Enable Role Based Access Control for Azure Key Vault

Framework Reference: A.5.15
Integration: Azure – Key Vault (RBAC Configuration)

Why this matters:
Using Azure Role-Based Access Control (RBAC) for Key Vaults provides centralized, fine-grained access control across all vaults and resources. Unlike vault-level access policies, RBAC integrates with Privileged Identity Management (PIM) and Just-In-Time (JIT) access, improving control over sensitive key, secret, and certificate operations and reducing standing privileges.


What this check does:
This check verifies whether each Azure Key Vault is using the Azure RBAC permission model, rather than the legacy Vault access policy model.

Check Logic:

Key Vault property enableRbacAuthorization must be set to true

Where this is configured:
Azure Key Vault → Access Configuration → Permission Model

How this check is executed:

Azure Portal:

  • Go to "Key vaults"
  • Select each vault
  • Click "Access configuration"
  • Confirm that the Permission Model is set to Azure role-based access control

Azure CLI:

az keyvault show --resource-group <resource_group> --name <vault_name>

Confirm output contains:

"properties": {
  "enableRbacAuthorization": true
}

PowerShell:

Get-AzKeyVault -VaultName <vault_name> -ResourceGroupName <resource_group>

Ensure the Enabled For RBAC Authorization setting is True.
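
The check logic applied to saved az keyvault show output for several vaults, as an added example that is not part of the original article. The vault names, resource groups and object IDs are constructed, and treating a null or missing enableRbacAuthorization as a failure is an assumption that follows from the rule that the property must be true.

```python
import json

# Constructed sample: `az keyvault show` output for three vaults, trimmed to
# the fields this check reads. Names and object IDs are placeholders.
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-rbac", "resourceGroup": "rg-app",
   "properties": {"enableRbacAuthorization": true, "accessPolicies": []}},
  {"name": "kv-policy", "resourceGroup": "rg-app",
   "properties": {"enableRbacAuthorization": false, "accessPolicies": [
     {"objectId": "00000000-0000-0000-0000-000000000001",
      "permissions": {"secrets": ["get", "list"], "keys": []}},
     {"objectId": "00000000-0000-0000-0000-000000000002",
      "permissions": {"secrets": ["get"], "keys": ["sign"]}}]}},
  {"name": "kv-old", "resourceGroup": "rg-legacy",
   "properties": {"enableRbacAuthorization": null, "accessPolicies": [
     {"objectId": "00000000-0000-0000-0000-000000000003",
      "permissions": {"secrets": ["get"], "keys": []}}]}}
]
""")


def audit_vault(vault):
    """Evaluate one vault against the check logic: the flag must be JSON true."""
    props = vault.get("properties") or {}
    observed = props.get("enableRbacAuthorization")
    # Assumption: null, a missing key, false, or a non-boolean such as "true"
    # all fail; only an explicit boolean true counts as the RBAC model.
    passed = observed is True
    # Principals that hold access-policy grants today; each one needs a
    # matching role assignment once the vault is switched to RBAC.
    principals = sorted({p.get("objectId") for p in props.get("accessPolicies") or []
                         if p.get("objectId")})
    return {"vault": vault.get("name"), "resourceGroup": vault.get("resourceGroup"),
            "status": "PASS" if passed else "FAIL", "observed": observed,
            "principalsToReassign": [] if passed else principals}


def audit(vaults):
    """Return one finding per vault, failures first."""
    findings = [audit_vault(v) for v in vaults]
    return sorted(findings, key=lambda f: (f["status"] != "FAIL", f["vault"] or ""))

if __name__ == "__main__":
    for f in audit(SAMPLE_VAULTS):
        print(f"{f['status']}  {f['resourceGroup']}/{f['vault']}  "
              f"enableRbacAuthorization={f['observed']!r}  "
              f"principals={len(f['principalsToReassign'])}")
```

The principalsToReassign list on a failing vault is the set of object IDs to cover with role assignments before the permission model is changed.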


How to fix it:

Azure Portal:

  1. Go to "Key vaults" → select a vault
  2. Click "Access configuration"
  3. Set the Permission Model to "Azure role-based access control"
  4. Acknowledge the warning message and click "Save"
  5. Navigate to "Access Control (IAM)"
  6. Under the "Role assignments" tab, reassign appropriate roles to users or groups

Azure CLI:

az keyvault update \
  --resource-group <resource_group> \
  --name <vault_name> \
  --enable-rbac-authorization true

PowerShell:

Update-AzKeyVault `
  -ResourceGroupName <resource_group> `
  -VaultName <vault_name> `
  -EnableRbacAuthorization $True


Exceptions:
None specified.

