Assign a Key Vault access policy using the Azure portal

A Key Vault access policy determines whether a given service principal, namely an application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal (this article), the Azure CLI, or Azure PowerShell.

Key vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see Manage app and resource access using Azure Active Directory groups

For full details on Key Vault access control, see Azure Key Vault security: Identity and access management.

For more information on creating groups in Azure Active Directory through the Azure portal, see Create a basic group and add members

Assign an access policy

  1. In the Azure portal, navigate to the Key Vault resource.

  2. Under Settings, select Access policies, then select Add Access Policy:

    Select Access policies, selecting Add role assignment

  3. Select the permissions you want under Certificate permissions, Key permissions, and Secret permissions. You can also select a template that contains common permission combinations:

    Specifying access policy permissions

  4. Under Select principal, choose the None selected link to open the Principal selection pane. Enter the name of the app or service principal in the search field, select the appropriate result, then choose Select.

    Selecting the service principal for the access policy

    If you're using a managed identity for the app, search for and select the name of the app itself. (For more information on managed identity and service principals, see Key Vault authentication - app identity and service principals.)

  5. Back in the Add access policy pane, select Add to save the access policy.

    Adding the access policy with the service principal assigned

  6. Back on the Access policies page, verify that your access policy is listed under Current Access Policies, then select Save. Access policies aren't applied until you save them.

    Saving the access policy changes

Next steps