Assign a Key Vault access policy (legacy)

A Key Vault access policy determines whether a given security principal, namely a user, application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal, the Azure CLI, or Azure PowerShell.

Key vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see Manage app and resource access using Microsoft Entra groups

Assign an access policy

  1. In the Azure portal, navigate to the Key Vault resource.

  2. Select Access policies, then select Create:

    Select Access policies, selecting Add role assignment

  3. Select the permissions you want under Key permissions, Secret permissions, and Certificate permissions.

    Specifying access policy permissions

  4. Under the Principal selection pane, enter the name of the user, app or service principal in the search field and select the appropriate result.

    Selecting the security principal for the access policy

    If you're using a managed identity for the app, search for and select the name of the app itself. (For more information on security principals, see Key Vault authentication.

  5. Review the access policy changes and select Create to save the access policy.

    Adding the access policy with the security principal assigned

  6. Back on the Access policies page, verify that your access policy is listed.

    Saving the access policy changes

Next steps