Editar

Partilhar via


New-AzKeyVaultRoleAssignment

Assigns the specified RBAC role to the specified principal, at the specified scope.

Syntax

New-AzKeyVaultRoleAssignment
   [-HsmName] <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   -SignInName <String>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzKeyVaultRoleAssignment
   [-HsmName] <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   -ApplicationId <String>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzKeyVaultRoleAssignment
   [-HsmName] <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   -ObjectId <String>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzKeyVaultRoleAssignment
   [-HsmName] <String>
   [-Scope <String>]
   -RoleDefinitionId <String>
   -ApplicationId <String>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzKeyVaultRoleAssignment
   [-HsmName] <String>
   [-Scope <String>]
   -RoleDefinitionId <String>
   -ObjectId <String>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzKeyVaultRoleAssignment
   [-HsmName] <String>
   [-Scope <String>]
   -RoleDefinitionId <String>
   -SignInName <String>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

Use the New-AzKeyVaultRoleAssignment command to grant access. Access is granted by assigning the appropriate RBAC role to them at the right scope. The subject of the assignment must be specified. To specify a user, use SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use Microsoft Entra ObjectId parameter. And to specify a Microsoft Entra application, use ApplicationId or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName pr RoleDefinitionId parameter. The scope at which access is being granted may be specified. It defaults to the selected subscription.

The cmdlet may call below Microsoft Graph API according to input parameters:

  • GET /directoryObjects/{id}
  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /servicePrincipals
  • GET /groups/{id}

Examples

Example 1

New-AzKeyVaultRoleAssignment -HsmName bez-hsm -RoleDefinitionName "Managed Hsm Crypto User" -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

This example assigns role "Managed Hsm Crypto User" to user "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" at top scope. If user wants to perform operations on keys. "Managed Hsm Crypto *" role is required for that user.

Example 2

New-AzKeyVaultRoleAssignment -HsmName myHsm -RoleDefinitionName "Managed HSM Policy Administrator" -SignInName user1@microsoft.com

RoleDefinitionName               DisplayName                    ObjectType Scope
------------------               -----------                    ---------- -----
Managed HSM Policy Administrator User 1 (user1@microsoft.com)   User       /

This example assigns role "Managed HSM Policy Administrator" to user "user1@microsoft.com" at top scope.

Parameters

-ApplicationId

The app SPN.

Type:String
Aliases:SPN, ServicePrincipalName
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-HsmName

Name of the HSM.

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ObjectId

The user or group object id.

Type:String
Aliases:Id, PrincipalId
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-RoleDefinitionId

Role Id the principal is assigned to.

Type:String
Aliases:RoleId
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-RoleDefinitionName

Name of the RBAC role to assign the principal with.

Type:String
Aliases:RoleName
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Scope

Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'. '/' is used when omitted.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SignInName

The user SignInName.

Type:String
Aliases:Email, UserPrincipalName
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

PSKeyVaultRoleAssignment