Hi!
Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on the management plane, and the access policy model, which operates on both the management plane and the data plane.
- Azure RBAC is built on Azure Resource Manager and provides fine-grained access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource).
- The access policy model, on the other hand, is an existing authorization system built in Key Vault to provide access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (user, group, service principal, managed identity) at Key Vault scope.
Azure RBAC offers several advantages over access policies:
- A unified access control model for Azure resources – it uses the same API across Azure services
- Centralized access management for administrators – manage all Azure resources in one view
- Integration with Privileged Identity Management for time-based access control
- Deny assignments – ability to exclude security principals at a particular scope
- More stringent permissions – managing access for users and service principals requires the Owner or User Access Administrator role
Azure RBAC is now the recommended authorization system for the Azure Key Vault data plane.
Maxime.
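As an added illustration of the two models described in the answer above (example template, not code from the original post): a Bicep deployment showing the same workload identity granted secret read access first through a legacy access policy on the vault and then through an Azure RBAC role assignment, which is made of the three elements the answer lists (principal, role definition, scope). The parameter names, vault names and the `appPrincipalId` value are placeholders; the role definition GUID is the built-in "Key Vault Secrets User" role.

```bicep
// Added example (not from the original answer). Parameter names,
// vault names and the principal id are placeholders; replace them.
param appPrincipalId string
param location string = resourceGroup().location

// Built-in role "Key Vault Secrets User" (read secret contents only)
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// Legacy access-policy model: permissions are listed per principal on
// the vault resource itself, at vault scope only.
resource kvLegacy 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv-legacy-example'
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }
    tenantId: subscription().tenantId
    enableRbacAuthorization: false
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: appPrincipalId
        permissions: { secrets: [ 'get', 'list' ] }
      }
    ]
  }
}

// Azure RBAC model: the vault carries no per-principal permissions;
// data-plane access comes only from Azure role assignments.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv-rbac-example'
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
  }
}

// Role assignment = security principal + role definition + scope.
resource appSecretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, appPrincipalId, secretsUserRoleId)
  scope: kv
  properties: {
    principalId: appPrincipalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalType: 'ServicePrincipal'
  }
}
```

With `enableRbacAuthorization: true` any `accessPolicies` entries on the vault are ignored, so the role assignment is the only path to the secrets and can be audited alongside every other Azure role assignment.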