Azure Key Vaults: Assign Access Policies to a single object using PowerShell

By Saad Khamis

October 8, 2021

4177 views

In this blog I will share one way to assign a key vault access policies to a single application, security group or user using PowerShell.

My blogs have relatively simple, and sometimes complex, examples and I’m hoping that you will be able to tailor them to your need or use them in your own scripts.

To assign access policies to multiple applications, security groups or users, review Azure Key Vaults: Assign Access Policies to multiple objects using PowerShell.

Prerequisites

  1. Install Azure PowerShell if you haven’t already. You can use Cloud Shell if you prefer to stay within Azure Portal.
  2. Install Azure Active Directory PowerShell module if you haven’t already. You can use Cloud Shell if you prefer to stay within Azure Portal.
  3. A key vault already created. You can use Quickstart: Create a key vault using the Azure portal to create one.

Introduction

The goal of this blog is to show one way to accomplish a task. It is not to show how to write a perfect script, the perfect solution to a challenge or the perfect process to accomplish a task.

Because key vault supports up to 1024 access policy entries, it is recommended to assign access policies to groups of users, where possible, rather than individual users.

Using PowerShell, I will show you how to assign a key vault access policies to:

  1. A single application, security group or user using PowerShell.

PowerShell Cmdlets

  1. Connect-AzAccount Connect to Azure with an authenticated account for use with cmdlets from the Az PowerShell modules.
  2. Set-AzContext Sets the tenant, subscription, and environment for cmdlets to use in the current session.
  3. Get-AzADGroup Filters active directory groups.
  4. Set-AzKeyVaultAccessPolicy Grants or modifies existing permissions for a user, application, or security group to perform operations with a key vault. The cmdlet will be used with the following parameters: -VaultName-UserPrincipalName-ObjectId-ServicePrincipalName-PermissionsToKeys, and -PermissionsToSecrets.
    By default, Set-AzKeyVaultAccessPolicy does not generate any output. Use -PassThru to returns an object representing the item with which you are working.

Sign in to Azure

  1. Sign in to Azure. If you have multiple subscriptions or tenants, make sure to sign in to the correct subscription.
  2. You can use Set-AzContext to set the tenant, subscription, and environment for cmdlets to use in the current session.

Assign access policies to a user using -UserPrincipalName

  1. The first example specifies the user principal name (UPN) name ‘user1@contosodev.com’, and the command grants the user permissions to set, delete and get secrets.
  2. The second example specifies the user principal name (UPN) name ‘user1@contosodev.com’, and the command grants the user permissions to (a) set, delete and get secrets and (b) create, import,  delete and list keys.
  3. The final command specifies the user principal name (UPN) name ‘user1@contosodev.com’, and the command removes all permissions to key operations.

Assign access policies to a security group using -ObjectId

In order to assign access policies to a security group, the security group object Id is needed. The Get-AzADGroup cmdlet is used to get the security group object Id. You can:

  1. Save the result of Get-AzADGroup in a variable then use the variable or
  2. Get security group object Id inline in the same command line. The advantage of the first method is the ability to check validate the group name. I will show you both method.

Assign access policies to an application using -ServicePrincipalName

The application must be registered in your Azure Active Directory.

  1. This example specifies the service principal name ‘http://payroll.saadkhamis.com’, and the command grants the application permissions to set and get secrets.

Conclusion

In this blog we explored how to assign a key vault access policies to a single application, security group or user using PowerShell.

Did you find this blog easy to follow and helpful to you? Let me know in the comments below.

Disclaimer

Purpose of the code contained in blog is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.

Comments

There's no comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

List all AWS Certificate Manager certificates

By Saad Khamis 14101 views July 31, 2024

Get all AWS EBS snapshots across all profiles and regions

By Saad Khamis 18459 views June 26, 2024