Being able to sign a macro with AzureSignTool does not mean you can sign using Azure Trusted Signing. AzureSignTool is designed for signing with code signing certificates that you store in Azure Key Vault (which could include certificates obtained from providers like DigiCert).

Azure Trusted Signing is a separate managed service that provides its own code signing certificates without needing to purchase or manage them from a third-party CA. However, it explicitly does not support signing VBA macros (e.g., in Office files like .xlsm or .dotm), as it only works with file types compatible with SignTool.exe and lacks integration with Office’s VBA signing interfaces. If you need to sign VBA macros, you’ll have to use the Key Vault approach with AzureSignTool and a certificate from a CA like DigiCert, or explore other alternatives like self-signed certs for testing

Azure Trusted Signing does not use Azure Key Vault. It’s a fully managed service where Microsoft handles the entire certificate lifecycle, including secure storage of private keys and certificates directly within the Trusted Signing infrastructure itself—users never receive or manage the certificates. This differs from the separate Azure Key Vault approach, where you store and manage your own code signing certificates (e.g., from a CA like DigiCert) and use tools like AzureSignTool for signing.