Azure Key Vaults: Assign Access Policies to a single object using PowerShell

In this blog I will share one way to assign a key vault access policies to a single application, security group or user using PowerShell.

My blogs have relatively simple, and sometimes complex, examples and I’m hoping that you will be able to tailor them to your need or use them in your own scripts.

To assign access policies to multiple applications, security groups or users, review Azure Key Vaults: Assign Access Policies to multiple objects using PowerShell.

Prerequisites

1. Install Azure PowerShell if you haven’t already. You can use Cloud Shell if you prefer to stay within Azure Portal.
2. Install Azure Active Directory PowerShell module if you haven’t already. You can use Cloud Shell if you prefer to stay within Azure Portal.
3. A key vault already created. You can use Quickstart: Create a key vault using the Azure portal to create one.

Introduction

The goal of this blog is to show one way to accomplish a task. It is not to show how to write a perfect script, the perfect solution to a challenge or the perfect process to accomplish a task.

Because key vault supports up to 1024 access policy entries, it is recommended to assign access policies to groups of users, where possible, rather than individual users.

Using PowerShell, I will show you how to assign a key vault access policies to:

1. A single application, security group or user using PowerShell.

PowerShell Cmdlets

1. Connect-AzAccount Connect to Azure with an authenticated account for use with cmdlets from the Az PowerShell modules.
2. Set-AzContext Sets the tenant, subscription, and environment for cmdlets to use in the current session.
3. Get-AzADGroup Filters active directory groups.
4. Set-AzKeyVaultAccessPolicy Grants or modifies existing permissions for a user, application, or security group to perform operations with a key vault. The cmdlet will be used with the following parameters: -VaultName, -UserPrincipalName, -ObjectId, -ServicePrincipalName, -PermissionsToKeys, and -PermissionsToSecrets.
   By default, Set-AzKeyVaultAccessPolicy does not generate any output. Use -PassThru to returns an object representing the item with which you are working.

Sign in to Azure

1. Sign in to Azure. If you have multiple subscriptions or tenants, make sure to sign in to the correct subscription.
2. You can use Set-AzContext to set the tenant, subscription, and environment for cmdlets to use in the current session.
   
   PowerShell

   Connect-AzAccount -Subscription "aa1111a1-1111-1a1a-11a1-1111a1a1a1a1"

   1	Connect-AzAccount -Subscription "aa1111a1-1111-1a1a-11a1-1111a1a1a1a1"

   
   

Assign access policies to a user using -UserPrincipalName

1. The first example specifies the user principal name (UPN) name ‘user1@contosodev.com’, and the command grants the user permissions to set, delete and get secrets.
2. The second example specifies the user principal name (UPN) name ‘user1@contosodev.com’, and the command grants the user permissions to (a) set, delete and get secrets and (b) create, import,  delete and list keys.
3. The final command specifies the user principal name (UPN) name ‘user1@contosodev.com’, and the command removes all permissions to key operations.
   
   PowerShell

   $VaultName = 'SaadDev03Vault' $UserPN = 'user1@saadkhamis.com' $PermToSecrets = @("set", "delete", "get") # Grants permissions for $UserPN to perform operations $PermToSecrets for a key vault named $VaultName Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserPN -PermissionsToSecrets $PermToSecrets # Grants permissions for $UserPN to perform operations $PermToKeys and $PermToSecrets for a key vault named $VaultName $PermToKeys = @("create", "import", "delete", "list") Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserPN -PermissionsToSecrets $PermToSecrets -PermissionsToKeys $PermToKeys # Removes all permissions to key operations for $UserPN for a key vault named $VaultName Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserPN -PermissionsToKeys @()

   1 2 3 4 5 6 7 8 9 10 11 12 13

   $VaultName = 'SaadDev03Vault' $UserPN = 'user1@saadkhamis.com'   $PermToSecrets = @("set", "delete", "get") # Grants permissions for $UserPN to perform operations $PermToSecrets for a key vault named $VaultName Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserPN -PermissionsToSecrets $PermToSecrets   # Grants permissions for $UserPN to perform operations $PermToKeys and $PermToSecrets for a key vault named $VaultName $PermToKeys = @("create", "import", "delete", "list") Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserPN -PermissionsToSecrets $PermToSecrets -PermissionsToKeys $PermToKeys   # Removes all permissions to key operations  for $UserPN for a key vault named $VaultName Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserPN -PermissionsToKeys @()

Assign access policies to a security group using -ObjectId

In order to assign access policies to a security group, the security group object Id is needed. The Get-AzADGroup cmdlet is used to get the security group object Id. You can:

1. Save the result of Get-AzADGroup in a variable then use the variable or
2. Get security group object Id inline in the same command line. The advantage of the first method is the ability to check validate the group name. I will show you both method.
   
   PowerShell

   $VaultName = 'SaadDev03Vault' $GroupName = 'Group1' $PermToSecrets = @("set", "delete", "get") # 1. Save the result of Get-AzADGroup in a variable then use the variable $GroupId = (Get-AzADGroup | Where {$_.DisplayName -eq $GroupName}).Id if ($GroupId -eq $null) { # Security group does not exist, write an error message Write-Host "[$GroupName] does not exist" -ForegroundColor Red } else { # Security group exists, grants the security group permissions Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $GroupId -PermissionsToSecrets $PermToSecrets } # OR # 2. Get security group object Id inline in the same command line Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId (Get-AzADGroup | Where {$_.DisplayName -eq $GroupName}).Id -PermissionsToSecrets $PermToSecrets

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

   $VaultName = 'SaadDev03Vault' $GroupName = 'Group1' $PermToSecrets = @("set", "delete", "get")   # 1. Save the result of Get-AzADGroup in a variable then use the variable $GroupId = (Get-AzADGroup | Where {$_.DisplayName -eq $GroupName}).Id if ($GroupId -eq $null) { # Security group does not exist, write an error message     Write-Host "[$GroupName] does not exist" -ForegroundColor Red } else { # Security group exists, grants the security group permissions     Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $GroupId -PermissionsToSecrets $PermToSecrets } # OR # 2. Get security group object Id inline in the same command line Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId (Get-AzADGroup | Where {$_.DisplayName -eq $GroupName}).Id -PermissionsToSecrets $PermToSecrets

Assign access policies to an application using -ServicePrincipalName

The application must be registered in your Azure Active Directory.

1. This example specifies the service principal name ‘http://payroll.saadkhamis.com’, and the command grants the application permissions to set and get secrets.
   
   PowerShell

   $VaultName = 'SaadDev03Vault' $AppServPN = 'http://payroll.saadkhamis.com' $PermToSecrets = @("set", "get") # Grants permissions for $AppServPN to perform operations $PermToSecrets for a key vault named $VaultName Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AppServPN -PermissionsToSecrets $PermToSecrets

   1 2 3 4 5 6

   $VaultName = 'SaadDev03Vault' $AppServPN = 'http://payroll.saadkhamis.com' $PermToSecrets = @("set", "get")   # Grants permissions for $AppServPN to perform operations $PermToSecrets for a key vault named $VaultName Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AppServPN -PermissionsToSecrets $PermToSecrets

Conclusion

In this blog we explored how to assign a key vault access policies to a single application, security group or user using PowerShell.

Did you find this blog easy to follow and helpful to you? Let me know in the comments below.