Azure KeyVault - Restrict contributor on Resource group from changing access policy

Arif 6 Reputation points
2020-10-27T17:44:11.25+00:00

Generally a contributor can't assign an elevated role to itself. But in Azure Key Vault, even though there is no direct role assignment on the Key Vault, a Contributor is able to change the security of the Key Vault from RBAC to access policy and assign himself all the roles on the Key Vault, even though he might not have those roles assigned via RBAC. This seems like a problem with the security management of Key Vault, if I understand that correctly. Is there a way to restrict a contributor from changing the access policy of a specific Key Vault?

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

1 answer

  1. JamesTran-MSFT 36,796 Reputation points Microsoft Employee
    2020-10-27T22:07:43.297+00:00

    @Arif
    Thank you for your question!

    You can use Azure deny assignments to block users from performing specific Azure resource actions even if a role assignment grants them access. For Azure Key Vault, as of right now, the only way you can add your own deny assignments is by using Azure Blueprints.


    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.
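An added example (not part of the question or the answer above) that checks for the condition Arif describes: it reads the JSON that `az keyvault show` returns for each vault and flags vaults still on the access-policy model, where a Contributor can edit the policy, and any policy entry holding broad rights. The input shape is assumed to mirror the `properties.enableRbacAuthorization` and `properties.accessPolicies` fields; the sample data is constructed, not from a real tenant.

```python
"""Flag Key Vaults whose permission model lets a Contributor grant itself data-plane rights."""
import json

# Constructed sample mirroring `az keyvault show` output for two vaults (assumed shape).
SAMPLE = json.dumps([
    {"name": "kv-prod",
     "properties": {"enableRbacAuthorization": True, "accessPolicies": []}},
    {"name": "kv-legacy",
     "properties": {"enableRbacAuthorization": False,
                    "accessPolicies": [
                        {"objectId": "11111111-aaaa-4bbb-8ccc-000000000001",  # placeholder id
                         "permissions": {"keys": ["all"], "secrets": ["all"],
                                         "certificates": ["all"]}}]}},
])

# Permission verbs that amount to full control of a scope (keys/secrets/certificates).
BROAD = {"all", "purge", "set", "delete", "import", "create", "update", "restore", "backup"}


def assess_vault(vault: dict) -> dict:
    """Return findings for one vault; an empty findings list means nothing to review."""
    props = vault.get("properties", {})
    # A vault without enableRbacAuthorization=true uses the legacy access-policy model.
    rbac = bool(props.get("enableRbacAuthorization", False))
    policies = props.get("accessPolicies") or []
    findings = []
    if not rbac:
        findings.append("permission model is access policy; a Contributor on the vault "
                        "or its resource group can rewrite it")
    for policy in policies:
        granted = {scope: perms for scope, perms in policy.get("permissions", {}).items() if perms}
        broad_scopes = [scope for scope, perms in granted.items()
                        if BROAD & {p.lower() for p in perms}]
        if broad_scopes:
            findings.append(f"objectId {policy.get('objectId')} holds broad rights on "
                            f"{', '.join(broad_scopes)}")
    return {"name": vault.get("name"), "rbac": rbac,
            "policy_count": len(policies), "findings": findings}


def assess_all(raw_json: str) -> list[dict]:
    """Assess every vault in a JSON array such as `az keyvault list --query` output."""
    return [assess_vault(v) for v in json.loads(raw_json)]


if __name__ == "__main__":
    for r in assess_all(SAMPLE):
        status = "OK" if not r["findings"] else "REVIEW"
        print(f"{status:6} {r['name']}: rbac={r['rbac']} policies={r['policy_count']}")
        for f in r["findings"]:
            print("       -", f)
```

Running it against real output (`az keyvault show -n <vault> -o json`, wrapped in a list) gives the same report; the "REVIEW" vaults are the ones where the self-grant the question describes is possible.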
