Verify that Private Endpoints are Used for Azure Key Vault
Why this matters:
Using Azure Role-Based Access Control (RBAC) for Key Vaults provides centralized, fine-grained access control across all vaults and resources. Unlike vault-level access policies, RBAC integrates with Privileged Identity Management (PIM) and Just-In-Time (JIT) access, enabling time-bound, scoped permissions. This reduces standing privileges and improves governance for secrets, keys, and certificates.
What this check does:
This check verifies whether each Azure Key Vault is configured to use the Azure RBAC permission model instead of the legacy vault access policy model.
Logic and expected value:
enableRbacAuthorization must be set to true
Where this value is stored:
Azure Key Vault → Access Configuration → Permission Model
How this check is executed:
Azure Portal:
- Go to Key vaults
- Select a vault
- Click Access configuration
- Confirm that the Permission Model is set to Azure role-based access control
Azure CLI:
az keyvault show --resource-group <resource_group> --name <vault_name>
Expected output:
"properties": {
  "enableRbacAuthorization": true
}
PowerShell:
Get-AzKeyVault -VaultName <vault_name> -ResourceGroupName <resource_group>
Ensure Enabled For RBAC Authorization is True.
How to fix it:
Azure Portal:
- Go to Key vaults → select a vault
- Click Access configuration
- Set the Permission Model to Azure role-based access control
- Acknowledge the warning message and click Save
- Go to Access Control (IAM)
- Under Role assignments, reassign appropriate roles to users or groups
Azure CLI:
az keyvault update \
--resource-group <resource_group> \
--name <vault_name> \
--enable-rbac-authorization true
PowerShell:
Update-AzKeyVault `
-ResourceGroupName <resource_group> `
-VaultName <vault_name> `
-EnableRbacAuthorization $True
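The check and the CLI fix above, applied across a whole subscription at once, as an added example that is not part of the original check text: the script evaluates the properties.enableRbacAuthorization value for every vault in a listing in the shape of `az keyvault list -o json` (the sample listing is constructed, not real output) and emits the `az keyvault update` remediation command per failing vault. It also counts the legacy access policies on each failing vault, since those are what must be re-created as role assignments before the permission model is switched.

```python
import json
from typing import Any

# Constructed sample in the shape of `az keyvault list -o json`; names and
# object IDs are made up. Older vaults may carry null or omit the property
# entirely, which the check treats the same as false.
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-prod-app", "resourceGroup": "rg-prod",
   "properties": {"enableRbacAuthorization": true}},
  {"name": "kv-legacy", "resourceGroup": "rg-legacy",
   "properties": {"enableRbacAuthorization": false,
                  "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000000"}]}},
  {"name": "kv-old", "resourceGroup": "rg-old",
   "properties": {"enableRbacAuthorization": null}}
]
"""

def uses_rbac(vault: dict[str, Any]) -> bool:
    """The check itself: enableRbacAuthorization must be exactly true.
    null, false and a missing key all mean the vault access policy model is
    still in effect, so they all fail."""
    return vault.get("properties", {}).get("enableRbacAuthorization") is True

def audit(vaults_json: str) -> list[dict[str, Any]]:
    """Return one finding per non-compliant vault, including the remediation
    command from the Azure CLI fix section and the number of legacy access
    policies that need equivalent role assignments before the switch."""
    findings = []
    for v in json.loads(vaults_json):
        if uses_rbac(v):
            continue
        props = v.get("properties", {})
        findings.append({
            "vault": v["name"],
            "resourceGroup": v["resourceGroup"],
            "permissionModel": "vault access policy",
            "accessPoliciesToMigrate": len(props.get("accessPolicies") or []),
            "fix": (f"az keyvault update --resource-group {v['resourceGroup']} "
                    f"--name {v['name']} --enable-rbac-authorization true"),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_VAULTS_JSON):
        print(f"FAIL {f['resourceGroup']}/{f['vault']} "
              f"({f['accessPoliciesToMigrate']} access policies to migrate): {f['fix']}")
```

To run it against a real subscription, replace SAMPLE_VAULTS_JSON with the output of `az keyvault list -o json`.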
Exceptions:
None specified.
Further resources:
- https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps
- https://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current
- https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository