
AZ-500: How Do You Grant Key Vault Access to Users, Groups, and Applications?

What Security Principals Can Be Granted Access to an Azure Key Vault?

Learn how to grant access to an Azure Key Vault for AZ-500 exam. Understand the different security principals—users, groups, and applications—and the two access control models: Azure RBAC and Key Vault access policies, to securely manage your secrets, keys, and certificates.

Question

You can grant access to a key vault for:

A. Users
B. Groups
C. Applications
D. All of the above

Answer

D. All of the above

Explanation

The correct answer is D. All of the above. Azure Key Vault access can be granted to all three types of Azure Active Directory (Azure AD) security principals: users, groups, and applications.

You can grant key vault access to an Azure AD user, group, or application.

Key Vault Access Control Principals

Azure Key Vault authenticates any request by validating the caller’s identity. These identities, known as security principals, are the fundamental objects to which permissions are assigned.

  • Users: Individual user accounts in Azure AD can be granted access. This is common for administrators who need to manually manage secrets, keys, or certificates.
  • Groups: Granting access to Azure AD security groups is a best practice for manageability. Instead of assigning permissions to individual users, you assign them to a group and then manage access by adding or removing users from that group in Azure AD.
  • Applications: Applications and services need an identity to access Key Vault programmatically. This is achieved through:
    • Service Principals: A specific identity created for an application.
    • Managed Identities: The recommended approach for Azure resources (like VMs, App Services, or Functions). Azure automatically manages the identity, eliminating the need to store credentials in code.

Methods for Granting Access

Azure Key Vault supports two permission models for granting access to these security principals. You choose one model per Key Vault.

Vault Access Policy Model

This is the original permission model, configured directly within the Key Vault’s “Access policies” settings.

  • An access policy links a security principal (user, group, or application) to a specific set of permissions for keys, secrets, and certificates.
  • Permissions are highly granular, allowing you to specify actions like Get, List, and Set for secrets, or Sign and Verify for keys.

Azure Role-Based Access Control (RBAC) Model

This is the modern and recommended permission model, which integrates Key Vault with standard Azure RBAC.

  • You assign built-in or custom roles to security principals at a specific scope (the Key Vault itself, a resource group, etc.).
  • Built-in roles like Key Vault Secrets User (provides read access to secrets) and Key Vault Administrator (provides full management access) simplify permission assignment.
  • This model offers the benefit of centralized management through standard Azure tools and supports Privileged Identity Management (PIM) for just-in-time access.
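To show how the two models differ in practice, here is an added example (not code from the original page) that grants a user, group, or application read access to a vault's secrets under whichever model the vault uses. It assumes the Azure CLI (`az`) is installed and signed in; the vault name, resource group, object ID and principal type are placeholders passed as environment variables, and `DRY_RUN=1` prints each command instead of running it. The principal type (`User`, `Group`, or `ServicePrincipal`, which also covers managed identities) only matters for the RBAC role assignment; an access policy is keyed by the object ID alone.

```shell
# Added example, not code from the original page: grant a principal read access to
# a vault's secrets under whichever permission model that vault uses.
# Assumes Azure CLI (az) is installed and signed in; vault name, resource group and
# the principal's object ID are placeholders supplied via environment variables.
# DRY_RUN=1 prints each az command instead of executing it.
set -eu

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Map the vault's enableRbacAuthorization property (true/false/empty) to a model name.
# The property is read with:
#   az keyvault show --name <vault> --query properties.enableRbacAuthorization -o tsv
# An empty value (older vaults) means the access policy model is in force.
classify_model() {
  case "$1" in
    true|True) echo rbac ;;
    *)         echo policy ;;
  esac
}

# RBAC model: one role assignment, scoped to the vault's resource ID.
# principal_type is User, Group or ServicePrincipal (managed identities are ServicePrincipal).
grant_secret_reader_rbac() {
  vault_id="$1"; object_id="$2"; principal_type="$3"
  run az role assignment create \
    --assignee-object-id "$object_id" \
    --assignee-principal-type "$principal_type" \
    --role "Key Vault Secrets User" \
    --scope "$vault_id"
}

# Access policy model: the policy is keyed by object ID and lists per-type permissions.
# The principal type does not appear in the command; only its object ID is needed.
grant_secret_reader_policy() {
  vault="$1"; object_id="$2"
  run az keyvault set-policy \
    --name "$vault" \
    --object-id "$object_id" \
    --secret-permissions get list
}

# Dispatch on the model so callers never mix the two (a vault honours only one).
grant_secret_reader() {
  model="$1"; vault="$2"; vault_id="$3"; object_id="$4"; principal_type="$5"
  case "$model" in
    rbac)   grant_secret_reader_rbac "$vault_id" "$object_id" "$principal_type" ;;
    policy) grant_secret_reader_policy "$vault" "$object_id" ;;
    *)      echo "unknown model: $model" >&2; return 1 ;;
  esac
}

# Usage (runs only when KV_NAME is set; placeholder values are constructed):
#   KV_NAME=kv-demo KV_RG=rg-demo OBJECT_ID=<entra-object-id> PRINCIPAL_TYPE=Group sh grant.sh
if [ -n "${KV_NAME:-}" ]; then
  rbac_flag=$(az keyvault show --name "$KV_NAME" --resource-group "${KV_RG:?}" \
                --query properties.enableRbacAuthorization -o tsv)
  vault_id=$(az keyvault show --name "$KV_NAME" --resource-group "$KV_RG" --query id -o tsv)
  model=$(classify_model "$rbac_flag")
  echo "vault $KV_NAME uses the $model model"
  grant_secret_reader "$model" "$KV_NAME" "$vault_id" "${OBJECT_ID:?}" "${PRINCIPAL_TYPE:-ServicePrincipal}"
fi
```

Under RBAC the same command serves all three principal kinds and differs only in `--assignee-principal-type`; the scope can also be widened to the resource group to cover several vaults with one assignment. A vault that reports `enableRbacAuthorization` as false or empty is treated as using the access policy model; switching it with `az keyvault update --enable-rbac-authorization true` makes any existing access policies stop applying, so the role assignments must be in place before the switch.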
