Enable Role Based Access Control for Azure Key Vault
Why this matters:
Using Azure Role-Based Access Control (RBAC) for Key Vaults provides centralized, fine-grained access control across all vaults and resources. Unlike vault-level access policies, RBAC integrates with Privileged Identity Management (PIM) and Just-In-Time (JIT) access, improving control over sensitive key, secret, and certificate operations and reducing standing privileges.
What this check does:
This check verifies whether each Azure Key Vault is using the Azure RBAC permission model, rather than the legacy Vault access policy model.
Check Logic:
The Key Vault property enableRbacAuthorization must be set to true.
Where this is configured:
Azure Key Vault → Access Configuration → Permission Model
How this check is executed:
Azure Portal:
- Go to "Key vaults"
- Select each vault
- Click "Access configuration"
- Confirm that the Permission Model is set to Azure role-based access control
Azure CLI:
az keyvault show --resource-group <resource_group> --name <vault_name>
Confirm output contains:
"properties": {
  "enableRbacAuthorization": true
}
PowerShell:
Get-AzKeyVault -VaultName <vault_name> -ResourceGroupName <resource_group>
Ensure the Enabled For RBAC Authorization setting is True.
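An added example (not part of this check's original text) that automates the CLI verification above: it evaluates the JSON returned by "az keyvault show" and flags vaults whose enableRbacAuthorization is false, null or absent, since anything other than an explicit true still means the legacy access-policy model. The vault names and JSON objects below are constructed sample data; the fetch_vault helper is an assumed wrapper around the az command from this page.

```python
"""Flag Azure Key Vaults that are not using the Azure RBAC permission model."""
from __future__ import annotations

import json
import subprocess
from typing import Any


def is_rbac_enabled(vault: dict[str, Any]) -> bool:
    """Compliant only when properties.enableRbacAuthorization is exactly true.

    A missing or null property is treated as non-compliant: such vaults still
    authorize data-plane access through vault access policies.
    """
    props = vault.get("properties") or {}
    return props.get("enableRbacAuthorization") is True


def find_noncompliant(vaults: list[dict[str, Any]]) -> list[str]:
    """Return the names of vaults that fail the check, in input order."""
    return [v.get("name", "<unnamed>") for v in vaults if not is_rbac_enabled(v)]


def fetch_vault(resource_group: str, vault_name: str) -> dict[str, Any]:
    """Assumed helper: run the 'az keyvault show' command from the check and parse it."""
    result = subprocess.run(
        ["az", "keyvault", "show", "--resource-group", resource_group,
         "--name", vault_name, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


# Constructed sample data shaped like 'az keyvault show' output (not real vaults).
SAMPLE_VAULTS: list[dict[str, Any]] = [
    {"name": "kv-rbac", "properties": {"enableRbacAuthorization": True}},
    {"name": "kv-policy", "properties": {"enableRbacAuthorization": False,
                                         "accessPolicies": [{"objectId": "placeholder-object-id"}]}},
    {"name": "kv-unset", "properties": {"enableRbacAuthorization": None}},
    {"name": "kv-legacy", "properties": {}},  # property never set: access-policy model
]

if __name__ == "__main__":
    # Replace SAMPLE_VAULTS with [fetch_vault(rg, name) for ...] to audit real vaults.
    for name in find_noncompliant(SAMPLE_VAULTS):
        print(f"NON-COMPLIANT: {name} is not using Azure role-based access control")
```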
How to fix it:
Azure Portal:
- Go to "Key vaults" → select a vault
- Click "Access configuration"
- Set the Permission Model to "Azure role-based access control"
- Acknowledge the warning message and click "Save"
- Navigate to "Access Control (IAM)"
- Under the "Role assignments" tab, reassign appropriate roles to users or groups
Azure CLI:
az keyvault update \
--resource-group <resource_group> \
--name <vault_name> \
--enable-rbac-authorization true
PowerShell:
Update-AzKeyVault `
-ResourceGroupName <resource_group> `
-VaultName <vault_name> `
-EnableRbacAuthorization $True
Exceptions:
None specified.
Further resources:
- https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps
- https://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current
- https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository