Assign a Key Vault access policy using Azure PowerShell

A Key Vault access policy determines whether a given security principal, namely an application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal, the Azure CLI, or Azure PowerShell (this article).

Key Vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see Manage app and resource access using Azure Active Directory groups.

For full details on Key Vault access control, see Azure Key Vault security: Identity and access management.

For more information on creating groups in Azure Active Directory using Azure PowerShell, see New-AzureADGroup and Add-AzADGroupMember.

Configure PowerShell and sign-in

  1. To run commands locally, install Azure PowerShell if you haven't already.

    To run commands directly in the cloud, use the Azure Cloud Shell.

  2. Local PowerShell only:

    1. Install the Azure Active Directory PowerShell module.

    2. Sign in to Azure:


Acquire the object ID

Determine the object ID of the application, group, or user to which you want to assign the access policy:

  • Applications and other service principals: use the Get-AzADServicePrincipal cmdlet with the -SearchString parameter to filter results to the name of the desired service principal:

    Get-AzADServicePrincipal -SearchString <search-string>

  • Groups: use the Get-AzADGroup cmdlet with the -SearchString parameter to filter results to the name of the desired group:

    Get-AzADGroup -SearchString <search-string>

    In the output, the object ID is listed as Id.

  • Users: use the Get-AzADUser cmdlet, passing the user's email address to the -UserPrincipalName parameter.

    Get-AzADUser -UserPrincipalName <email-address-of-user>

    In the output, the object ID is listed as Id.

Assign the access policy

Use the Set-AzKeyVaultAccessPolicy cmdlet to assign the access policy:

Set-AzKeyVaultAccessPolicy -VaultName <key-vault-name> -ObjectId <Id> -PermissionsToSecrets <secrets-permissions> -PermissionsToKeys <keys-permissions> -PermissionsToCertificates <certificate-permissions>

You need to include -PermissionsToSecrets, -PermissionsToKeys, and -PermissionsToCertificates only when assigning permissions to those particular types. The allowable values for <secrets-permissions>, <keys-permissions>, and <certificate-permissions> are given in the Set-AzKeyVaultAccessPolicy - Parameters documentation.
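
The following script is an added example, not part of the original article. It ties the steps above together for a group: it resolves the object ID, checks the vault against the 1024-entry limit, grants only secret read permissions, and reads the policy back to confirm what was applied. The vault name and group name are hypothetical placeholders, and the script assumes you are already signed in.

```powershell
# Added example. $vaultName and $groupName are hypothetical placeholders.
$vaultName = 'contoso-example-kv'
$groupName = 'kv-secret-readers'
$maxEntries = 1024   # access policy entry limit stated in this article

# -SearchString is a filter, not an exact match. Require exactly one group
# with this display name so the policy cannot land on a similarly named one.
$group = @(Get-AzADGroup -SearchString $groupName |
    Where-Object DisplayName -eq $groupName)
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($group.Count)."
}
$objectId = $group[0].Id

# Load the vault and inspect its current access policy entries.
$vault = Get-AzKeyVault -VaultName $vaultName
if ($null -eq $vault) {
    throw "Key vault '$vaultName' was not found in the current subscription."
}
$existing = @($vault.AccessPolicies)
$alreadyPresent = @($existing | Where-Object ObjectId -eq $objectId).Count -gt 0

# A new principal needs a free entry; an existing one is updated in place.
if (-not $alreadyPresent -and $existing.Count -ge $maxEntries) {
    throw "Vault '$vaultName' already has $($existing.Count) access policy entries."
}

# Grant only what the group needs: read access to secrets. No key or
# certificate permissions are passed, so none are assigned by this call.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $objectId `
    -PermissionsToSecrets get,list

# Read the policy back and show every permission the group now holds,
# including any key or certificate permissions granted earlier.
$entry = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object ObjectId -eq $objectId
if ($null -eq $entry) {
    throw "No access policy entry found for object ID $objectId after assignment."
}
$entry | Format-List DisplayName, ObjectId, PermissionsToSecrets,
    PermissionsToKeys, PermissionsToCertificates
```

Review the final listing after each run: permissions assigned to the same object ID in earlier calls for other types remain on the entry until they are changed or removed.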
