diff --git a/builder/azure/arm/config.go b/builder/azure/arm/config.go
index 798ba4833..ba7a26f5d 100644
--- a/builder/azure/arm/config.go
+++ b/builder/azure/arm/config.go
@@ -40,6 +40,7 @@ const ( DefaultUserName = "packer" DefaultPrivateVirtualNetworkWithPublicIp = false DefaultVMSize = "Standard_A1" + DefaultKeyVaultSKU = "standard" ) const (
@@ -256,7 +257,10 @@ type Config struct { BuildResourceGroupName string `mapstructure:"build_resource_group_name"` // Specify an existing key vault to use for uploading certificates to the // instance to connect. - BuildKeyVaultName string `mapstructure:"build_key_vault_name"` + BuildKeyVaultName string `mapstructure:"build_key_vault_name"` + // Specify the KeyVault SKU to create during the build. Valid values are + // standard or premium. The default value is standard. + BuildKeyVaultSKU string `mapstructure:"build_key_vault_sku"` storageAccountBlobEndpoint string // This value allows you to // set a virtual_network_name and obtain a public IP. If this value is not
@@ -684,6 +688,10 @@ func provideDefaultValues(c *Config) { c.ImageVersion = DefaultImageVersion } + if c.BuildKeyVaultSKU == "" { + c.BuildKeyVaultSKU = DefaultKeyVaultSKU + } + c.ClientConfig.SetDefaultValues() }
diff --git a/builder/azure/arm/config.hcl2spec.go b/builder/azure/arm/config.hcl2spec.go
index 0d116c42c..4d28b0cfa 100644
--- a/builder/azure/arm/config.hcl2spec.go
+++ b/builder/azure/arm/config.hcl2spec.go
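Review bot: `build_key_vault_sku` is only given a default in `provideDefaultValues` (builder/azure/arm/config.go, third hunk); nothing visible in this diff checks that a user-supplied value is one of the two documented SKUs. Any other string is passed by `GetKeyVaultDeployment` (template_factory.go) straight into the template's `sku.name` expression, so a typo would presumably surface only as an ARM deployment error once the build is already running. Rejecting it in the config validation step, which is outside these hunks, fails earlier and names the offending option, e.g. `if c.BuildKeyVaultSKU != "standard" && c.BuildKeyVaultSKU != "premium" { /* append a config error for build_key_vault_sku */ }`. The body of provideDefaultValues starts outside the hunk.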
@@ -54,6 +54,7 @@ type FlatConfig struct { TempResourceGroupName *string `mapstructure:"temp_resource_group_name" cty:"temp_resource_group_name"` BuildResourceGroupName *string `mapstructure:"build_resource_group_name" cty:"build_resource_group_name"` BuildKeyVaultName *string `mapstructure:"build_key_vault_name" cty:"build_key_vault_name"` + BuildKeyVaultSKU *string `mapstructure:"build_key_vault_sku" cty:"build_key_vault_sku"` PrivateVirtualNetworkWithPublicIp *bool `mapstructure:"private_virtual_network_with_public_ip" required:"false" cty:"private_virtual_network_with_public_ip"` VirtualNetworkName *string `mapstructure:"virtual_network_name" required:"false" cty:"virtual_network_name"` VirtualNetworkSubnetName *string `mapstructure:"virtual_network_subnet_name" required:"false" cty:"virtual_network_subnet_name"`
@@ -166,6 +167,7 @@ func (*FlatConfig) HCL2Spec() map[string]hcldec.Spec { "temp_resource_group_name": &hcldec.AttrSpec{Name: "temp_resource_group_name", Type: cty.String, Required: false}, "build_resource_group_name": &hcldec.AttrSpec{Name: "build_resource_group_name", Type: cty.String, Required: false}, "build_key_vault_name": &hcldec.AttrSpec{Name: "build_key_vault_name", Type: cty.String, Required: false}, + "build_key_vault_sku": &hcldec.AttrSpec{Name: "build_key_vault_sku", Type: cty.String, Required: false}, "private_virtual_network_with_public_ip": &hcldec.AttrSpec{Name: "private_virtual_network_with_public_ip", Type: cty.Bool, Required: false}, "virtual_network_name": &hcldec.AttrSpec{Name: "virtual_network_name", Type: cty.String, Required: false}, "virtual_network_subnet_name": &hcldec.AttrSpec{Name: "virtual_network_subnet_name", Type: cty.String, Required: false},
diff --git a/builder/azure/arm/template_factory.go b/builder/azure/arm/template_factory.go
index 80dd296a5..0d5bc47f3 100644
--- a/builder/azure/arm/template_factory.go
+++ b/builder/azure/arm/template_factory.go
@@ -17,6 +17,7 @@ type templateFactoryFunc func(*Config) (*resources.Deployment, error) func GetKeyVaultDeployment(config *Config) (*resources.Deployment, error) { params := &template.TemplateParameters{ KeyVaultName: &template.TemplateParameter{Value: config.tmpKeyVaultName}, + KeyVaultSKU: &template.TemplateParameter{Value: config.BuildKeyVaultSKU}, KeyVaultSecretValue: &template.TemplateParameter{Value: config.winrmCertificate}, ObjectId: &template.TemplateParameter{Value: config.ClientConfig.ObjectID}, TenantId: &template.TemplateParameter{Value: config.ClientConfig.TenantID},
diff --git a/builder/azure/arm/template_factory_test.TestKeyVaultDeployment03.approved.json b/builder/azure/arm/template_factory_test.TestKeyVaultDeployment03.approved.json
index 3ba2f7ce5..44c9e68e4 100644
--- a/builder/azure/arm/template_factory_test.TestKeyVaultDeployment03.approved.json
+++ b/builder/azure/arm/template_factory_test.TestKeyVaultDeployment03.approved.json
@@ -5,6 +5,9 @@ "keyVaultName": { "type": "string" }, + "keyVaultSKU": { + "type": "string" + }, "keyVaultSecretValue": { "type": "securestring" },
@@ -39,7 +42,7 @@ "enabledForTemplateDeployment": "true", "sku": { "family": "A", - "name": "standard" + "name": "[parameters('keyVaultSKU')]" }, "tenantId": "[parameters('tenantId')]" },
diff --git a/builder/azure/common/template/template_builder.go b/builder/azure/common/template/template_builder.go
index 9f74c20b0..6d276c010 100644
--- a/builder/azure/common/template/template_builder.go
+++ b/builder/azure/common/template/template_builder.go
@@ -482,6 +482,9 @@ const KeyVault = `{ "keyVaultName": { "type": "string" }, + "keyVaultSKU": { + "type": "string" + }, "keyVaultSecretValue": { "type": "securestring" },
@@ -518,7 +521,7 @@ const KeyVault = `{ } ], "sku": { - "name": "standard", + "name": "[parameters('keyVaultSKU')]", "family": "A" } },
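Review bot: The `keyVaultSKU` parameter added to the `KeyVault` template (template_builder.go, first hunk) is declared with a type only, so the template itself no longer pins or constrains the SKU that the second hunk substitutes into `sku.name`. Declaring it as `"keyVaultSKU": { "type": "string", "defaultValue": "standard", "allowedValues": ["standard", "premium"] }` would keep the previous behaviour for any caller that omits the parameter and would let template validation reject other values. The approved fixture for TestKeyVaultDeployment03 would have to be regenerated to match. The KeyVault constant begins and ends outside both hunks.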
diff --git a/builder/azure/common/template/template_parameters.go b/builder/azure/common/template/template_parameters.go
index 74b0562a7..6900deb82 100644
--- a/builder/azure/common/template/template_parameters.go
+++ b/builder/azure/common/template/template_parameters.go
@@ -22,6 +22,7 @@ type TemplateParameters struct { AdminPassword *TemplateParameter `json:"adminPassword,omitempty"` DnsNameForPublicIP *TemplateParameter `json:"dnsNameForPublicIP,omitempty"` KeyVaultName *TemplateParameter `json:"keyVaultName,omitempty"` + KeyVaultSKU *TemplateParameter `json:"keyVaultSKU,omitempty"` KeyVaultSecretValue *TemplateParameter `json:"keyVaultSecretValue,omitempty"` ObjectId *TemplateParameter `json:"objectId,omitempty"` NicName *TemplateParameter `json:"nicName,omitempty"`
diff --git a/website/source/partials/builder/azure/arm/_Config-not-required.html.md b/website/source/partials/builder/azure/arm/_Config-not-required.html.md
index 8e06b236c..b6f549fc6 100644
--- a/website/source/partials/builder/azure/arm/_Config-not-required.html.md
+++ b/website/source/partials/builder/azure/arm/_Config-not-required.html.md
@@ -118,6 +118,9 @@ - `build_key_vault_name` (string) - Specify an existing key vault to use for uploading certificates to the instance to connect. +- `build_key_vault_sku` (string) - Specify the KeyVault SKU to create during the build. Valid values are + standard or premium. The default value is standard. + - `private_virtual_network_with_public_ip` (bool) - This value allows you to set a virtual_network_name and obtain a public IP. If this value is not set and virtual_network_name is defined Packer is only allowed to be