New-AzKeyVaultRoleAssignment
Assigns the specified RBAC role to the specified principal, at the specified scope.
Syntax
New-AzKeyVaultRoleAssignment
[-HsmName] <String>
[-Scope <String>]
-RoleDefinitionName <String>
-SignInName <String>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-AzKeyVaultRoleAssignment
[-HsmName] <String>
[-Scope <String>]
-RoleDefinitionName <String>
-ApplicationId <String>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-AzKeyVaultRoleAssignment
[-HsmName] <String>
[-Scope <String>]
-RoleDefinitionName <String>
-ObjectId <String>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-AzKeyVaultRoleAssignment
[-HsmName] <String>
[-Scope <String>]
-RoleDefinitionId <String>
-ApplicationId <String>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-AzKeyVaultRoleAssignment
[-HsmName] <String>
[-Scope <String>]
-RoleDefinitionId <String>
-ObjectId <String>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-AzKeyVaultRoleAssignment
[-HsmName] <String>
[-Scope <String>]
-RoleDefinitionId <String>
-SignInName <String>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
Use the New-AzKeyVaultRoleAssignment command to grant access.
Access is granted by assigning the appropriate RBAC role to them at the right scope.
The subject of the assignment must be specified.
To specify a user, use SignInName or Microsoft Entra ObjectId parameters.
To specify a security group, use Microsoft Entra ObjectId parameter.
And to specify a Microsoft Entra application, use ApplicationId or ObjectId parameters.
The role that is being assigned must be specified using the RoleDefinitionName pr RoleDefinitionId parameter. The scope at which access is being granted may be specified. It defaults to the selected subscription.
The cmdlet may call below Microsoft Graph API according to input parameters:
- GET /directoryObjects/{id}
- GET /users/{id}
- GET /servicePrincipals/{id}
- GET /servicePrincipals
- GET /groups/{id}
Examples
Example 1
New-AzKeyVaultRoleAssignment -HsmName bez-hsm -RoleDefinitionName "Managed Hsm Crypto User" -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxThis example assigns role "Managed Hsm Crypto User" to user "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" at top scope. If user wants to perform operations on keys. "Managed Hsm Crypto *" role is required for that user.
Example 2
New-AzKeyVaultRoleAssignment -HsmName myHsm -RoleDefinitionName "Managed HSM Policy Administrator" -SignInName user1@microsoft.com
RoleDefinitionName DisplayName ObjectType Scope
------------------ ----------- ---------- -----
Managed HSM Policy Administrator User 1 (user1@microsoft.com) User /This example assigns role "Managed HSM Policy Administrator" to user "user1@microsoft.com" at top scope.
Parameters
-ApplicationId
The app SPN.
| Type: | String |
| Aliases: | SPN, ServicePrincipalName |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-HsmName
Name of the HSM.
| Type: | String |
| Position: | 1 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ObjectId
The user or group object id.
| Type: | String |
| Aliases: | Id, PrincipalId |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RoleDefinitionId
Role Id the principal is assigned to.
| Type: | String |
| Aliases: | RoleId |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RoleDefinitionName
Name of the RBAC role to assign the principal with.
| Type: | String |
| Aliases: | RoleName |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Scope
Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'. '/' is used when omitted.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignInName
The user SignInName.
| Type: | String |
| Aliases: | Email, UserPrincipalName |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
None
Outputs
Azure PowerShell