Hi
Key Vault Administrator and other built-in RBAC roles operate at the Data Plane level for accessing and managing Key Vault data (certificates/keys/secrets).
For Management Plane access, you can either grant Owner/Contributor access to the Subscription/Management Group/Resource Group that the Key Vault sits in, or else you'd need to create a Custom Role to achieve this (this would be best practice).
A sample Custom Role can be created using the code below:
# Define the custom role JSON (replace {subscriptionId} with the target subscription ID)
$roleDefinition = '{
  "Name": "KeyVaultManagementRole",
  "IsCustom": true,
  "Description": "Allows management of Azure Key Vault Management plane",
  "Actions": [
    "Microsoft.KeyVault/vaults/*"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/{subscriptionId}"]
}'
# Write the JSON to a file and create the custom role from it:
# New-AzRoleDefinition -InputFile expects a JSON role definition file,
# whereas ConvertFrom-Json returns a PSCustomObject rather than a PSRoleDefinition
$roleFile = Join-Path $env:TEMP "KeyVaultManagementRole.json"
$roleDefinition | Set-Content -Path $roleFile
New-AzRoleDefinition -InputFile $roleFile
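The sample above grants the whole `Microsoft.KeyVault/vaults/*` wildcard. As an added example (not code from the original answer), the script below builds a narrower management-plane role: it keeps the wildcard but uses NotActions to carve out vault deletion, access-policy writes (which can hand out data-plane access on vaults still using the access-policy permission model) and ARM-level secret writes, then assigns the role at resource-group scope and verifies the result. It assumes the Az.Resources module, an active `Connect-AzAccount` session, and the placeholder subscription ID, resource group name, principal object ID and role name set at the top; the Key Vault operation names are the provider's documented ones, which `Get-AzProviderOperation` lists in step 1.

```powershell
# Added example, not code from the original answer. Assumes the Az.Resources module,
# an active Connect-AzAccount session, and the placeholder values below.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
$resourceGroup  = "rg-keyvault-prod"                        # placeholder resource group that holds the vaults
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder object ID of the user/group/service principal
$roleName       = "Key Vault Management Operator"           # custom role names must be unique in the tenant

# 1. List the management-plane operations the Key Vault resource provider exposes,
#    so the role is built from real operation names rather than guesswork.
Get-AzProviderOperation "Microsoft.KeyVault/vaults/*" |
    Select-Object Operation, Description |
    Format-Table -AutoSize -Wrap

# 2. Build the role by cloning a built-in definition and replacing its contents.
#    Actions grants the vaults/* wildcard (plus the read rights the portal needs);
#    NotActions then removes the operations a management-only operator should not have.
$role = Get-AzRoleDefinition -Name "Contributor"
$role.Id = $null
$role.IsCustom = $true
$role.Name = $roleName
$role.Description = "Create and configure Key Vaults; cannot delete vaults, edit access policies, or write secrets."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.KeyVault/vaults/*")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.NotActions.Clear()
$role.NotActions.Add("Microsoft.KeyVault/vaults/delete")                # no vault deletion
$role.NotActions.Add("Microsoft.KeyVault/vaults/accessPolicies/write")  # cannot grant data-plane access via access policies
$role.NotActions.Add("Microsoft.KeyVault/vaults/secrets/write")         # cannot set secret values through ARM
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# 3. Create the role definition only if it does not already exist.
$existing = Get-AzRoleDefinition -Name $roleName
if ($null -eq $existing) {
    $existing = New-AzRoleDefinition -Role $role
}

# 4. Assign the role at resource-group scope rather than across the whole subscription.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope

# 5. Verify: the assignment exists and the definition carries the intended carve-outs.
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope
(Get-AzRoleDefinition -Name $roleName).NotActions
```

NotActions only subtracts from what Actions already grants, so the carve-outs are only meaningful because the role starts from the `vaults/*` wildcard. Because this role carries no DataActions, a holder still cannot read keys, secrets or certificates; data-plane access is granted separately with the built-in roles mentioned above (or an access policy) at the vault scope.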
Hope this helps,
Thanks
Michael Durkan
- If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!