Enable Role Based Access Control for Azure Key Vault
Last updated: April 9, 2026
Framework Reference: A.5.15 Integration: Azure – Key Vault (RBAC Configuration)
Why this matters:
Using Azure Role-Based Access Control (RBAC) for Key Vaults provides centralized, fine-grained access control across all vaults and resources. Unlike vault-level access policies, RBAC integrates with Privileged Identity Management (PIM) and Just-In-Time (JIT) access, improving control over sensitive key, secret, and certificate operations and reducing standing privileges.
What this check does:
This check verifies whether each Azure Key Vault is using the Azure RBAC permission model, rather than the legacy Vault access policy model.
Check Logic:
Key Vault property enableRbacAuthorization must be set to true
Where this is configured:
Azure Key Vault → Access Configuration → Permission Model
How this check is executed:
Azure Portal:
Go to "Key vaults"
Select each vault
Click "Access configuration"
Confirm that the Permission Model is set to Azure role-based access control
Azure CLI:
az keyvault show --resource-group <resource_group> --name <vault_name>
Confirm output contains:
"properties": { "enableRbacAuthorization": true }
PowerShell:
Get-AzKeyVault -VaultName <vault_name> -ResourceGroupName <resource_group>
Ensure the Enabled For RBAC Authorization setting is True.
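The following is an added example, not part of this check's documentation: it applies the Check Logic above to the JSON that `az keyvault show` prints for each vault and lists the vaults that are still on the legacy access-policy model. The vault names and the sample objects are constructed, and a vault whose output lacks the property entirely is treated as non-compliant.

```python
"""Audit Azure Key Vaults for the Azure RBAC permission model.

Feed it one JSON file per vault, captured with the command from the check:
    az keyvault show --resource-group <resource_group> --name <vault_name> > kv.json
With no arguments it runs against the constructed sample data below.
"""
import json
import sys
from typing import Any, Iterable


def is_rbac_enabled(vault: dict[str, Any]) -> bool:
    """True only when properties.enableRbacAuthorization is the JSON boolean true.

    Older vaults may omit the property; that means the legacy access-policy
    model is in force, so the check fails. A string "true" also fails.
    """
    props = vault.get("properties") or {}
    return props.get("enableRbacAuthorization") is True


def audit(vaults: Iterable[dict[str, Any]]) -> list[str]:
    """Return the names of vaults that fail the enableRbacAuthorization check."""
    return [v.get("name", "<unnamed>") for v in vaults if not is_rbac_enabled(v)]


# Constructed sample objects shaped like `az keyvault show` output (not real vaults).
SAMPLE_VAULTS = [
    {"name": "kv-payments-prod",
     "properties": {"enableRbacAuthorization": True, "accessPolicies": []}},
    {"name": "kv-legacy-app",
     "properties": {"enableRbacAuthorization": False,
                    "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000000"}]}},
    {"name": "kv-old-2018",
     "properties": {"accessPolicies": []}},  # property absent: legacy model
]


def load_vault(path: str) -> dict[str, Any]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(paths: list[str]) -> int:
    vaults = [load_vault(p) for p in paths] if paths else SAMPLE_VAULTS
    failing = audit(vaults)
    for name in failing:
        print(f"NON-COMPLIANT: {name} is not using Azure role-based access control")
    return 1 if failing else 0  # non-zero exit makes it usable in a pipeline gate


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```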
How to fix it:
Azure Portal:
Go to "Key vaults" → select a vault
Click "Access configuration"
Set the Permission Model to "Azure role-based access control"
Acknowledge the warning message and click "Save"
Navigate to "Access Control (IAM)"
Under the "Role assignments" tab, reassign appropriate roles to users or groups
Azure CLI:
az keyvault update \
  --resource-group <resource_group> \
  --name <vault_name> \
  --enable-rbac-authorization true
PowerShell:
Update-AzKeyVault -ResourceGroupName <resource_group> -VaultName <vault_name> `
  -EnableRbacAuthorization $True
Exceptions:
None specified.
Further resources: