This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 69%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
I created a new Vault and added a few key permissions to users to be able to access the secrets in the vault.
However, I am unable to do it anymore. The Vault create button is disabled.
I do notice there's probably a KeyVault permission I am missing. If that's the case how to I ask for it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 69%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
might be the access policy changed or redefined.
check the admin who has more access right than yours.
sepcify if your environment has different subscriptions .
I found it odd that I created that vault, was able to create permissions for various users and now this capability was revoked.
I'll try reaching out to MSIT admin
@Miki Ben-Zeev
Thank you for your post!
Error Message:
"Microsoft.KeyVault/vaults/write" permission is required to add or edit access policies.
From your error message and post it looks like you're trying to create a new Key Vault Access Policy and are running into a permissions issue. I found a similar issue, and if you recently moved your Key Vault to a new Azure tenant, you'll have to update the Tenant ID.
Update tenant ID in a key vault:
Select-AzSubscription -SubscriptionId <your-subscriptionId> # Select your Azure Subscription
$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId # Get your key vault's Resource ID
$vault = Get-AzResource -ResourceId $vaultResourceId -ExpandProperties # Get the properties for your key vault
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId # Change the Tenant that your key vault resides in
$vault.Properties.AccessPolicies = @() # Access policies can be updated with real
# applications/users/rights so that it does not need to be # done after this whole activity. Here we are not setting
# any access policies.
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties # Modifies the key vault's properties.
Clear-AzContext #Clear the context from PowerShell
Connect-AzAccount #Log in again to confirm you have the correct tenant id
I hope this helps!
If you have any other questions, please let me know.
Hi,
This is a new Vault, and not a one that was moved from another Azure tenant.
In fact I was able to create a new Key Vault access policy for a couple of users until this capability was revoked.
Here is my access configuration, it's not RBAC. Maybe this has something to do with that?
@Miki Ben-Zeev
Thank you for following up on this!
To gain a better understanding of your issue:
You're able to create a new Key Vault and add Access Policies, but this capability eventually gets revoked.
If you'd like our support team to take a closer look into your issue, please let me know.
Thank you for your time and patience throughout this issue.
Hi James,
Here are my answers to your question
The access policy permission issue happened only once so I can't really tell if it's the amount of users I added (only 2 besides me) or the amount of time (about 1 day) after I created the key vault. I assume it's the amount of time since adding 2 users doesn't seem like the bar to revoke permissions...
I am not the owner of the subscription. The subscription is BIA_SF_Stage0_Test1
My permission was revoked only on the new key vault I created
I hope it helps
Thank you for following up on this!
Since you're running into this Access Policy permission issue after a certain amount of time (~1 day), I believe your permissions being revoked could be related to an Azure Policy being run on your subscription, especially if this is a work-related Subscription.
For example, within my internal subscription, I'm able to navigate to the Subscription, go to the Activity Log, filter by Resource Group, Event initiated by, and Resource, to see if any Subscription Management event was initiated.
Since you're internal, I'd also recommend working closer with our Key Vault Support Engineers, so they can take a closer look into your environment to confirm if this is related to an Azure Policy.
I hope this helps! If you have any other questions, please let me know.
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
I did some testing within my tenant, and you can also check your Activity Logs directly from your Key Vault to see what event/operation removed your user's permission.
Microsoft.KeyVault/vaults/write permission.I hope this helps! If you have any other questions, please let me know.
Hi James,
I looked at the activity log and I don't see any event that suggests I wasn't the one initiated it...