
How to create Key Vault secret when user id is administrator in Microsoft Entra?

Dean Finnestad 0 Reputation points
2026-03-31T16:01:14.5033333+00:00

I am trying to learn to use Azure Key Vault for a webpage.

I created a subscription in Azure under my username and a Resource group to hold the Key Vault. The user id has a role of administrator in Microsoft Entra.

Access control (IAM) in the Azure Resource group has a warning that "1 user has elevated access in your tenant. You should remove all role assignments with elevated access".

When I view role assignments it displays my Id with a Role of "User Access Administrator". It gives me the option to delete the role.

Can this role be deleted without screwing up my ability to administrate the users in Microsoft Entra?

Is there a better way to start this process than the steps described?

Azure Key Vault

An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.


3 answers

  1. Raja Pothuraju 47,080 Reputation points Microsoft External Staff Moderator
    2026-04-07T04:56:55.3133333+00:00

    Hey Dean, it looks like you’ve run into Azure RBAC complaining about your elevated permissions (the “User Access Administrator” role) even though you’re a Microsoft Entra admin. Here’s the quick rundown:

    1. Microsoft Entra “Administrator” roles control identities (users, groups, etc.) in Entra ID, but they don’t grant you access to Azure resources like Key Vault.
    2. The warning you see in IAM is simply Azure telling you “you’ve got a role that can grant or remove permissions on resources”—that’s exactly what User Access Administrator does.
    3. You can safely remove that RBAC assignment only if you already have the Owner role on the subscription or resource group. If you don’t, keep it until you assign yourself (or another principal) equivalent rights, otherwise you’ll lose the ability to delegate access.

    To create and manage Key Vault secrets, you need permissions on the Key Vault itself:

    • If your vault is using the RBAC permission model (recommended)

    1. Go to your Key Vault in the Azure portal
    2. Open Access control (IAM)
    3. Click + Add → Add role assignment
    4. Assign yourself Key Vault Secrets Officer (can only manage secrets) or Key Vault Administrator (full vault rights)

    • If your vault is using the Access policies (legacy) model

    1. Go to your Key Vault in the portal
    2. Select Access policies
    3. Click + Add Access Policy, pick the secret permissions you need (e.g., Get, Set), then select your user or service principal and save

    Once you have those permissions, creating a secret is straightforward:

    1. In the portal, navigate to your Key Vault → Secrets
    2. Click + Generate/Import
    3. Give it a name and value, then hit Create

    That’ll get you up and running without breaking your Microsoft Entra admin setup. Let me know if you have any other questions!


    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.


  2. TP 155.2K Reputation points Volunteer Moderator
    2026-03-31T16:06:53.7433333+00:00

    Hi Dean,

    In order to create secrets in Azure Key Vault, you need to assign yourself a minimum of the Key Vault Secrets Officer role. Please add that role to your user, sign out/sign back in, and then retry creating the secret.

    The warning about a user having elevated access in your tenant is a separate issue regarding general security best practices, and is unrelated to your Key Vault.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


  3. Q&A Assist
    2026-03-31T16:01:30.8366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The User Access Administrator role assignment in the resource group is independent of the ability to administer users in Microsoft Entra ID. Removing that role from the resource group will not remove Microsoft Entra administrator privileges or prevent administration of users in Entra; it only affects the ability to manage Azure RBAC role assignments on that specific scope (resource group and its resources).

    For learning Azure Key Vault and creating secrets, a safer pattern is:

    1. Keep Microsoft Entra admin roles only where needed (tenant-level identity management), and avoid using them for day‑to‑day resource operations.
    2. On the Key Vault, use Azure RBAC for data‑plane access instead of legacy access policies, as recommended.
    3. Assign a least‑privilege Key Vault data role to the identity that will create and manage secrets, for example:
      • Key Vault Secrets Officer to manage (create/update/delete) secrets.
      • Key Vault Secrets User to read secrets.

    Example using Azure portal (RBAC model on the vault):

    1. Ensure the Key Vault is configured to use Azure RBAC permissions (not legacy access policies).
    2. On the Key Vault, go to Access control (IAM) → Role assignments → Add role assignment.
    3. Choose a data role such as Key Vault Secrets Officer or Key Vault Secrets User.
    4. Under Assign access to, select User, group, or service principal and pick the identity that will manage/read secrets.
    5. Complete Review + assign.

    After that, secrets can be created in the Key Vault by that identity without relying on elevated roles at the resource group level.

    If the warning about elevated access is specifically about the User Access Administrator role on the resource group, it can be removed once there is confidence that no scripts or processes depend on that role for managing RBAC assignments at that scope. Entra admin roles (like Global Administrator) are managed separately in Microsoft Entra and are not removed by deleting an Azure RBAC assignment on a resource group.


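A scripted version of the procedure in answers 1 and 3, added here as an example (it is not code from any of the answers or from Microsoft): it checks that the vault uses the RBAC model, grants Key Vault Secrets Officer at vault scope only, creates a secret, and removes the resource-group User Access Administrator assignment only after confirming Owner is held at or above that scope. It assumes the Az PowerShell module, a signed-in session (Connect-AzAccount), and placeholder vault and resource-group names.

```powershell
# Added example, not from the Q&A answers. Assumes Az module + Connect-AzAccount done.
# $VaultName and $ResourceGroup are placeholders; the secret name is a constructed example.
param(
    [string]$VaultName     = "<your-key-vault-name>",
    [string]$ResourceGroup = "<your-resource-group>"
)

$me    = Get-AzADUser -SignedIn            # the signed-in Entra user
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup

# 1. Data-plane roles such as Key Vault Secrets Officer only take effect when the
#    vault uses the Azure RBAC permission model, not legacy access policies.
if (-not $vault.EnableRbacAuthorization) {
    throw "Vault '$VaultName' uses legacy access policies; switch it to Azure RBAC first."
}

# 2. Least privilege: grant the secrets role scoped to this vault, not the RG/subscription.
$role     = "Key Vault Secrets Officer"
$existing = Get-AzRoleAssignment -ObjectId $me.Id -Scope $vault.ResourceId -RoleDefinitionName $role
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $me.Id -RoleDefinitionName $role -Scope $vault.ResourceId | Out-Null
    Write-Host "Assigned '$role' on $($vault.ResourceId). Sign out/in if the new role is not picked up."
}

# 3. Create the secret; read the value as a SecureString so it is not echoed or logged.
$secretValue = Read-Host -Prompt "Secret value" -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name "webapp-db-password" -SecretValue $secretValue | Out-Null

# 4. The IAM warning is about the 'User Access Administrator' assignment on the RG.
#    Removing it does not touch Entra admin roles, but answer 1's caveat applies:
#    only remove it when Owner is already held at that scope or an ancestor scope.
$rg    = Get-AzResourceGroup -Name $ResourceGroup
$owner = Get-AzRoleAssignment -ObjectId $me.Id -RoleDefinitionName "Owner" |
         Where-Object { $rg.ResourceId -like "$($_.Scope)*" }   # matches RG or inherited scope
if ($owner) {
    Remove-AzRoleAssignment -ObjectId $me.Id -RoleDefinitionName "User Access Administrator" -Scope $rg.ResourceId
    Write-Host "Removed 'User Access Administrator' on $($rg.ResourceId); Owner covers delegation there."
} else {
    Write-Warning "No Owner role at or above '$ResourceGroup'; keep 'User Access Administrator' for now."
}
```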
