Grant several applications access to a key vault
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.
An access policy can be used to grant several applications access to a key vault. An access policy can support up to 1024 applications, and is configured as follows:
- Create an Azure Active Directory security group.
- Add all of the applications' associated service principals to the security group.
- Grant the security group access to your Key Vault.
Here are the prerequisites:
- Install Azure PowerShell.
- Install the Azure Active Directory V2 PowerShell module.
- Permissions to create/edit groups in the Azure Active Directory tenant. If you don't have permissions, you may need to contact your Azure Active Directory administrator. See About Azure Key Vault keys, secrets and certificates for details on Key Vault access policy permissions.
Granting Key Vault access to applications
Run the following commands in PowerShell:
# Connect to Azure AD (for the AzureAD cmdlets) and to Azure (for the Az cmdlets)
Connect-AzureAD
Connect-AzAccount

# Create Azure Active Directory Security Group
$aadGroup = New-AzureADGroup -Description "Contoso App Group" -DisplayName "ContosoAppGroup" -MailEnabled $false -MailNickName none -SecurityEnabled $true

# Find and add your applications (ServicePrincipal ObjectID) as members to this group
$spn = Get-AzureADServicePrincipal -SearchString "ContosoApp1"
Add-AzureADGroupMember -ObjectId $aadGroup.ObjectId -RefObjectId $spn.ObjectId
# You can add several members to this group, in this fashion.

# Set the Key Vault ACLs
Set-AzKeyVaultAccessPolicy -VaultName ContosoVault -ObjectId $aadGroup.ObjectId `
    -PermissionsToKeys decrypt,encrypt,unwrapKey,wrapKey,verify,sign,get,list,update,create,import,delete,backup,restore,recover,purge `
    -PermissionsToSecrets get,list,set,delete,backup,restore,recover,purge `
    -PermissionsToCertificates get,list,delete,create,import,update,managecontacts,getissuers,listissuers,setissuers,deleteissuers,manageissuers,recover,purge,backup,restore `
    -PermissionsToStorage get,list,delete,set,update,regeneratekey,getsas,listsas,deletesas,setsas,recover,backup,restore,purge
# Of course you can adjust the permissions as required
If you need to grant a different set of permissions to a group of applications, create a separate Azure Active Directory security group for such applications.
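The following is an added example, not part of the original article, showing a second, least-privilege group for applications that only need to read secrets, followed by a check that the resulting access policy entry grants nothing more. The vault name (ContosoVault), the group name (ContosoSecretReaders) and the application display names (ContosoApp2, ContosoApp3) are placeholders; substitute your own.

```powershell
# Added example (not from the original article). All names below are placeholders.
Connect-AzureAD
Connect-AzAccount

$vaultName  = 'ContosoVault'                   # placeholder vault name
$readerApps = @('ContosoApp2', 'ContosoApp3')  # placeholder application display names

# A separate security group for applications that only read secrets
$readerGroup = New-AzureADGroup -DisplayName 'ContosoSecretReaders' `
    -Description 'Applications that only read secrets from ContosoVault' `
    -MailEnabled $false -MailNickName 'ContosoSecretReaders' -SecurityEnabled $true

foreach ($appName in $readerApps) {
    # -SearchString matches on the display name prefix, so make sure exactly one principal came back
    $spn = @(Get-AzureADServicePrincipal -SearchString $appName)
    if ($spn.Count -ne 1) {
        throw "Expected exactly one service principal for '$appName', found $($spn.Count)"
    }
    Add-AzureADGroupMember -ObjectId $readerGroup.ObjectId -RefObjectId $spn[0].ObjectId
}

# Grant only the secret permissions these applications need; no key, certificate or storage permissions
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $readerGroup.ObjectId `
    -PermissionsToSecrets get,list

# Verify the policy entry for this group: only get and list on secrets, every other category empty
$policy = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $readerGroup.ObjectId }
$policy | Format-List ObjectId, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates, PermissionsToStorage

# Group membership is what grants vault access, so review it periodically
Get-AzureADGroupMember -ObjectId $readerGroup.ObjectId |
    Select-Object DisplayName, ObjectId, ObjectType
```

Keeping each permission set in its own group makes the vault's access policies reviewable at a glance: `Get-AzKeyVault` lists one entry per group, and `Get-AzureADGroupMember` shows which service principals currently inherit that entry.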
Learn more about how to Secure your key vault.