Verify that Private Endpoints are Used for Azure Key Vault

Framework Reference: A.8.20 Integration: Azure – Key Vault (RBAC Configuration)

Why this matters:
Using Azure Role-Based Access Control (RBAC) for Key Vaults provides centralized, fine-grained access control across all vaults and resources. Unlike vault-level access policies, RBAC integrates with Privileged Identity Management (PIM) and Just-In-Time (JIT) access, enabling time-bound, scoped permissions. This reduces standing privileges and improves governance for secrets, keys, and certificates.

What this check does:
This check verifies whether each Azure Key Vault is configured to use the Azure RBAC permission model instead of the legacy vault access policy model.

Logic and expected value:

enableRbacAuthorization must be set to true

Where this value is stored:
Azure Key Vault → Access Configuration → Permission Model

How this check is executed:

Azure Portal:

Go to Key vaults
Select a vault
Click Access configuration
Confirm that the Permission Model is set to Azure role-based access control

Azure CLI:

az keyvault show --resource-group <resource_group> --name <vault_name>

Expected output:

"properties": { "enableRbacAuthorization": true }

PowerShell:

Get-AzKeyVault -VaultName <vault_name> -ResourceGroupName <resource_group>

Ensure Enabled For RBAC Authorization is True.

How to fix it:

Azure Portal:

Go to Key vaults → select a vault
Click Access configuration
Set the Permission Model to Azure role-based access control
Acknowledge the warning message and click Save
Go to Access Control (IAM)
Under Role assignments, reassign appropriate roles to users or groups

Azure CLI:

az keyvault update \ --resource-group <resource_group> \ --name <vault_name> \ --enable-rbac-authorization true

PowerShell:

Update-AzKeyVault ` -ResourceGroupName <resource_group> ` -VaultName <vault_name> ` -EnableRbacAuthorization $True

Exceptions:
None specified.

Further resources:

Verify that Private Endpoints are Used for Azure Key Vault

Was this article helpful?