Verify that Private Endpoints are Used for Azure Key Vault

Framework Reference: A.8.20 Integration: Azure – Key Vault (RBAC Configuration)

Why this matters:
Using Azure Role-Based Access Control (RBAC) for Key Vaults provides centralized, fine-grained access control across all vaults and resources. Unlike vault-level access policies, RBAC integrates with Privileged Identity Management (PIM) and Just-In-Time (JIT) access, enabling time-bound, scoped permissions. This reduces standing privileges and improves governance for secrets, keys, and certificates.


What this check does:
This check verifies whether each Azure Key Vault is configured to use the Azure RBAC permission model instead of the legacy vault access policy model.

Logic and expected value:

enableRbacAuthorization must be set to true

Where this value is stored:
Azure Key Vault → Access Configuration → Permission Model

How this check is executed:

Azure Portal:

  • Go to Key vaults
  • Select a vault
  • Click Access configuration
  • Confirm that the Permission Model is set to Azure role-based access control

Azure CLI:

az keyvault show --resource-group <resource_group> --name <vault_name>

Expected output:

"properties": {
  "enableRbacAuthorization": true
}

PowerShell:

Get-AzKeyVault -VaultName <vault_name> -ResourceGroupName <resource_group>

Ensure Enabled For RBAC Authorization is True.


How to fix it:

Azure Portal:

  1. Go to Key vaults → select a vault
  2. Click Access configuration
  3. Set the Permission Model to Azure role-based access control
  4. Acknowledge the warning message and click Save
  5. Go to Access Control (IAM)
  6. Under Role assignments, reassign appropriate roles to users or groups

Azure CLI:

az keyvault update \
  --resource-group <resource_group> \
  --name <vault_name> \
  --enable-rbac-authorization true

PowerShell:

Update-AzKeyVault `
  -ResourceGroupName <resource_group> `
  -VaultName <vault_name> `
  -EnableRbacAuthorization $True
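The check and the fix above can be run across every vault at once rather than one vault at a time. The following is an added example, not part of this article or of Azure's own tooling: it reads vault objects in the JSON shape shown under "Expected output" (as returned by az keyvault show, or one object per vault from az keyvault list, which is an assumption about the list output), reports each vault still on the access policy model, and emits the az keyvault update command from this check for it. The three vault objects are constructed sample data; a missing enableRbacAuthorization property is treated as false, which is the Azure default when the property is unset.

```python
import json
from typing import Dict, List

# Constructed sample: three vault objects in the shape `az keyvault show` returns
# (only the fields this check reads are included; names and ids are made up).
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-payments-prod", "resourceGroup": "rg-payments",
   "properties": {"enableRbacAuthorization": true, "accessPolicies": []}},
  {"name": "kv-legacy-app", "resourceGroup": "rg-legacy",
   "properties": {"enableRbacAuthorization": false,
                  "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000000"}]}},
  {"name": "kv-old-tenant", "resourceGroup": "rg-old",
   "properties": {"accessPolicies": []}}
]
"""


def remediation_command(resource_group: str, vault_name: str) -> str:
    """The Azure CLI fix from this check, filled in for one vault."""
    return (f"az keyvault update --resource-group {resource_group} "
            f"--name {vault_name} --enable-rbac-authorization true")


def audit_rbac_model(vaults: List[Dict]) -> List[Dict]:
    """Return one finding per vault whose permission model is not Azure RBAC.

    A missing enableRbacAuthorization key means the vault was never switched
    and is still on the legacy access policy model (Azure's default is false).
    """
    findings = []
    for vault in vaults:
        props = vault.get("properties", {})
        rbac_enabled = props.get("enableRbacAuthorization", False)
        if rbac_enabled is True:
            continue  # compliant: RBAC model in use, access policies are ignored
        findings.append({
            "vault": vault["name"],
            "resourceGroup": vault["resourceGroup"],
            "enableRbacAuthorization": rbac_enabled,
            # Policies that still grant data-plane access until RBAC is enabled
            # and roles are reassigned under Access Control (IAM).
            "accessPolicyCount": len(props.get("accessPolicies", [])),
            "remediation": remediation_command(vault["resourceGroup"], vault["name"]),
        })
    return findings


def audit_sample() -> List[Dict]:
    """Run the audit over the constructed sample (stand-in for live az output)."""
    return audit_rbac_model(json.loads(SAMPLE_VAULTS_JSON))


if __name__ == "__main__":
    for finding in audit_sample():
        print(json.dumps(finding, indent=2))
```

On a live subscription, pipe `az keyvault list` (or per-vault `az keyvault show` output collected into a JSON array) into audit_rbac_model in place of the sample.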


Exceptions:
None specified.

