Opening the book…
A secret in YAML is in git history forever, in every fork, and in every screen-share. Key Vault gives rotation, access policy, and audit; the variable group is just the delivery mechanism.
One variable group per environment, linked to that environment's vault. Pipeline YAML references the group; nobody pastes values. Secret scanning on in the repo as a backstop.
Microsoft Learn — Link a variable group to Key Vault — The supported secret-delivery pattern