Security Secrets and keys premium field-manual-complete field-manual-complete

Key Vault access policy

A Key Vault access policy is the older Key Vault data-plane permission model that says who can read, write, list, delete, or manage keys, secrets, and certificates inside a vault. It is separate from normal Azure management permissions. A user might be able to see the vault resource but still be unable to read a secret, or the reverse might be possible through policy design. Newer designs often prefer Azure RBAC, but many production vaults still use access policies and need careful review.

Back to glossary browser Open Microsoft Learn source
Aliases
access policy, vault access policy, Key Vault policy permissions, data-plane access policy
Difficulty
Intermediate
CLI mappings
5
Last verified
2026-05-15

Microsoft Learn

Microsoft Learn describes a Key Vault access policy as a rule that grants a user, application, or group permissions to perform selected operations on keys, secrets, and certificates in a vault using the access policy permission model and permission categories.

Microsoft Learn: Assign an Azure Key Vault access policy2026-05-15

Technical context

Key Vault access policies live on the vault resource and apply to the data plane for secrets, keys, and certificates when the vault is not using Azure RBAC authorization for data actions. Each policy targets a Microsoft Entra object ID and grants specific permission lists. The management plane still uses Azure RBAC for the vault resource itself. Operators inspect enableRbacAuthorization, accessPolicies, object IDs, tenant IDs, diagnostic logs, private endpoint configuration, soft-delete, and purge protection to understand how vault access actually works.

Why it matters

Key Vault access policy matters because secrets and keys are usually on the critical path for applications, databases, certificates, encryption, and automation. A missing get permission can break production startup. An excessive set or delete permission can let someone change credentials or remove material that the business depends on. The model also creates a governance trap: principals with vault write permissions may be able to grant themselves data-plane access if access policies are used. Teams need to know which permission model each vault uses, who can change it, and how access is reviewed before incidents or audits expose the gap.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the Key Vault Access policies blade, each entry lists a principal and the allowed key, secret, and certificate permissions for that specific vault review.

Signal 02

In Azure CLI output, properties.enableRbacAuthorization and properties.accessPolicies reveal whether data-plane access uses access policies or Azure RBAC for authorization during audits and incident response.

Signal 03

In diagnostic logs, denied secret, key, or certificate operations often point to missing permissions, stale object IDs, or a recent policy change during incident response reviews.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Grant a managed identity get permission for one application secret while avoiding broad secret management rights.
  • Audit existing vaults that still use access policies before migrating data-plane authorization to Azure RBAC.
  • Remove stale user, service principal, or deployment identities from vault policies after application retirement or tenant cleanup.
  • Troubleshoot 403 errors from an application that can reach Key Vault but lacks the specific secret, key, or certificate permission.
  • Lock down who can modify vault properties so Contributors cannot casually add themselves to production secret access policies.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Key Vault access policy cleanup for SaaS onboarding

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A B2B SaaS provider discovered that old deployment service principals still had secret management permissions in several production vaults. Customer onboarding was slowing because every security review produced a new exception list.

Business/Technical Objectives
  • Map every production access policy to an active owner
  • Remove retired deployment identities without breaking releases
  • Reduce secret-management permissions for runtime apps
  • Produce reusable evidence for customer security reviews
Solution Using Key Vault access policy

The platform team used Azure CLI to export properties.enableRbacAuthorization and accessPolicies from each vault. They mapped object IDs to current managed identities, app registrations, and groups, then created permission templates for runtime read, deployment write, and certificate automation. Retired identities were removed first in staging, and deployment pipelines ran secret-read and secret-set tests before production changes. Diagnostic logs were reviewed for denied operations after each removal. For runtime services, policies were reduced to get permissions on secrets, while deployment identities kept narrowly approved set permissions through a controlled group.

Results & Business Impact
  • 34 stale policy entries were removed across nine vaults
  • Customer security questionnaires were answered 65% faster
  • Runtime identities lost broad set and delete permissions without application impact
  • No failed production deployments occurred during the cleanup window
Key Takeaway for Glossary Readers

Key Vault access policies become manageable when every object ID has an owner, a purpose, and a tested permission template.

Case study 02

Key Vault access policy repair for payment outage

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A payment processor had a production checkout outage after a well-meaning engineer removed a policy for an unfamiliar object ID. The object was the managed identity used by the card-tokenization service.

Business/Technical Objectives
  • Restore checkout secret access quickly
  • Identify the removed identity without guessing
  • Prevent repeat outages from undocumented policy cleanup
  • Add monitoring for future denied secret reads
Solution Using Key Vault access policy

Incident responders queried Key Vault diagnostic logs and found denied secret get operations for the tokenization secret immediately after the policy change. They matched the caller object ID to the managed identity on the App Service plan and restored a minimal access policy granting only secret get and list. After recovery, the team built a policy inventory that resolved object IDs to resource names, owners, and last-seen log activity. They also changed the cleanup runbook so policies could not be removed unless the owning workload confirmed retirement and a staged validation test passed.

Results & Business Impact
  • Checkout recovered in 18 minutes after the object ID was identified
  • Authorization-related mean time to diagnose fell from 47 minutes to 9 minutes
  • Policy cleanup now requires owner approval and staging proof
  • Alerts now fire within five minutes of repeated denied secret reads
Key Takeaway for Glossary Readers

Access-policy outages are easier to fix when logs, object-ID mapping, and rollback commands exist before someone starts deleting entries.

Case study 03

Key Vault access policy transition for manufacturing certificates

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A manufacturer used Key Vault to hold TLS certificates for plant-floor gateways. Access policies had grown inconsistent across regions, causing renewal failures that threatened scheduled maintenance windows.

Business/Technical Objectives
  • Standardize certificate permissions for renewal automation
  • Keep plant gateways online during policy changes
  • Prepare vaults for eventual Azure RBAC migration
  • Create evidence for operational technology audits
Solution Using Key Vault access policy

The security engineering team grouped vaults by region and exported every certificate-related access policy. They discovered renewal automation used different principals in Europe and North America, with some policies granting unnecessary secret delete rights. The team created a certificate automation permission template, applied it first to a noncritical plant, and validated certificate get, import, and update operations. Gateway applications retained only the permissions needed to retrieve current certificates. The team documented which vaults remained on access policies and which would move to Azure RBAC after the next gateway software update. The rollout checklist also named the approval owner for each plant.

Results & Business Impact
  • Certificate renewal failures dropped from 11 per quarter to 1
  • Unnecessary secret delete permissions were removed from 22 policies
  • No gateway downtime occurred during regional rollout
  • Audit preparation time fell by three business days per plant
Key Takeaway for Glossary Readers

Key Vault access policies are not just developer settings; they can decide whether certificate automation succeeds during real maintenance windows.

Why use Azure CLI for this?

With ten years of Azure operations experience, I use Azure CLI for Key Vault access policies because object IDs, permission lists, and authorization mode need precise evidence. Portal screenshots hide too much context and age badly. CLI can show whether the vault uses RBAC or access policies, list every policy in JSON, map principals, and apply or remove a policy through repeatable change steps. That is critical when an application is failing with 403 errors or an audit asks who could read production secrets last week. CLI also makes migration checks to Azure RBAC much easier to automate. It reduces guesswork.

CLI use cases

  • Show the vault authorization mode and accessPolicies array before deciding whether a change belongs in access policy or Azure RBAC.
  • Grant a managed identity only the secret get and list permissions required for a specific application startup path.
  • Remove a retired service principal from a production vault after confirming no active workload still uses that object ID.
  • Export access policy JSON for audit evidence and compare it against approved permission templates across environments.

Before you run CLI

  • Confirm the tenant, subscription, resource group, vault name, and Microsoft Entra object ID because display names can be duplicated or stale.
  • Check properties.enableRbacAuthorization first; access policy commands do not control data-plane access when the vault uses Azure RBAC authorization.
  • Understand whether the change affects secrets, keys, certificates, or all three, and avoid granting set, delete, recover, or purge casually.
  • Have a rollback command ready before removing policies used by deployment agents, certificate automation, encryption workflows, or production applications.

What output tells you

  • The authorization mode tells you whether the vault honors accessPolicies or ignores them in favor of Azure RBAC for data actions.
  • The accessPolicies array shows tenant ID, object ID, application ID when present, and separate permission lists for keys, secrets, certificates, and storage.
  • Set-policy output confirms the desired principal was added or modified, but a real data-plane operation proves the workload can use it.
  • Diagnostic output links failed operations to caller identity, operation name, result type, and timestamp, helping separate permission problems from network issues.

Mapped Azure CLI commands

Key Vault access policy operational checks

direct
az keyvault show --name <vault-name> --resource-group <resource-group> --query properties.enableRbacAuthorization
az keyvaultdiscoverSecurity
read-only Microsoft docs
az keyvault show --name <vault-name> --resource-group <resource-group> --query properties.accessPolicies
az keyvaultdiscoverSecurity
read-only Microsoft docs
az keyvault set-policy --name <vault-name> --object-id <principal-object-id> --secret-permissions get list
az keyvaultoperateSecurity
modifies-state Microsoft docs
az keyvault delete-policy --name <vault-name> --object-id <principal-object-id>
az keyvaultremoveSecurity
modifies-state Microsoft docs
az monitor activity-log list --resource-group <resource-group> --resource-provider Microsoft.KeyVault
az monitor activity-logdiscoverSecurity
read-only Microsoft docs

Architecture context

Architecturally, a Key Vault access policy is an authorization boundary inside a secret-management service, not just a convenience setting. I review it together with application identities, deployment pipelines, certificate renewal, private endpoints, diagnostic settings, purge protection, and backup procedures. Access-policy vaults need especially tight control over who has management-plane write permission because policy changes can grant data access. The design should define whether the organization is staying with access policies, migrating to Azure RBAC, or supporting both during transition. It should also define permission templates, break-glass handling, approval workflow, and evidence collection for every production principal that can read or change secret material.

Security

Security impact is high because access policies directly control data-plane operations on secrets, keys, and certificates. Grant only the permissions an identity needs, such as get for an application that reads a secret, rather than broad list, set, delete, recover, or purge rights. Limit who can modify vault properties when the access policy model is enabled, because those users may be able to add their own data access. Use managed identities instead of shared credentials, enable diagnostic logging, protect network access, and review stale object IDs. Prefer Azure RBAC for new designs when it better matches central governance. Review privileged role assignments together.

Cost

Access policies do not create a separate bill, but poor design creates indirect cost through outages, audit work, manual support, and emergency rotations. A broken policy can stop a deployment and burn engineering hours while teams chase misleading application errors. Excessive permissions can force incident response, secret replacement, certificate reissue, or customer-managed key recovery planning. During migrations, keeping both old and new access paths undocumented increases review effort. Cost control means standardizing permission templates, removing stale policies, automating evidence collection, and preventing repeated break-fix work caused by unclear ownership of vault access. Clear templates reduce repeated consulting and escalation time.

Reliability

Reliability depends on stable, understood access. Removing or changing an access policy can break application startup, certificate rotation, deployment pipelines, disk encryption, or customer-managed key workflows. Overly broad policies can also allow accidental secret replacement, producing outages that look like application bugs. Reliable operation means testing permission changes in lower environments, checking object IDs before deletion, watching Key Vault access failures, and keeping rollback steps for critical identities. Soft-delete and purge protection protect the vault objects, but they do not fix an application that cannot read its required secret during a live incident. Document critical identities before maintenance windows begin.

Performance

Runtime performance is usually indirect. A Key Vault access policy does not make secret retrieval faster, but it can affect application responsiveness when permissions cause repeated 403 errors, retry storms, cold-start failures, or certificate refresh delays. Broad list permissions can encourage inefficient applications that enumerate secrets instead of requesting known names. Operations performance improves when policies are standardized and easy to inspect, because incident teams can quickly separate permission failure from networking, identity, or vault availability. Monitor Key Vault latency, throttling, and failed authorization counts, but interpret them beside recent access-policy changes. Faster diagnosis protects release pipelines and customer-facing startup paths.

Operations

Operators inspect Key Vault access policies during onboarding, incidents, audits, and migrations to Azure RBAC. Common tasks include confirming the vault permission model, mapping object IDs to service principals or managed identities, reviewing permissions by object type, removing stale principals, and validating access from the consuming workload. Changes should be tied to a ticket and tested with a real secret read or certificate operation from the target identity. Diagnostics should capture denied operations, policy updates, and unusual access patterns. Good runbooks explain how to recover when a policy change locks out a deployment or application. Keep object-ID lookup notes beside each change.

Common mistakes

  • Adding permissions for a display name without verifying the object ID, then granting the wrong app registration, group, or user access.
  • Troubleshooting an access policy for hours when the vault is actually configured to use Azure RBAC for data-plane authorization.
  • Granting list, set, delete, recover, or purge permissions to an application that only needs get on a known secret name.
  • Removing a deployment identity policy without checking certificate renewal, key unwrap, or secret update automation that still depends on it.