This article applies to BHCE and BHE

The Key Vault Contributor role grants full control of the target Key Vault. This includes the ability to read all secrets stored on the Key Vault.

Abuse Info

You can read secrets and alter access policies (grant yourself access to read secrets)

Via PowerZure:

Opsec Considerations

This will depend on which particular abuse you perform, but in general Azure will create a log event for each abuse.