3
votes

Does the Key Vault offer any benefit (security or otherwise) now that an app service can use Managed Identity to authenticate with other Azure resources? (E.g. Azure Storage and SQL.)

Is there any reason to use Managed Identity to access Key Vault and get a key for Storage, for example, now that an app service can directly use Managed Identity to talk to Storage?


2 Answers

2
votes

You should always use Managed Service Identity where available; however, they are not ubiquitous across all of Azure. The list of supported services is maintained here. Keep in mind that the calling service needs to support authenticating with its Managed Service Identity and the called service needs to be able to authenticate and authorise using Azure Active Directory.

When you have a service that does not directly support AD authentication (e.g. CosmosDB), then you still need to store and manage keys and KeyVault is still the right place to do this. This also applies to some 3rd party services like Salesforce, AWS, GCP, etc where "federation" may not be in place. You may also have additional sensitive config that you do not want to store in plain text.

Keep in mind that function appsettings can now directly reference KeyVault, saving the overhead of writing code and config to manage this yourself. See this link.
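The two paths described in this answer, side by side, as an added example (it is not code from the question or the answers, and the names are placeholders): a web app with a system-assigned identity that talks to Storage directly via RBAC, and a Key Vault reference in its app settings for a service whose key still has to be stored (a Cosmos DB key here, assumed to already exist in the vault as the secret `cosmos-key`). The App Service plan, storage account and Key Vault are assumed to exist in the same resource group.

```bicep
// Added example, not from the question or answers above. Assumes an existing
// App Service plan, storage account and Key Vault in the same resource group;
// all names are placeholders supplied as parameters. The secret 'cosmos-key'
// is assumed to already exist in the vault.
param location string = resourceGroup().location
param appName string
param planName string
param storageName string
param vaultName string

// Role definition ID of the built-in "Storage Blob Data Contributor" role.
var blobDataContributor = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

resource plan 'Microsoft.Web/serverfarms@2022-09-01' existing = {
  name: planName
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageName
}

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: vaultName
}

// The web app gets a system-assigned identity; no credential is stored anywhere.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      appSettings: [
        // Path 1: a service that speaks Azure AD. The app only needs the
        // endpoint; authentication is the managed identity plus the RBAC
        // role assigned below. Nothing secret is in this setting.
        {
          name: 'BLOB_SERVICE_URI'
          value: storage.properties.primaryEndpoints.blob
        }
        // Path 2: a service whose key still has to be stored. The secret
        // lives in Key Vault and the app setting is a Key Vault reference
        // that App Service resolves with the same managed identity, so the
        // key never sits in plain text in configuration or source control.
        {
          name: 'COSMOS_KEY'
          value: '@Microsoft.KeyVault(SecretUri=${kv.properties.vaultUri}secrets/cosmos-key/)'
        }
      ]
    }
  }
}

// Authorisation for path 1: data-plane RBAC on the storage account, scoped
// to that one account rather than the resource group or subscription.
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, app.id, blobDataContributor)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobDataContributor)
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// Authorisation for path 2: the identity may only read secrets (least
// privilege); it cannot list, set or delete them.
resource kvPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
  parent: kv
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: app.identity.tenantId
        objectId: app.identity.principalId
        permissions: {
          secrets: [ 'get' ]
        }
      }
    ]
  }
}
```

Two caveats a practitioner will hit. The access policy above is the vault's legacy permission model; if the vault uses Azure RBAC instead, replace the `accessPolicies` resource with a role assignment of "Key Vault Secrets User" scoped to the vault. And a Key Vault reference that fails to resolve (wrong URI, missing permission, vault firewall blocking App Service) is handed to the app verbatim as the literal `@Microsoft.KeyVault(...)` string, so the app should fail fast if a setting still starts with that prefix rather than silently sending it to the downstream service.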

0
votes

I would also say that usage of managed identity should be preferred whenever possible. The major benefit I see is getting rid of credentials you have to manage. You outsource the authentication challenge to Microsoft here, and I would say it works very well.

One less credential you need to protect, refresh, revoke etc.

I also believe that this goes well with the spirit of Infrastructure as Code, where you concern yourself with authorisation and leave secure authentication to the provider.