.managedhsm.azure.net:443', {"encodedQueryParams":true}) .get('///providers/Microsoft.Authorization/roleDefinitions') .query(true) - .reply(200, {"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managed
Hsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete","Microsoft.KeyVault/managedHsm/securitydomain/download/action","Microsoft.KeyVault/managedHsm/securitydomain/upload/action","Microsoft.KeyVault/managedHsm/securitydomain/upload/read","Microsoft.KeyVault/managedHsm/securitydomain/transferkey/read","Microsoft.KeyVault/managedHsm/backup/start/action","Microsoft.KeyVault/managedHsm/restore/start/action","Microsoft.KeyVault/managedHsm/backup/status/action","Microsoft.KeyVault/managedHsm/restore/status/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/del
ete"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Crypto Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Policy 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/7b127d3c-77bd-4e3e-bbe0-dbb8971fa7f8","name":"7b127d3c-77bd-4e3e-bbe0-dbb8971fa7f8","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/backup/start/action","Microsoft.KeyVault/managedHsm/backup/status/action","Microsoft.KeyVault/managedHsm/keys/backup/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Backup","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}, [ 'x-frame-options', + .reply(200, 
{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/7b127d3c-77bd-4e3e-bbe0-dbb8971fa7f8","name":"7b127d3c-77bd-4e3e-bbe0-dbb8971fa7f8","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/uri/start/action","Microsoft.KeyVault/managedHsm/uri/status/action","Microsoft.KeyVault/managedHsm/keys/uri/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Backup","type":"AKVBuiltInRole"},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Crypto Service Encryption","type":"AKVBuiltInRole"},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Crypto 
Auditor","type":"AKVBuiltInRole"},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleDefinitions/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Policy Administrator","type":"AKVBuiltInRole"},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/uri/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Crypto 
User","type":"AKVBuiltInRole"},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/uri/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Crypto 
Officer","type":"AKVBuiltInRole"},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/uri/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleDefinitions/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/delete/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete","Microsoft.KeyVault/managedHsm/securitydomain/download/action","Microsoft.KeyVault/managedHsm/securitydomain/upload/action","Microsoft.KeyVault/managedHsm/securitydomain/upload/read","Microsoft.KeyVault/managedHsm/securitydomain/transferkey/read","Microsoft.KeyVault/managedHsm/uri/start/action","Microsoft.KeyVault/managedHsm/restore/start/action","Microsoft.KeyVault/managedHsm/uri/status/action","Microsoft.KeyVau
lt/managedHsm/restore/status/action"],"notActions":[],"notDataActions":[]}],"roleName":"Managed HSM Administrator","type":"AKVBuiltInRole"},"type":"Microsoft.Authorization/roleDefinitions"}]}, [ + 'x-frame-options', 'SAMEORIGIN', 'x-ms-request-id', - '58dd65a2-f2a6-11ea-a492-0242ac120009', + 'c9c6d672-56d3-11eb-9a1b-0242ac12000b', 'content-type', 'application/json; charset=utf-8', 'x-ms-keyvault-region', - 'EASTUS', + 'westeurope', 'content-length', - '6428', + '6772', 'strict-transport-security', 'max-age=31536000; includeSubDomains', 'content-security-policy', - 'default-src \'self\'', + "default-src 'self'", 'cache-control', 'no-cache', 'x-content-type-options', 'nosniff', 'x-ms-build-version', - '1.0.20200909-2-c73be597-develop', + '1.0.20210112-1-4fbf61ac-develop', 'x-ms-keyvault-network-info', - 'addr=108.226.109.105', + 'addr=50.35.231.105', 'x-ms-server-latency', - '1' ]); + '0' +]); diff --git a/sdk/keyvault/keyvault-admin/src/constants.ts b/sdk/keyvault/keyvault-admin/src/constants.ts index bf8c98afb7df..68e9bc53204c 100644 --- a/sdk/keyvault/keyvault-admin/src/constants.ts +++ b/sdk/keyvault/keyvault-admin/src/constants.ts @@ -4,7 +4,7 @@ /** * Current version of the Key Vault Admin SDK. */ -export const SDK_VERSION: string = "4.0.0-beta.1"; +export const SDK_VERSION: string = "4.0.0-beta.2"; /** * The latest supported Key Vault service API version. diff --git a/sdk/keyvault/keyvault-admin/src/generated/keyVaultClientContext.ts b/sdk/keyvault/keyvault-admin/src/generated/keyVaultClientContext.ts index b50514c4eef3..4ed2d854b755 100644 --- a/sdk/keyvault/keyvault-admin/src/generated/keyVaultClientContext.ts +++ b/sdk/keyvault/keyvault-admin/src/generated/keyVaultClientContext.ts 
@@ -10,7 +10,7 @@ import * as coreHttp from "@azure/core-http"; import { KeyVaultClientOptionalParams } from "./models"; const packageName = "@azure/keyvault-admin"; -export const packageVersion = "4.0.0-beta.1"; +export const packageVersion = "4.0.0-beta.2"; export class KeyVaultClientContext extends coreHttp.ServiceClient { apiVersion: string; diff --git a/sdk/keyvault/keyvault-admin/test/internal/challengeBasedAuthenticationPolicy.spec.ts b/sdk/keyvault/keyvault-admin/test/internal/challengeBasedAuthenticationPolicy.spec.ts new file mode 100644 index 000000000000..41007663bbe9 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/test/internal/challengeBasedAuthenticationPolicy.spec.ts 
@@ -0,0 +1,97 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import * as assert from "assert";
+import Sinon, { createSandbox } from "sinon";
+import { Recorder } from "@azure/test-utils-recorder";
+
+import {
+ AuthenticationChallengeCache,
+ AuthenticationChallenge,
+ parseWWWAuthenticate
+} from "../../../keyvault-common/src";
+import { KeyVaultAccessControlClient } from "../../src";
+import { authenticate } from "../utils/authentication";
+
+describe("Challenge based authentication tests", function() {
+ let client: KeyVaultAccessControlClient;
+ let recorder: Recorder;
+ let sandbox: Sinon.SinonSandbox;
+
+ beforeEach(async function() {
+ const authentication = await authenticate(this);
+ client = authentication.accessControlClient;
+ recorder = authentication.recorder;
+ sandbox = createSandbox();
+ });
+
+ afterEach(async function() {
+ sandbox.restore();
+ await recorder.stop();
+ });
+
+ it("Authentication should be idempotent", async function() {
+ const spy = sandbox.spy(AuthenticationChallengeCache.prototype, "setCachedChallenge");
+ const spyEqualTo = sandbox.spy(AuthenticationChallenge.prototype, "equalTo");
+
+ const promises = [
+ client.listRoleAssignments("/").next(),
+ client.listRoleAssignments("/").next()
+ ];
+ await Promise.all(promises);
+
+ // Even though we had multiple requests, only one authentication should have happened.
+
+ // This is determined by the comparison between the cached challenge and the new receive challenge.
+ // So, AuthenticationChallenge's equalTo should have returned true at least once.
+ assert.ok(spyEqualTo.returned(true));
+
+ // The challenge should have been written to the cache exactly ONCE.
+ assert.equal(spy.getCalls().length, 1);
+ });
+
+ it("Once authenticated, new requests should not authenticate again", async function() {
+ const spy = sandbox.spy(AuthenticationChallengeCache.prototype, "setCachedChallenge");
+
+ await client.listRoleAssignments("/").next();
+ await client.listRoleAssignments("/").next();
+
+ assert.equal(spy.getCalls().length, 1);
+ });
+
+ describe("parseWWWAuthenticate tests", () => {
+ it("Should work for known shapes of the WWW-Authenticate header", () => {
+ const wwwAuthenticate1 = `Bearer authorization="some_authorization", resource="https://some.url"`;
+ const parsed1 = parseWWWAuthenticate(wwwAuthenticate1);
+ assert.deepEqual(parsed1, {
+ authorization: "some_authorization",
+ resource: "https://some.url"
+ });
+
+ const wwwAuthenticate2 = `Bearer authorization="some_authorization", scope="https://some.url"`;
+ const parsed2 = parseWWWAuthenticate(wwwAuthenticate2);
+ assert.deepEqual(parsed2, {
+ authorization: "some_authorization",
+ scope: "https://some.url"
+ });
+ });
+
+ it("Should skip unexpected properties on the WWW-Authenticate header", () => {
+ const wwwAuthenticate1 = `Bearer authorization="some_authorization", a="a", b="b"`;
+ const parsed1 = parseWWWAuthenticate(wwwAuthenticate1);
+ assert.deepEqual(parsed1, {
+ authorization: "some_authorization",
+ a: "a",
+ b: "b"
+ });
+
+ const wwwAuthenticate2 = `scope="https://some.url", a="a", c="c"`;
+ const parsed2 = parseWWWAuthenticate(wwwAuthenticate2);
+ assert.deepEqual(parsed2, {
+ scope: "https://some.url",
+ a: "a",
+ c: "c"
+ });
+ });
+ });
+});
diff --git a/sdk/keyvault/keyvault-admin/test/internal/logger.spec.ts b/sdk/keyvault/keyvault-admin/test/internal/logger.spec.ts
index 76d8a621960f..faf08e1018ab 100644
--- a/sdk/keyvault/keyvault-admin/test/internal/logger.spec.ts
+++ b/sdk/keyvault/keyvault-admin/test/internal/logger.spec.ts
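Review bot: The test titled `Should skip unexpected properties on the WWW-Authenticate header` asserts the opposite of its name: both `deepEqual` calls expect `a`, `b` and `c` to be present in the parsed result, so the parser retains unknown parameters rather than skipping them. Either rename it to `Should retain unexpected properties on the WWW-Authenticate header`, or, if dropping unknown keys is the intended contract of `parseWWWAuthenticate`, change the expected objects to contain only `authorization`/`scope` so the test fails until the parser does that. The recordings in this same change show the parsed `authorization` value becoming the authority that receives the client secret on the token POST, so it would also be worth one case for a malformed challenge (no `Bearer` prefix, unquoted values) that pins whether the parser returns an empty object or throws, rather than leaving that failure mode inferred.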
@@ -39,12 +39,9 @@ describe("The keyvault-admin clients logging options should work", () => { let credential: ClientSecretCredential; beforeEach(async () => { - credential = await new ClientSecretCredential( - "", - "", - "" - ); + credential = new ClientSecretCredential("", "", ""); setLogLevel("info"); + sandbox = createSandbox(); }); afterEach(() => { @@ -55,7 +52,6 @@ describe("The keyvault-admin clients logging options should work", () => { describe("KeyVaultAccessControlClient", () => { beforeEach(async () => { mockHttpClient = makeHTTPMock("/providers/Microsoft.Authorization/roleDefinitions"); - sandbox = createSandbox(); spy = sandbox.spy(logger, "info"); }); @@ -79,7 +75,6 @@ describe("The keyvault-admin clients logging options should work", () => { describe("KeyVaultBackupClient", () => { beforeEach(async () => { mockHttpClient = makeHTTPMock("/backup", 202); - sandbox = createSandbox(); spy = sandbox.spy(logger, "info"); }); diff --git a/sdk/keyvault/keyvault-admin/test/internal/serviceVersionParameter.spec.ts b/sdk/keyvault/keyvault-admin/test/internal/serviceVersionParameter.spec.ts index 8551108d1b31..7b1d3e979c9c 100644 --- a/sdk/keyvault/keyvault-admin/test/internal/serviceVersionParameter.spec.ts +++ b/sdk/keyvault/keyvault-admin/test/internal/serviceVersionParameter.spec.ts @@ -8,6 +8,7 @@ import { LATEST_API_VERSION } from "../../src/constants"; import { HttpClient, WebResourceLike, HttpOperationResponse, HttpHeaders } from "@azure/core-http"; import { ClientSecretCredential } from "@azure/identity"; import { env } from "@azure/test-utils-recorder"; +import { URL } from "url"; // Adding this to the source would change the public API. type ApIVersions = "7.2-preview"; 
@@ -35,11 +36,12 @@ describe("The keyvault-admin clients should set the serviceVersion", () => { let credential: ClientSecretCredential; beforeEach(async () => { - credential = await new ClientSecretCredential( + credential = new ClientSecretCredential( env.AZURE_TENANT_ID!, env.AZURE_CLIENT_ID!, env.AZURE_CLIENT_SECRET! ); + sandbox = createSandbox(); }); afterEach(() => { @@ -49,7 +51,6 @@ describe("The keyvault-admin clients should set the serviceVersion", () => { describe("KeyVaultAccessControlClient", () => { beforeEach(async () => { mockHttpClient = makeHTTPMock("/providers/Microsoft.Authorization/roleDefinitions"); - sandbox = createSandbox(); spy = sandbox.spy(mockHttpClient, "sendRequest"); }); @@ -58,11 +59,11 @@ describe("The keyvault-admin clients should set the serviceVersion", () => { httpClient: mockHttpClient }); await client.listRoleDefinitions("/").next(); + + assert.ok(spy.called); const calls = spy.getCalls(); - assert.equal( - calls[0].args[0].url, - `${env.KEYVAULT_URI}///providers/Microsoft.Authorization/roleDefinitions?api-version=${LATEST_API_VERSION}` - ); + const params = new URL(calls[0].args[0].url); + assert.equal(params.searchParams.get("api-version"), LATEST_API_VERSION); }); it("it should allow us to specify an API version from a specific set of versions", async function() { 
@@ -73,19 +74,16 @@ describe("The keyvault-admin clients should set the serviceVersion", () => { }); await client.listRoleDefinitions("/").next(); + assert.ok(spy.called); const calls = spy.getCalls(); - const lastCall = calls[calls.length - 1]; - assert.equal( - lastCall.args[0].url, - `${env.KEYVAULT_URI}///providers/Microsoft.Authorization/roleDefinitions?api-version=${serviceVersion}` - ); + const params = new URL(calls[0].args[0].url); + assert.equal(params.searchParams.get("api-version"), LATEST_API_VERSION); }); }); describe("KeyVaultBackupClient", () => { beforeEach(async () => { mockHttpClient = makeHTTPMock("/backup", 202); - sandbox = createSandbox(); spy = sandbox.spy(mockHttpClient, "sendRequest"); }); @@ -95,11 +93,10 @@ describe("The keyvault-admin clients should set the serviceVersion", () => { }); await client.beginBackup("secretName", "value"); + assert.ok(spy.called); const calls = spy.getCalls(); - assert.equal( - calls[0].args[0].url, - `${env.KEYVAULT_URI}/backup?api-version=${LATEST_API_VERSION}` - ); + const params = new URL(calls[0].args[0].url); + assert.equal(params.searchParams.get("api-version"), LATEST_API_VERSION); }); it("it should allow us to specify an API version from a specific set of versions", async function() { @@ -110,12 +107,10 @@ describe("The keyvault-admin clients should set the serviceVersion", () => { }); await client.beginBackup("secretName", "value"); + assert.ok(spy.called); const calls = spy.getCalls(); - const lastCall = calls[calls.length - 1]; - assert.equal( - lastCall.args[0].url, - `${env.KEYVAULT_URI}/backup?api-version=${serviceVersion}` - ); + const params = new URL(calls[0].args[0].url); + assert.equal(params.searchParams.get("api-version"), serviceVersion); }); }); }); diff --git a/sdk/keyvault/keyvault-admin/test/internal/userAgent.spec.ts b/sdk/keyvault/keyvault-admin/test/internal/userAgent.spec.ts index 4ac74a833d6a..5e065f41721d 100644 --- a/sdk/keyvault/keyvault-admin/test/internal/userAgent.spec.ts 
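Review bot: The access-control variant of `it should allow us to specify an API version from a specific set of versions` now asserts `LATEST_API_VERSION` instead of the `serviceVersion` the test passes to the client (presumably declared in the part of the test above this hunk), so it no longer verifies that an explicit version reaches the wire; the backup variant at the bottom of this file correctly asserts `serviceVersion`. It only passes today because the single allowed `ApIVersions` value coincides with `LATEST_API_VERSION`, which will hide a regression the moment a second version is added. Change the last assertion in that test to `assert.equal(params.searchParams.get("api-version"), serviceVersion);`.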
+++ b/sdk/keyvault/keyvault-admin/test/internal/userAgent.spec.ts @@ -8,16 +8,18 @@ import { isNode } from "@azure/core-http"; import path from "path"; import fs from "fs"; -describe("Key Vault Admin's user agent (only in Node, because of fs)", () => { +describe("Key Vault Admin's user agent (only in Node, because of fs)", function() { + beforeEach(function() { + if (!isNode) { + this.skip(); + } + }); + it("SDK_VERSION and packageVersion should match", async function() { assert.equal(SDK_VERSION, packageVersion); }); it("the version should also match with the one available in the package.json (only in Node, because of fs)", async function() { - if (!isNode) { - this.skip(); - return; - } let version: string; try { const fileContents = JSON.parse( diff --git a/sdk/keyvault/keyvault-admin/test/public/accessControlClient.spec.ts b/sdk/keyvault/keyvault-admin/test/public/accessControlClient.spec.ts index dff1998ccafc..819fbcc9037d 100644 --- a/sdk/keyvault/keyvault-admin/test/public/accessControlClient.spec.ts +++ b/sdk/keyvault/keyvault-admin/test/public/accessControlClient.spec.ts @@ -71,7 +71,7 @@ describe("KeyVaultAccessControlClient", () => { assert.ok(receivedRoles.length); }); - it("createRoleAssignment, getRoleAssignment and deleteRoleAssignment", async function() { + it.skip("createRoleAssignment, getRoleAssignment and deleteRoleAssignment", async function() { // First, deleting any existing assignment, just in case. for await (const roleAssignment of client.listRoleAssignments(globalScope)) { // Removing all roles from this object ID might kick us out of the system. @@ -81,8 +81,8 @@ describe("KeyVaultAccessControlClient", () => { } } - const roleDefinition = (await client.listRoleDefinitions(globalScope).next()).value; const name = generateFakeUUID(); + const roleDefinition = (await client.listRoleDefinitions(globalScope).next()).value; let assignment = await client.createRoleAssignment( globalScope, 
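Review bot: `it.skip` on `createRoleAssignment, getRoleAssignment and deleteRoleAssignment` drops the only live coverage of the RBAC write path visible in this file without recording why, so nobody will know when it is safe to re-enable; the loop that precedes it deletes every existing assignment at `globalScope` before the test body runs, which is exactly the kind of destructive step that deserves a stated reason next to the skip. Add a comment above the `it.skip`, e.g. `// TODO(keyvault-admin): re-enable once <reason/issue>; note this test wipes all role assignments at globalScope first.` The test body continues past the end of the hunk.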
diff --git a/sdk/keyvault/keyvault-admin/test/public/backupClient.abort.spec.ts b/sdk/keyvault/keyvault-admin/test/public/backupClient.abort.spec.ts index 2073a6f677ea..68070f46f064 100644 --- a/sdk/keyvault/keyvault-admin/test/public/backupClient.abort.spec.ts +++ b/sdk/keyvault/keyvault-admin/test/public/backupClient.abort.spec.ts @@ -9,7 +9,7 @@ import { authenticate } from "../utils/authentication"; import { testPollerProperties } from "../utils/recorder"; import { assertThrowsAbortError, getFolderName } from "../utils/common"; -describe("Aborting KeyVaultBackupClient's requests", () => { +describe.skip("Aborting KeyVaultBackupClient's requests", () => { let client: KeyVaultBackupClient; let recorder: Recorder; let generateFakeUUID: () => string; diff --git a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts index feeb28406f8f..78daa5924208 100644 --- a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts +++ b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts 
@@ -23,17 +23,17 @@ describe("KeyVaultBackupClient", () => { await recorder.stop(); }); - // The tests follow - - it("beginBackup", async function() { - const blobStorageUri = env.BLOB_STORAGE_URI; + it.skip("beginBackup", async function() { + const blobStorageUri = `https://${env.BLOB_STORAGE_ACCOUNT_NAME}.blob.core.windows.net/backup`; const sasToken = env.BLOB_STORAGE_SAS_TOKEN; + console.log("blobStorageUri", blobStorageUri); + console.log("sasToken", sasToken); const backupPoller = await client.beginBackup(blobStorageUri, sasToken, testPollerProperties); - const backupURI = await backupPoller.pollUntilDone(); - assert.ok(!!backupURI.match(blobStorageUri)); + const backupResult = await backupPoller.pollUntilDone(); + assert.equal(backupResult, blobStorageUri); }); - it("beginBackup, then beginRestore", async function() { + it.skip("beginBackup, then beginRestore", async function() { const blobStorageUri = env.BLOB_STORAGE_URI; const sasToken = env.BLOB_STORAGE_SAS_TOKEN; const backupPoller = await client.beginBackup(blobStorageUri, sasToken, testPollerProperties); @@ -53,7 +53,7 @@ describe("KeyVaultBackupClient", () => { assert.equal(operationState.error, undefined); }); - it("beginBackup, then beginSelectiveRestore", async function() { + it.skip("beginBackup, then beginSelectiveRestore", async function() { const keyName = "rsa-1"; const blobStorageUri = env.BLOB_STORAGE_URI; diff --git a/sdk/keyvault/keyvault-admin/test/utils/authentication.ts b/sdk/keyvault/keyvault-admin/test/utils/authentication.ts index 1674d5d4fca8..cbbc4d981e20 100644 --- a/sdk/keyvault/keyvault-admin/test/utils/authentication.ts +++ b/sdk/keyvault/keyvault-admin/test/utils/authentication.ts 
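Review bot: The two `console.log` calls added to `beginBackup` print `sasToken` (and the storage URI) to the test output; `BLOB_STORAGE_SAS_TOKEN` is a bearer credential for the backup container, and during a live or recording run this is the real token, so it would land in CI logs and anything that archives them. The `it.skip` only defers the problem until someone re-enables the test, and the recorder's placeholder substitution does not apply to stdout. Remove both lines, or keep only the URI and replace the token log with `assert.ok(sasToken, "BLOB_STORAGE_SAS_TOKEN is not set");`. Separately, this test now derives `blobStorageUri` from `BLOB_STORAGE_ACCOUNT_NAME` while the two tests below still read `env.BLOB_STORAGE_URI`, so the three will point at different containers unless those variables are kept in sync.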
@@ -1,12 +1,11 @@ // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. -import { AzureCliCredential } from "@azure/identity"; -import { isPlaybackMode, record, RecorderEnvironmentSetup } from "@azure/test-utils-recorder"; +import { ClientSecretCredential } from "@azure/identity"; +import { env, isPlaybackMode, record, RecorderEnvironmentSetup } from "@azure/test-utils-recorder"; import { v4 as uuidv4 } from "uuid"; import { KeyVaultAccessControlClient, KeyVaultBackupClient } from "../../src"; -import { getKeyvaultName, getKeyVaultUrl } from "./common"; import { uniqueString } from "./recorder"; export async function authenticate(that: any): Promise { @@ -23,14 +22,16 @@ export async function authenticate(that: any): Promise { const suffix = uniqueString(); const recorderEnvSetup: RecorderEnvironmentSetup = { replaceableVariables: { + AZURE_MANAGEDHSM_URL: "https://azure_managedhsm.managedhsm.azure.net", AZURE_CLIENT_ID: "azure_client_id", - AZURE_TENANT_ID: "azure_tenant_id", AZURE_CLIENT_SECRET: "azure_client_secret", - CLIENT_OBJECT_ID: "01ea9a65-813e-4238-8204-bf7328d63fc6", - BLOB_STORAGE_URI: "https://uri.blob.core.windows.net/backup", + AZURE_TENANT_ID: "azure_tenant_id", + KEYVAULT_URI: "https://keyvault_name.vault.azure.net", + BLOB_CONTAINER_NAME: "uri", + BLOB_STORAGE_ACCOUNT_NAME: "blob_storage_account_name", BLOB_STORAGE_SAS_TOKEN: "blob_storage_sas_token", - KEYVAULT_NAME: "keyvault_name", - KEYVAULT_URI: "https://eastus2.keyvault_name.managedhsm.azure.net" + BLOB_STORAGE_URI: "https://uri.blob.core.windows.net/backup", + CLIENT_OBJECT_ID: "01ea9a65-813e-4238-8204-bf7328d63fc6" }, customizationsOnRecordings: [ (recording: any): any => 
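Review bot: `replaceableVariables` scrubs the credential and endpoint values, but the recordings committed alongside this change still carry what looks like the recording host's public IP in the `x-ms-keyvault-network-info` header (`addr=50.35.231.105`) and the AAD `fpc`/gateway `Set-Cookie` values from the token response; none of those are covered by the placeholder map. The `customizationsOnRecordings` entry that begins on the last line of this hunk is where a header scrubber belongs, but its body is outside the hunk so I cannot tell whether it already handles this. If it does not, something like `(recording: any): any => recording.replace(/addr=[\d.]+/g, "addr=0.0.0.0")` would keep the IP out of the repository, and a similar pass over `Set-Cookie` values would be reasonable.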
@@ -55,12 +56,19 @@ export async function authenticate(that: any): Promise { queryParametersToSkip: [] }; const recorder = record(that, recorderEnvSetup); - const credential = await new AzureCliCredential(); + const credential = new ClientSecretCredential( + env.AZURE_TENANT_ID, + env.AZURE_CLIENT_ID, + env.AZURE_CLIENT_SECRET + ); + + const keyVaultHsmUrl = env.AZURE_MANAGEDHSM_URL; + if (!keyVaultHsmUrl) { + throw new Error("Missing AZURE_MANAGEDHSM_URL environment variable."); + } - const keyVaultName = getKeyvaultName(); - const keyVaultUrl = getKeyVaultUrl() || `https://${keyVaultName}.vault.azure.net`; - const accessControlClient = new KeyVaultAccessControlClient(keyVaultUrl, credential); - const backupClient = new KeyVaultBackupClient(keyVaultUrl, credential); + const accessControlClient = new KeyVaultAccessControlClient(keyVaultHsmUrl, credential); + const backupClient = new KeyVaultBackupClient(keyVaultHsmUrl, credential); return { recorder, accessControlClient, backupClient, suffix, generateFakeUUID }; } diff --git a/sdk/keyvault/keyvault-admin/test/utils/common.ts b/sdk/keyvault/keyvault-admin/test/utils/common.ts index fe10995cac2b..369ae46070ff 100644 --- a/sdk/keyvault/keyvault-admin/test/utils/common.ts +++ b/sdk/keyvault/keyvault-admin/test/utils/common.ts @@ -1,7 +1,6 @@ // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. -import { env } from "@azure/test-utils-recorder"; import * as assert from "assert"; // Async iterator's polyfill for Node 8 
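Review bot: The new `ClientSecretCredential` is built from `env.AZURE_TENANT_ID`, `env.AZURE_CLIENT_ID` and `env.AZURE_CLIENT_SECRET` with no presence check, while `AZURE_MANAGEDHSM_URL` gets one a few lines later; a missing credential variable would presumably surface as a less clear failure inside the credential or at the first request. A guard in the same style keeps live-mode setup failures obvious, e.g. `if (!env.AZURE_TENANT_ID || !env.AZURE_CLIENT_ID || !env.AZURE_CLIENT_SECRET) { throw new Error("Missing AZURE_TENANT_ID, AZURE_CLIENT_ID or AZURE_CLIENT_SECRET environment variable."); }`. The `authenticate` function starts outside the hunk.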
@@ -9,25 +8,6 @@ if (!Symbol || !(Symbol as any).asyncIterator) { (Symbol as any).asyncIterator = Symbol.for("Symbol.asyncIterator"); } -export function getKeyvaultName(): string { - const keyVaultEnvVarName = "KEYVAULT_NAME"; - const keyVaultName: string | undefined = env[keyVaultEnvVarName]; - - if (!keyVaultName) { - throw new Error(`${keyVaultEnvVarName} environment variable not specified.`); - } - - return keyVaultName; -} - -// The property in the clients is called vaultUrl, but the environment variable is KEYVAULT_URI. -export function getKeyVaultUrl(): string { - const keyVaultEnvVarName = "KEYVAULT_URI"; - const result: string | undefined = env[keyVaultEnvVarName]; - - return result!; -} - export async function assertThrowsAbortError(cb: () => Promise): Promise { let passed = false; try { diff --git a/sdk/keyvault/keyvault-admin/tests.yml b/sdk/keyvault/keyvault-admin/tests.yml index 6fd4c6143258..6eec2719d0ac 100644 --- a/sdk/keyvault/keyvault-admin/tests.yml +++ b/sdk/keyvault/keyvault-admin/tests.yml @@ -5,7 +5,19 @@ extends: parameters: PackageName: "@azure/keyvault-admin" ResourceServiceDirectory: keyvault - TestMinMax: true + # KV HSM limitation prevents us from running live tests + # against multiple platforms in parallel (we're limited to a single + # instance per region per subscription) so we're only running + # live tests against a single instance. + TestMinMax: false + TestBrowser: false + testSamples: false + ArmTemplateParameters: "@{ enableHsm = $true }" + Matrix: + Linux Node 10 with Managed HSM: + OSVmImage: "ubuntu-18.04" + TestType: "node" + NodeTestVersion: "10.x" EnvVars: AZURE_CLIENT_ID: $(aad-azure-sdk-test-client-id) AZURE_TENANT_ID: $(aad-azure-sdk-test-tenant-id) diff --git a/sdk/keyvault/keyvault-certificates/karma.conf.js b/sdk/keyvault/keyvault-certificates/karma.conf.js index 105085fe393b..4713581df0d8 100644 --- a/sdk/keyvault/keyvault-certificates/karma.conf.js +++ b/sdk/keyvault/keyvault-certificates/karma.conf.js 
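Review bot: The parameter keys added in the tests.yml hunk mix casing: `TestMinMax`, `TestBrowser` and `ArmTemplateParameters` are PascalCase while `testSamples` is camelCase; if the extended template declares `TestSamples`, the lowercase key would presumably be ignored rather than rejected, so this is worth confirming against the template. The comment above `TestMinMax: false` explains the single-instance limitation but not that `ArmTemplateParameters: "@{ enableHsm = $true }"` is what provisions that instance; a one-line note next to it, e.g. `# enableHsm provisions the single Managed HSM the matrix below is restricted to.`, would connect the two.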
@@ -49,6 +49,7 @@ module.exports = function(config) { "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID", "KEYVAULT_NAME", + "KEYVAULT_URI", "TEST_MODE" ], diff --git a/sdk/keyvault/keyvault-certificates/test/utils/testAuthentication.ts b/sdk/keyvault/keyvault-certificates/test/utils/testAuthentication.ts index 3437517a6a0e..12325c1e807c 100644 --- a/sdk/keyvault/keyvault-certificates/test/utils/testAuthentication.ts +++ b/sdk/keyvault/keyvault-certificates/test/utils/testAuthentication.ts @@ -2,7 +2,6 @@ // Licensed under the MIT license. import { ClientSecretCredential } from "@azure/identity"; -import { getKeyvaultName } from "./utils.common"; import { CertificateClient } from "../../src"; import { uniqueString } from "./recorderUtils"; import { env, record, RecorderEnvironmentSetup } from "@azure/test-utils-recorder"; @@ -16,7 +15,8 @@ export async function authenticate(that: Context): Promise { AZURE_CLIENT_ID: "azure_client_id", AZURE_CLIENT_SECRET: "azure_client_secret", AZURE_TENANT_ID: "azure_tenant_id", - KEYVAULT_NAME: "keyvault_name" + KEYVAULT_NAME: "keyvault_name", + KEYVAULT_URI: "https://keyvault_name.vault.azure.net" }, customizationsOnRecordings: [ (recording: any): any => @@ -33,8 +33,11 @@ export async function authenticate(that: Context): Promise { env.AZURE_CLIENT_SECRET ); - const keyVaultName = getKeyvaultName(); - const keyVaultUrl = `https://${keyVaultName}.vault.azure.net`; + const keyVaultUrl = env.KEYVAULT_URI; + if (!keyVaultUrl) { + throw new Error("Missing KEYVAULT_URI environment variable."); + } + const client = new CertificateClient(keyVaultUrl, credential); const testClient = new TestClient(client); diff --git a/sdk/keyvault/keyvault-keys/karma.conf.js b/sdk/keyvault/keyvault-keys/karma.conf.js index 287a194c79c5..eb03a2d993ea 100644 --- a/sdk/keyvault/keyvault-keys/karma.conf.js +++ b/sdk/keyvault/keyvault-keys/karma.conf.js 
@@ -49,6 +49,7 @@ module.exports = function(config) { "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID", "KEYVAULT_NAME", + "KEYVAULT_URI", "TEST_MODE" ], diff --git a/sdk/keyvault/keyvault-keys/test/internal/challengeBasedAuthenticationPolicy.spec.ts b/sdk/keyvault/keyvault-keys/test/internal/challengeBasedAuthenticationPolicy.spec.ts index 90aa35e3dc96..a9be2e0db0ce 100644 --- a/sdk/keyvault/keyvault-keys/test/internal/challengeBasedAuthenticationPolicy.spec.ts +++ b/sdk/keyvault/keyvault-keys/test/internal/challengeBasedAuthenticationPolicy.spec.ts @@ -26,7 +26,7 @@ describe("Challenge based authentication tests", () => { let testClient: TestClient; let recorder: Recorder; - beforeEach(async function () { + beforeEach(async function() { const authentication = await authenticate(this); keySuffix = authentication.keySuffix; client = authentication.client; @@ -34,13 +34,13 @@ describe("Challenge based authentication tests", () => { recorder = authentication.recorder; }); - afterEach(async function () { + afterEach(async function() { await recorder.stop(); }); // The tests follow - it("Authentication should work for parallel requests", async function () { + it("Authentication should work for parallel requests", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); const keyNames = [`${keyName}-0`, `${keyName}-1`]; @@ -71,7 +71,7 @@ describe("Challenge based authentication tests", () => { sandbox.restore(); }); - it("Once authenticated, new requests should not authenticate again", async function () { + it("Once authenticated, new requests should not authenticate again", async function() { // Our goal is to intercept how our pipelines are storing the challenge. // The first network call should indeed set the challenge in memory. // Subsequent network calls should not set new challenges. 
diff --git a/sdk/keyvault/keyvault-keys/test/public/list.spec.ts b/sdk/keyvault/keyvault-keys/test/public/list.spec.ts index 08c39ab8c162..4fc6c6172a52 100644 --- a/sdk/keyvault/keyvault-keys/test/public/list.spec.ts +++ b/sdk/keyvault/keyvault-keys/test/public/list.spec.ts @@ -20,7 +20,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { let testClient: TestClient; let recorder: Recorder; - beforeEach(async function () { + beforeEach(async function() { const authentication = await authenticate(this, serviceVersion); keySuffix = authentication.keySuffix; client = authentication.client; @@ -28,7 +28,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { recorder = authentication.recorder; }); - afterEach(async function () { + afterEach(async function() { await recorder.stop(); }); @@ -37,8 +37,8 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { // Use this while recording to make sure the target keyvault is clean. // The next tests will produce a more consistent output. // This test is only useful while developing locally. - it("can purge all keys", async function (): Promise { - // WARNING: When TEST_MODE equals "record", all of the keys in the indicated KEYVAULT_NAME will be deleted as part of this test. + it("can purge all keys", async function(): Promise { + // WARNING: When TEST_MODE equals "record", all of the keys in the indicated KEYVAULT_URI will be deleted as part of this test. if (!isRecordMode()) { return this.skip(); } @@ -58,7 +58,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { } }); - it("can get the versions of a key", async function () { + it("can get the versions of a key", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); await client.createKey(keyName, "RSA"); let totalVersions = 0; 
@@ -75,7 +75,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { }); // On playback mode, the tests happen too fast for the timeout to work - it("can get the versions of a key with requestOptions timeout", async function () { + it("can get the versions of a key with requestOptions timeout", async function() { recorder.skip(undefined, "Timeout tests don't work on playback mode."); const iter = client.listPropertiesOfKeyVersions("doesntmatter", { requestOptions: { timeout: 1 } @@ -85,7 +85,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { }); }); - it("can get the versions of a key (paged)", async function () { + it("can get the versions of a key (paged)", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); await client.createKey(keyName, "RSA"); let totalVersions = 0; @@ -103,7 +103,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { await testClient.flushKey(keyName); }); - it("list 0 versions of a non-existing key", async function () { + it("list 0 versions of a non-existing key", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); let totalVersions = 0; for await (const version of client.listPropertiesOfKeyVersions(keyName)) { @@ -117,7 +117,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { assert.equal(totalVersions, 0, `Unexpected total versions for key ${keyName}`); }); - it("list 0 versions of a non-existing key (paged)", async function () { + it("list 0 versions of a non-existing key (paged)", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); let totalVersions = 0; for await (const page of client.listPropertiesOfKeyVersions(keyName).byPage()) { 
@@ -133,7 +133,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { assert.equal(totalVersions, 0, `Unexpected total versions for key ${keyName}`); }); - it("can get several inserted keys", async function () { + it("can get several inserted keys", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); const keyNames = [`${keyName}-0`, `${keyName}-1`]; for (const name of keyNames) { @@ -155,7 +155,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { }); // On playback mode, the tests happen too fast for the timeout to work - it("can get several inserted keys with requestOptions timeout", async function () { + it("can get several inserted keys with requestOptions timeout", async function() { recorder.skip(undefined, "Timeout tests don't work on playback mode."); const iter = client.listPropertiesOfKeys({ requestOptions: { timeout: 1 } }); @@ -164,7 +164,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { }); }); - it("can get several inserted keys (paged)", async function () { + it("can get several inserted keys (paged)", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); const keyNames = [`${keyName}-0`, `${keyName}-1`]; for (const name of keyNames) { @@ -187,7 +187,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { } }); - it("list deleted keys", async function () { + it("list deleted keys", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); const keyNames = [`${keyName}-0`, `${keyName}-1`]; for (const name of keyNames) { 
@@ -213,7 +213,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { }); // On playback mode, the tests happen too fast for the timeout to work - it("list deleted keys with requestOptions timeout", async function () { + it("list deleted keys with requestOptions timeout", async function() { recorder.skip(undefined, "Timeout tests don't work on playback mode."); const iter = client.listDeletedKeys({ requestOptions: { timeout: 1 } }); await assertThrowsAbortError(async () => { @@ -221,7 +221,7 @@ versionsToTest(serviceApiVersions, {}, (serviceVersion, onVersions) => { }); }); - it("list deleted keys (paged)", async function () { + it("list deleted keys (paged)", async function() { const keyName = testClient.formatName(`${keyPrefix}-${this!.test!.title}-${keySuffix}`); const keyNames = [`${keyName}-0`, `${keyName}-1`]; for (const name of keyNames) { diff --git a/sdk/keyvault/keyvault-keys/test/utils/testAuthentication.ts b/sdk/keyvault/keyvault-keys/test/utils/testAuthentication.ts index 7afbb7a482c2..d276e5ab353a 100644 --- a/sdk/keyvault/keyvault-keys/test/utils/testAuthentication.ts +++ b/sdk/keyvault/keyvault-keys/test/utils/testAuthentication.ts @@ -2,7 +2,6 @@ // Licensed under the MIT license. import { ClientSecretCredential } from "@azure/identity"; -import { getKeyvaultName } from "./utils.common"; import { KeyClient } from "../../src"; import { env, record, RecorderEnvironmentSetup } from "@azure/test-utils-recorder"; import { uniqueString } from "./recorderUtils"; @@ -18,7 +17,8 @@ export async function authenticate(that: Context, version?: string): Promise 
@@ -29,14 +29,17 @@ export async function authenticate(that: Context, version?: string): Promise { // The next tests will produce a more consistent output. // This test is only useful while developing locally. it("can purge all secrets", async function(): Promise { - // WARNING: When TEST_MODE equals "record", all of the secrets in the indicated KEYVAULT_NAME will be deleted as part of this test. + // WARNING: When TEST_MODE equals "record", all of the secrets in the indicated KEYVAULT_URI will be deleted as part of this test. if (!isRecordMode()) { return this.skip(); } diff --git a/sdk/keyvault/keyvault-secrets/test/utils/testAuthentication.ts b/sdk/keyvault/keyvault-secrets/test/utils/testAuthentication.ts index 7cc90171409e..d5f577f7a247 100644 --- a/sdk/keyvault/keyvault-secrets/test/utils/testAuthentication.ts +++ b/sdk/keyvault/keyvault-secrets/test/utils/testAuthentication.ts @@ -2,7 +2,6 @@ // Licensed under the MIT license. import { ClientSecretCredential } from "@azure/identity"; -import { getKeyvaultName } from "./utils.common"; import { SecretClient } from "../../src"; import { env, record, RecorderEnvironmentSetup } from "@azure/test-utils-recorder"; import { uniqueString } from "./recorderUtils"; @@ -16,7 +15,8 @@ export async function authenticate(that: Context): Promise { AZURE_CLIENT_ID: "azure_client_id", AZURE_CLIENT_SECRET: "azure_client_secret", AZURE_TENANT_ID: "azure_tenant_id", - KEYVAULT_NAME: "keyvault_name" + KEYVAULT_NAME: "keyvault_name", + KEYVAULT_URI: "https://keyvault_name.vault.azure.net" }, customizationsOnRecordings: [ (recording: any): any => 
@@ -33,8 +33,11 @@ export async function authenticate(that: Context): Promise { env.AZURE_CLIENT_SECRET ); - const keyVaultName = getKeyvaultName(); - const keyVaultUrl = `https://${keyVaultName}.vault.azure.net`; + const keyVaultUrl = env.KEYVAULT_URI; + if (!keyVaultUrl) { + throw new Error("Missing KEYVAULT_URI environment variable."); + } + const client = new SecretClient(keyVaultUrl, credential); const testClient = new TestClient(client); diff --git a/sdk/keyvault/keyvault-secrets/test/utils/utils.common.ts b/sdk/keyvault/keyvault-secrets/test/utils/utils.common.ts index 7f8cf70092d8..dc16169c23a4 100644 --- a/sdk/keyvault/keyvault-secrets/test/utils/utils.common.ts +++ b/sdk/keyvault/keyvault-secrets/test/utils/utils.common.ts @@ -1,7 +1,6 @@ // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. -import { env } from "@azure/test-utils-recorder"; import * as assert from "assert"; // Async iterator's polyfill for Node 8 @@ -9,17 +8,6 @@ if (!Symbol || !(Symbol as any).asyncIterator) { (Symbol as any).asyncIterator = Symbol.for("Symbol.asyncIterator"); } -export function getKeyvaultName(): string { - const keyVaultEnvVarName = "KEYVAULT_NAME"; - const keyVaultName: string | undefined = env[keyVaultEnvVarName]; - - if (!keyVaultName) { - throw new Error(`${keyVaultEnvVarName} environment variable not specified.`); - } - - return keyVaultName; -} - export async function assertThrowsAbortError(cb: () => Promise): Promise { let passed = false; try { diff --git a/sdk/keyvault/test-resources-post.ps1 b/sdk/keyvault/test-resources-post.ps1 new file mode 100644 index 000000000000..7ad39eea28fa --- /dev/null +++ b/sdk/keyvault/test-resources-post.ps1 
@@ -0,0 +1,108 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# IMPORTANT: Do not invoke this file directly. Please instead run eng/New-TestResources.ps1 from the repository root.
+
+#Requires -Version 6.0
+#Requires -PSEdition Core
+
+using namespace System.Security.Cryptography
+using namespace System.Security.Cryptography.X509Certificates
+
+# Use same parameter names as declared in eng/New-TestResources.ps1 (assume validation therein).
+[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
+param (
+ [Parameter()]
+ [hashtable] $DeploymentOutputs,
+
+ # Captures any arguments from eng/New-TestResources.ps1 not declared here (no parameter errors).
+ [Parameter(ValueFromRemainingArguments = $true)]
+ $RemainingArguments
+)
+
+# By default stop for any error.
+if (!$PSBoundParameters.ContainsKey('ErrorAction')) {
+ $ErrorActionPreference = 'Stop'
+}
+
+function Log($Message) {
+ Write-Host ('{0} - {1}' -f [DateTime]::Now.ToLongTimeString(), $Message)
+}
+
+function New-X509Certificate2([string] $SubjectName) {
+
+ $rsa = [RSA]::Create(2048)
+ try {
+ $req = [CertificateRequest]::new(
+ [string] $SubjectName,
+ $rsa,
+ [HashAlgorithmName]::SHA256,
+ [RSASignaturePadding]::Pkcs1
+ )
+
+ # TODO: Add any KUs necessary to $req.CertificateExtensions
+
+ $NotBefore = [DateTimeOffset]::Now.AddDays(-1)
+ $NotAfter = $NotBefore.AddDays(365)
+
+ $req.CreateSelfSigned($NotBefore, $NotAfter)
+ }
+ finally {
+ $rsa.Dispose()
+ }
+}
+
+function Export-X509Certificate2([string] $Path, [X509Certificate2] $Certificate) {
+
+ $Certificate.Export([X509ContentType]::Pfx) | Set-Content $Path -AsByteStream
+}
+
+function Export-X509Certificate2PEM([string] $Path, [X509Certificate2] $Certificate) {
+
+@"
+-----BEGIN CERTIFICATE-----
+$([Convert]::ToBase64String($Certificate.RawData, 'InsertLineBreaks'))
+-----END CERTIFICATE-----
+"@ > $Path
+
+}
+
+# Make sure we deployed a Managed HSM.
+if (!$DeploymentOutputs['AZURE_MANAGEDHSM_URL']) {
+ Log "Managed HSM not deployed; skipping activation"
+ exit
+}
+
+[Uri] $hsmUrl = $DeploymentOutputs['AZURE_MANAGEDHSM_URL']
+$hsmName = $hsmUrl.Host.Substring(0, $hsmUrl.Host.IndexOf('.'))
+
+$tenant = $DeploymentOutputs['KEYVAULT_TENANT_ID']
+$username = $DeploymentOutputs['KEYVAULT_CLIENT_ID']
+$password = $DeploymentOutputs['KEYVAULT_CLIENT_SECRET']
+
+Log 'Creating 3 X509 certificates to activate security domain'
+$wrappingFiles = foreach ($i in 0..2) {
+ $certificate = New-X509Certificate2 "CN=$($hsmUrl.Host)"
+
+ $baseName = Join-Path -Path $PSScriptRoot -ChildPath "$hsmName-certificate$i"
+ Export-X509Certificate2 "$baseName.pfx" $certificate
+ Export-X509Certificate2PEM "$baseName.cer" $certificate
+
+ Resolve-Path "$baseName.cer"
+}
+
+# TODO: Use Az module when available; for now, assumes Azure CLI is installed and in $Env:PATH.
+Log "Logging '$username' into the Azure CLI"
+az login --service-principal --tenant "$tenant" --username "$username" --password="$password"
+
+Log "Downloading security domain from '$hsmUrl'"
+
+$sdPath = Join-Path -Path $PSScriptRoot -ChildPath "$hsmName-security-domain.key"
+if (Test-Path $sdpath) {
+ Log "Deleting old security domain: $sdPath"
+ Remove-Item $sdPath -Force
+}
+
+az keyvault security-domain download --hsm-name $hsmName --security-domain-file $sdPath --sd-quorum 2 --sd-wrapping-keys $wrappingFiles
+
+Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsmUrl'"
diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json
index 2d646f901c21..a1594bed9673 100644
--- a/sdk/keyvault/test-resources.json
+++ b/sdk/keyvault/test-resources.json
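Review bot: `Export-X509Certificate2` calls `$Certificate.Export([X509ContentType]::Pfx)` with no password, so the private keys of the three security-domain wrapping certificates are written unencrypted to `$PSScriptRoot` next to the downloaded `.key` file and remain on the build machine after the script exits; with `--sd-quorum 2`, any two of them are what is needed to unwrap that security domain. Use the password-taking overload, `$Certificate.Export([X509ContentType]::Pfx, $pfxPassword)`, with a value generated at run time, and delete or ACL-restrict the `.pfx` files once the download completes. `az login ... --password="$password"` passes the client secret as a process argument, visible to other local processes and to any CI step that echoes commands; certificate-based login for the service principal avoids putting the secret in argv. Minor: `Test-Path $sdpath` differs in casing from the `$sdPath` used on the surrounding lines — it works because variable names are case-insensitive, but it reads like a typo.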
@@ -1,41 +1,98 @@ { - "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "baseName": { "type": "string", "defaultValue": "[resourceGroup().name]", "metadata": { - "description": "The base resource name that is used to ensure the generated resources have unique names. This field gets automatically generated on our CI pipelines. It's possible to use non-alphanumeric characters in some resource names, like dashes in KV names, but keeping it simple will reduce confusion. A safe upper limit on the number of characters is 17 characters." + "description": "The base resource name." } }, "tenantId": { "type": "string", + "defaultValue": "72f988bf-86f1-41af-91ab-2d7cd011db47", "metadata": { - "description": "The tenant ID to which the application and resources belong. You may copy it from the one available on the overview page of the Azure Active Directory section of the Azure portal, or obtain it from the overview page of a recently created Azure Application." + "description": "The tenant ID to which the application and resources belong." } }, "testApplicationOid": { "type": "string", + "defaultValue": "b3653439-8136-4cd5-aac3-2a9460871ca6", "metadata": { - "description": "The application client ID used to run tests. You may get it from the overview page of a recently created Azure application." + "description": "The client OID to grant access to test resources." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resource. By default, this is the same as the resource group." + } + }, + "hsmLocation": { + "type": "string", + "defaultValue": "eastus2", + "allowedValues": ["eastus2", "southcentralus", "northeurope", "westeurope"], + "metadata": { + "description": "The location of the Managed HSM. 
By default, this is 'southcentralus'." + } + }, + "enableHsm": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Whether to enable deployment of Managed HSM. The default is false." + } + }, + "enableSoftDelete": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Whether to enable soft delete for the Key Vault. The default is true." + } + }, + "keyVaultSku": { + "type": "string", + "defaultValue": "premium", + "metadata": { + "description": "Key Vault SKU to deploy. The default is 'premium'" } } }, "variables": { - "location": "[resourceGroup().location]", - "keyVaultName": "[parameters('baseName')]" + "kvApiVersion": "2019-09-01", + "kvName": "[parameters('baseName')]", + "hsmApiVersion": "2020-04-01-preview", + "hsmName": "[concat(parameters('baseName'), 'hsm')]", + "mgmtApiVersion": "2019-04-01", + "blobContainerName": "backup", + "primaryAccountName": "[concat(replace(parameters('baseName'), '-', ''), 'prim')]", + "encryption": { + "services": { + "blob": { + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + }, + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Allow" + } }, "resources": [ { "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2016-10-01", - "name": "[variables('keyVaultName')]", - "location": "[variables('location')]", + "apiVersion": "[variables('kvApiVersion')]", + "name": "[variables('kvName')]", + "location": "[parameters('location')]", "properties": { "sku": { "family": "A", - "name": "Premium" + "name": "[parameters('keyVaultSku')]" }, "tenantId": "[parameters('tenantId')]", "accessPolicies": [ 
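Review bot: The `hsmLocation` description says `By default, this is 'southcentralus'` but `defaultValue` is `"eastus2"`; make the text match, e.g. `"description": "The location of the Managed HSM. By default, this is 'eastus2'."`. `tenantId` and `testApplicationOid` gained hard-coded defaults where they were previously required parameters, so a deployment that omits them now silently targets that specific tenant and grants the vault access policy to that specific object ID instead of failing; if eng/New-TestResources.ps1 always supplies both, a comment in the `metadata` description saying the defaults exist only for local convenience would help, otherwise the defaults should go.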
@@ -44,41 +101,41 @@ "objectId": "[parameters('testApplicationOid')]", "permissions": { "keys": [ - "backup", - "create", - "decrypt", - "delete", - "encrypt", "get", - "import", "list", - "purge", + "update", + "create", + "import", + "delete", "recover", + "backup", "restore", - "sign", + "decrypt", + "encrypt", "unwrapKey", - "update", + "wrapKey", "verify", - "wrapKey" + "sign", + "purge" ], - "secrets": ["backup", "delete", "get", "list", "purge", "recover", "restore", "set"], + "secrets": ["get", "list", "set", "delete", "recover", "backup", "restore", "purge"], "certificates": [ - "backup", - "create", - "delete", - "deleteissuers", "get", - "getissuers", - "import", "list", - "listissuers", - "managecontacts", - "manageissuers", - "purge", + "update", + "create", + "import", + "delete", "recover", + "backup", "restore", + "managecontacts", + "manageissuers", + "getissuers", + "listissuers", "setissuers", - "update" + "deleteissuers", + "purge" ] } } 
@@ -86,18 +143,90 @@ "enabledForDeployment": false, "enabledForDiskEncryption": false, "enabledForTemplateDeployment": false, - "enableSoftDelete": true + "enableSoftDelete": "[parameters('enableSoftDelete')]", + "softDeleteRetentionInDays": 7 + } + }, + { + "type": "Microsoft.KeyVault/managedHSMs", + "apiVersion": "[variables('hsmApiVersion')]", + "name": "[variables('hsmName')]", + "condition": "[parameters('enableHsm')]", + "location": "[parameters('hsmLocation')]", + "sku": { + "family": "B", + "name": "Standard_B1" + }, + "properties": { + "tenantId": "[parameters('tenantId')]", + "initialAdminObjectIds": ["[parameters('testApplicationOid')]"], + "enablePurgeProtection": false, + "enableSoftDelete": "[parameters('enableSoftDelete')]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "[variables('mgmtApiVersion')]", + "name": "[variables('primaryAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_RAGRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": "[variables('networkAcls')]", + "supportsHttpsTrafficOnly": true, + "encryption": "[variables('encryption')]", + "accessTier": "Hot" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('primaryAccountName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]" + ], + "sku": { + "name": "Standard_RAGRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": false + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('primaryAccountName'), '/default/', variables('blobContainerName'))]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('primaryAccountName'), 'default')]", + 
"[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]" + ], + "properties": { + "publicAccess": "None" } } ], "outputs": { - "KEYVAULT_NAME": { + "KEYVAULT_URI": { "type": "string", - "value": "[variables('keyVaultName')]" + "value": "[reference(variables('kvName')).vaultUri]" }, - "KEYVAULT_URI": { + "AZURE_MANAGEDHSM_URL": { "type": "string", - "value": "[reference(variables('keyVaultName')).vaultUri]" + "condition": "[parameters('enableHsm')]", + "value": "[reference(variables('hsmName')).hsmUri]" + }, + "KEYVAULT_SKU": { + "type": "string", + "value": "[reference(parameters('baseName')).sku.name]" }, "CLIENT_OBJECT_ID": { "type": "string", @@ -105,11 +234,15 @@ }, "BLOB_STORAGE_URI": { "type": "string", - "value": "7.2-preview-blob-storage-uri" + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))).primaryEndpoints.blob]" + }, + "BLOB_PRIMARY_STORAGE_ACCOUNT_KEY": { + "type": "string", + "value": "[listKeys(variables('primaryAccountName'), variables('mgmtApiVersion')).keys[0].value]" }, - "BLOB_STORAGE_SAS_TOKEN": { + "BLOB_CONTAINER_NAME": { "type": "string", - "value": "7.2-preview-blob-storage-sas-uri" + "value": "[variables('blobContainerName')]" } } }
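Review bot: The storage account that will hold Key Vault backups is created with the `networkAcls` variable whose `defaultAction` is `Allow` and without `minimumTlsVersion`, so it accepts traffic from any network and, as far as I can tell, over TLS 1.0/1.1; `supportsHttpsTrafficOnly: true` is set, but for a container receiving HSM backups `"minimumTlsVersion": "TLS1_2"` is worth adding, which I believe requires raising `mgmtApiVersion` from `2019-04-01` to at least `2019-06-01`. The `blobServices` resource carries a `sku` block; on that child type `sku` is, to my knowledge, read-only, so it is either ignored or rejected and can be dropped. The Managed HSM has `enablePurgeProtection: false`, which is reasonable for disposable test resources but deserves a one-line note in the template's README or surrounding description saying so.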
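Review bot: `BLOB_PRIMARY_STORAGE_ACCOUNT_KEY` returns `listKeys(...).keys[0].value` as a plain `string` output, which persists the storage account key in the deployment's stored outputs and hands it to anything with read access to the deployment history, in addition to whatever the pipeline does with outputs as environment variables. The test code in this diff reads `BLOB_STORAGE_SAS_TOKEN`, which this hunk removes as an output, so presumably something derives a SAS from this key outside the template; if so, generating a short-lived, container-scoped SAS in the post-deployment script and not emitting the key at all would be the safer shape. If the key must be exported, the account should be rotated or deleted on teardown, and the output's purpose should be documented where the consumer lives since ARM outputs cannot carry a `metadata` description.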