Azure RBAC (role-based access control) and Key Vault access

Azure RBAC (role-based access control) and Key Vault access

Microsoft recently began enforcing the use of the Azure RBAC (role-based access control) which is a change from the previously used access policies. Azure RBAC comes with a unified access control model that makes it easier to manage and has improved security. This could affect your organization in many ways, but in this blog I want to point out how it will affect access to Key Vault Secrets. Key Vault secrets may be used by your application administrators, consulting partners or 3rd party applications and users for various automations.

What are Key Vault secrets?

Azure Key Vault Secrets are a type of resource in Microsoft Azure that allow you to securely store and manage sensitive information such as API keys, passwords, connection strings, certificates, and other secrets. Key Vault Secrets provide a centralized and secure repository for storing and accessing these sensitive pieces of data.

In Dynamics 365, storing sensitive information like secrets in environment variables is a common practice to secure application configuration. However, it is essential to manage and secure these environment variables properly, ensuring that they are not exposed inadvertently. Azure Key Vault can be integrated with applications to securely retrieve and manage secrets, providing an additional layer of security for sensitive information.

How does the new Azure RBAC affect my organization?

If you have 3rd party applications or automations such as MS Flow, they may be utilizing Key Vault Secrets for access to an applicaton and they may start to see errors such as the following:

“Error occured while reading secret: User is not authorized to read secrets from ‘/subscriptions/[Guid of subscription Id]/resourceGroups/[Resource Group Name]/providers/Microsoft.KeyVault/vaults/[KV name]/secrets/[Secret Name]’ resource.”

Granting Key Vault Secret access to applications/users

In Microsoft Azure, a new Key Vault Secrets User role is a built-in role that provides read access to secrets stored in Azure Key Vault. This role allows users or applications to retrieve secret values from the Key Vault.

To assign the Key Vault Secrets User role to an Azure resource, such as a user, service principal, or security group, you can follow these steps:

  1. Sign in to the Azure portal ( using an account with the necessary permissions.
  2. Open the Azure Key Vault resource you want to manage.
  3. In the left-hand menu, click on “Access control (IAM)”.
  4. Click on the “+ Add” button to add a new role assignment.
  5. In the “Add role assignment” window, configure the following settings:
    • Role: Select “Key Vault Secrets User” from the role list.
    • Assign access to: Choose the appropriate user, service principal, or security group that requires access to the Key Vault.
    • Select: Leave it as the default value, which is the current subscription.
  6. Click on the “Save” button to add the role assignment.

If you were previously using access control policies, you can follow these steps to migrate to an Azure role-based access control permission model.

Give us a call today!

After assigning the Key Vault Secrets User role, the user or application will have the necessary permissions to retrieve secrets from the Key Vault using the Azure Key Vault SDK or Azure CLI commands. Make sure to properly configure and authenticate the application or user with the appropriate credentials to access the Key Vault.

Beringer Technology Group, a leading Microsoft Partner specializing in Microsoft Dynamics 365 and CRM for Distribution also provides expert Managed IT ServicesBackup and Disaster RecoveryCloud Based Computing, Email Security Implementation and Training,  Unified Communication Solutions, and Cybersecurity Risk Assessment.