![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 43%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELR%3C/text%3E%3C/svg%3E)
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,194 questions
@Linda Renate Andersen
Thank you for your questions!
Management plane - RBAC
Should it be dedicated RBAC for the typical operations in this interface?
Based off our best practices documentation, it's recommended to:
- Lock down access to your subscription, resource group and Key Vaults (RBAC)
- Create Access policies for every vault
- Use least privilege access principal to grant access
- Turn on Firewall and VNET Service Endpoints
You can create custom RBAC roles or use the predefined Key Vault roles to accomplish this. One of the key benefits of using Azure RBAC permission over vault access policies are centralized access control management and its integration with Privileged Identity Management (PIM).
For more information: Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control (preview)
Data plane - Key Vault access policies
Should it be dedicated service principal per key vault?
When it comes to a dedicated service principal per vault, are you referring to having only one user, group, or application per vault?
Additional Links:
Data Plane Access Option 1: Classic Key Vault Access Policies
Secure access to a key vault
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.