Set-AzureRmKeyVaultAccessPolicy
NAME Set-AzureRmKeyVaultAccessPolicy
SYNOPSIS
Grants or modifies existing permissions for a user, application, or security group to perform operations with a key vault.
SYNTAX
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-ApplicationId <Guid>] [-BypassObjectIdValidation]
[-DefaultProfile <IAzureContextContainer>] -ObjectId <String> [-PassThru] [-PermissionsToCertificates {get | list | delete | create | import |
update | managecontacts | getissuers | listissuers | setissuers | deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys
{decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete | backup | restore | recover | purge |
all}] [-PermissionsToSecrets {get | list | set | delete | backup | restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete |
set | update | regeneratekey | getsas | listsas | deletesas | setsas | all}] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-ApplicationId <Guid>] [-BypassObjectIdValidation] [-DefaultProfile
<IAzureContextContainer>] -ObjectId <String> [-PassThru] [-PermissionsToCertificates {get | list | delete | create | import | update |
managecontacts | getissuers | listissuers | setissuers | deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt |
encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete | backup | restore | recover | purge | all}]
[-PermissionsToSecrets {get | list | set | delete | backup | restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set |
update | regeneratekey | getsas | listsas | deletesas | setsas | all}] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-DefaultProfile <IAzureContextContainer>] -EmailAddress
<String> [-PassThru] [-PermissionsToCertificates {get | list | delete | create | import | update | managecontacts | getissuers | listissuers |
setissuers | deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign
| get | list | update | create | import | delete | backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete |
backup | restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas |
deletesas | setsas | all}] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-DefaultProfile <IAzureContextContainer>] -EmailAddress <String> [-PassThru]
[-PermissionsToCertificates {get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers |
deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list
| update | create | import | delete | backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup |
restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas |
setsas | all}] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-DefaultProfile <IAzureContextContainer>]
[-EnabledForDeployment] [-EnabledForDiskEncryption] [-EnabledForTemplateDeployment] [-PassThru] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-DefaultProfile <IAzureContextContainer>] [-EnabledForDeployment]
[-EnabledForDiskEncryption] [-EnabledForTemplateDeployment] [-PassThru] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-DefaultProfile <IAzureContextContainer>] [-PassThru] [-PermissionsToCertificates
{get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers | deleteissuers | manageissuers | recover
| purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete |
backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup | restore | recover | purge | all}]
[-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas | setsas | all}] -ServicePrincipalName
<String> [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-DefaultProfile <IAzureContextContainer>] [-PassThru] [-PermissionsToCertificates
{get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers | deleteissuers | manageissuers | recover
| purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete |
backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup | restore | recover | purge | all}]
[-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas | setsas | all}] -UserPrincipalName
<String> [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-DefaultProfile <IAzureContextContainer>] [-PassThru]
[-PermissionsToCertificates {get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers |
deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list
| update | create | import | delete | backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup |
restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas |
setsas | all}] -UserPrincipalName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-DefaultProfile <IAzureContextContainer>] [-PassThru]
[-PermissionsToCertificates {get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers |
deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list
| update | create | import | delete | backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup |
restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas |
setsas | all}] -ServicePrincipalName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Set-AzureRmKeyVaultAccessPolicy cmdlet grants or modifies existing permissions for a user, application, or security group to perform the
specified operations with a key vault. It does not modify the permissions that other users, applications, or security groups have on the key vault.
If you are setting permissions for a security group, this operation affects only users in that security group.
The following directories must all be the same Azure directory:
- The default directory of the Azure subscription in which the key vault resides.
- The Azure directory that contains the user or application group that you are granting permissions to.
Examples of scenarios when these conditions are not met and this cmdlet will not work are:
- Authorizing a user from a different organization to manage your key vault. Each organization has its own directory.
- Your Azure account has multiple directories. If you register an application in a directory other than the default directory, you cannot authorize that application to use your key vault. The application must be in the default directory.
Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.
PARAMETERS
-ApplicationId <Guid>
For future use.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-BypassObjectIdValidation [<SwitchParameter>]
Enables you to specify an object ID without validating that the object exists in Azure Active Directory.
Use this parameter only if you want to grant access to your key vault to an object ID that refers to a delegated security group from another
Azure tenant.
Required? false
Position? named
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-DefaultProfile <IAzureContextContainer>
The credentials, account, tenant, and subscription used for communication with Azure.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-EmailAddress <String>
Specifies the user email address of the user to whom to grant permissions.
This email address must exist in the directory associated with the current subscription and be unique.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-EnabledForDeployment [<SwitchParameter>]
Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource
creation, for example when creating a virtual machine.
Required? false
Position? named
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-EnabledForDiskEncryption [<SwitchParameter>]
Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.
Required? false
Position? named
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-EnabledForTemplateDeployment [<SwitchParameter>]
Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.
Required? false
Position? named
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-InputObject <PSKeyVault>
Key Vault Object
Required? true
Position? 0
Default value None
Accept pipeline input? True (ByValue)
Accept wildcard characters? false
-ObjectId <String>
Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PassThru [<SwitchParameter>]
Returns an object representing the item with which you are working.
By default, this cmdlet does not generate any output.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-PermissionsToCertificates <String[]>
Specifies an array of certificate permissions to grant to a user or service principal.
The acceptable values for this parameter:
- Get
- List
- Delete
- Create
- Import
- Update
- Managecontacts
- Getissuers
- Listissuers
- Setissuers
- Deleteissuers
- Manageissuers
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PermissionsToKeys <String[]>
Specifies an array of key operation permissions to grant to a user or service principal.
The acceptable values for this parameter:
- Decrypt
- Encrypt
- UnwrapKey
- WrapKey
- Verify
- Sign
- Get
- List
- Update
- Create
- Import
- Delete
- Backup
- Restore
- Recover
- Purge
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PermissionsToSecrets <String[]>
Specifies an array of secret operation permissions to grant to a user or service principal.
The acceptable values for this parameter:
- Get
- List
- Set
- Delete
- Backup
- Restore
- Recover
- Purge
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PermissionsToStorage <String[]>
Specifies managed storage account and SaS-definition operation permissions to grant to a user or service principal.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ResourceGroupName <String>
Specifies the name of a resource group.
Required? false
Position? 1
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ServicePrincipalName <String>
Specifies the service principal name of the application to which to grant permissions.
Specify the application ID, also known as client ID, registered for the application in Azure Active Directory. The application with the service
principal name that this parameter specifies must be registered in the Azure directory that contains your current subscription.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-UserPrincipalName <String>
Specifies the user principal name of the user to whom to grant permissions.
This user principal name must exist in the directory associated with the current subscription.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-VaultName <String>
Specifies the name of a key vault.
This cmdlet modifies the access policy for the key vault that this parameter specifies.
Required? true
Position? 0
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
String, Guid, String[], Switch
OUTPUTS
Microsoft.Azure.Commands.KeyVault.Models.PSKeyVault
NOTES
Example 1: Grant permissions to a user for a key vault and modify the permissions
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToSecrets set,delete,get -PassThru
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToKeys @() -PassThru
The first command grants permissions for a user in your Azure Active Directory, PattiFuller@contoso.com, to perform operations on keys and secrets
with a key vault named Contoso03Vault.
The second command modifies the permissions that were granted to PattiFuller@contoso.com in the first command, to now allow getting secrets in
addition to setting and deleting them. The permissions to key operations remain unchanged after this command. The PassThru parameter results in
the updated object being returned by the cmdlet.
The final command further modifies the existing permissions for PattiFuller@contoso.com to remove all permissions to key operations. The
permissions to secret operations remain unchanged after this command. The PassThru parameter results in the updated object being returned by the
cmdlet.
Example 2: Grant permissions for an application service principal to read and write secrets
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ServicePrincipalName 'http://payroll.contoso.com' -PermissionsToSecrets Get,Set
This command grants permissions for an application for a key vault named Contoso03Vault.
The ServicePrincipalName parameter specifies the application. The application must be registered in your Azure Active Directory. The value of the
ServicePrincipalName parameter must be either the service principal name of the application or the application ID GUID.
This example specifies the service principal name http://payroll.contoso.com, and the command grants the application permissions to read and write
secrets.
Example 3: Grant permissions for an application using its object ID
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set
This command grants the application permissions to read and write secrets.
This example specifies the application using the object ID of the service principal of the application.
Example 4: Grant permissions for a user principal name
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToSecrets Get,List,Set
This command grants get, list, and set permissions for the specified user principal name for access to secrets.
Example 5: Enable secrets to be retrieved from a key vault by the Microsoft.Compute resource provider
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -EnabledForDeployment
This command grants the permissions for secrets to be retrieved from the Contoso03Vault key vault by the Microsoft.Compute resource provider.
Example 6: Grant permissions to a security group
PS C:\> Get-AzureRmADGroup
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'myownvault' -ObjectId (Get-AzureRmADGroup -SearchString 'group2')[0].Id -PermissionsToKeys All -PermissionsToSecrets All
DisplayName Type ObjectId
----------- ---- --------
group1 96a0daa6-9841-4a9c-bdeb-e7062276c688
group2 b8a401eb-63ad-4a30-b0e1-a7461969fe54
group3 da07a6be-2c1e-4e42-934d-ceb57cf652b4
The first command uses the Get-AzureRmADGroup cmdlet to get all Active Directory groups. From the output, you see 3 groups returned, named group1,
group2, and group3. Multiple groups can have the same name but always have a unique ObjectId. When more than one group that has the same name
is returned, use the ObjectId in the output to identify the one you want to use.
You then use the output of this command with Set-AzureRmKeyVaultAccessPolicy to grant permissions to group2 for your key vault, named myownvault.
This example enumerates the groups named 'group2' inline in the same command line.
There may be multiple groups in the returned list that are named 'group2'. This example picks the first one, indicated by index [0] in the
returned list.
Example 7: Grant Azure Information Protection access to the customer-managed tenant key (BYOK)
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso04Vault' -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,sign,get
This command authorizes Azure Information Protection to use a customer-managed key (the bring your own key, or "BYOK" scenario) as the Azure
Information Protection tenant key.
When you run this command, specify your own key vault name but you must specify the ServicePrincipalName parameter with the GUID
00000012-0000-0000-c000-000000000000 and specify the permissions in the example.
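Added example, not part of this help page: a script that audits a vault's existing access policies for high-impact grants and then narrows one principal to a read-only secrets policy, running with -WhatIf before applying and reading the result back with -PassThru. It assumes the AzureRm modules are loaded and the session is signed in; the vault name, resource group, object ID and permission sets are placeholders.

```powershell
# Added example (not from the cmdlet help). Placeholders: vault, resource group,
# target object ID and the permission sets below.
$VaultName         = 'Contoso03Vault'
$ResourceGroupName = 'Group14'

# What a secret-reading workload actually needs; anything beyond this is over-broad.
$AllowedSecretPerms = @('get', 'list')

# Grants that are high impact for any principal (wildcard, deletion, irreversible ops).
$Sensitive = @('all', 'purge', 'delete', 'backup', 'restore')

# Specifying the resource group is optional but, as the help notes, faster.
$vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName

# Each AccessPolicies entry is one principal's complete permission set on this vault.
# (AccessPolicies and the PermissionsTo* properties are assumed from the PSKeyVault object.)
foreach ($policy in $vault.AccessPolicies) {
    $hits = @()
    foreach ($category in 'PermissionsToKeys', 'PermissionsToSecrets',
                          'PermissionsToCertificates', 'PermissionsToStorage') {
        $granted = @($policy.$category) | Where-Object { $_ } | ForEach-Object { "$_".ToLower() }
        $broad   = @($granted | Where-Object { $Sensitive -contains $_ })
        if ($broad.Count -gt 0) { $hits += "$category=$($broad -join ',')" }
    }
    if ($hits.Count -gt 0) {
        Write-Warning ("{0} ({1}) holds sensitive permissions: {2}" -f `
            $policy.DisplayName, $policy.ObjectId, ($hits -join '; '))
    }
}

# Narrow a single principal (by object ID) to read-only secrets and nothing else.
# The cmdlet only touches the categories you name, and only for this principal
# (other principals' entries are left alone), so every category is passed explicitly;
# @() clears a category, as Example 1 above shows.
$TargetObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Dry run first: -WhatIf reports the change without applying it.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -ObjectId $TargetObjectId `
    -PermissionsToSecrets $AllowedSecretPerms `
    -PermissionsToKeys @() -PermissionsToCertificates @() -PermissionsToStorage @() `
    -WhatIf

# Apply, and use -PassThru to read back the vault so the result can be verified.
$updated = Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -ObjectId $TargetObjectId `
    -PermissionsToSecrets $AllowedSecretPerms `
    -PermissionsToKeys @() -PermissionsToCertificates @() -PermissionsToStorage @() `
    -PassThru

$after = $updated.AccessPolicies | Where-Object { $_.ObjectId -eq $TargetObjectId }
"Secrets: $($after.PermissionsToSecrets -join ',') | Keys: $($after.PermissionsToKeys -join ',') | " +
"Certificates: $($after.PermissionsToCertificates -join ',') | Storage: $($after.PermissionsToStorage -join ',')"
```

The warning loop is read-only and safe to run on its own across many vaults; the two Set calls are the part to run only once the -WhatIf output matches the intended least-privilege policy.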
RELATED LINKS
Online Version: https://docs.microsoft.com/en-us/powers ... cesspolicy
Get-AzureRmKeyVault
Remove-AzureRmKeyVaultAccessPolicy
SYNOPSIS
Grants or modifies existing permissions for a user, application, or security group to perform operations with a key vault.
SYNTAX
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-ApplicationId <Guid>] [-BypassObjectIdValidation]
[-DefaultProfile <IAzureContextContainer>] -ObjectId <String> [-PassThru] [-PermissionsToCertificates {get | list | delete | create | import |
update | managecontacts | getissuers | listissuers | setissuers | deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys
{decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete | backup | restore | recover | purge |
all}] [-PermissionsToSecrets {get | list | set | delete | backup | restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete |
set | update | regeneratekey | getsas | listsas | deletesas | setsas | all}] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-ApplicationId <Guid>] [-BypassObjectIdValidation] [-DefaultProfile
<IAzureContextContainer>] -ObjectId <String> [-PassThru] [-PermissionsToCertificates {get | list | delete | create | import | update |
managecontacts | getissuers | listissuers | setissuers | deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt |
encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete | backup | restore | recover | purge | all}]
[-PermissionsToSecrets {get | list | set | delete | backup | restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set |
update | regeneratekey | getsas | listsas | deletesas | setsas | all}] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-DefaultProfile <IAzureContextContainer>] -EmailAddress
<String> [-PassThru] [-PermissionsToCertificates {get | list | delete | create | import | update | managecontacts | getissuers | listissuers |
setissuers | deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign
| get | list | update | create | import | delete | backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete |
backup | restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas |
deletesas | setsas | all}] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-DefaultProfile <IAzureContextContainer>] -EmailAddress <String> [-PassThru]
[-PermissionsToCertificates {get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers |
deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list
| update | create | import | delete | backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup |
restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas |
setsas | all}] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-DefaultProfile <IAzureContextContainer>]
[-EnabledForDeployment] [-EnabledForDiskEncryption] [-EnabledForTemplateDeployment] [-PassThru] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-DefaultProfile <IAzureContextContainer>] [-EnabledForDeployment]
[-EnabledForDiskEncryption] [-EnabledForTemplateDeployment] [-PassThru] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-DefaultProfile <IAzureContextContainer>] [-PassThru] [-PermissionsToCertificates
{get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers | deleteissuers | manageissuers | recover
| purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete |
backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup | restore | recover | purge | all}]
[-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas | setsas | all}] -ServicePrincipalName
<String> [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-InputObject] <PSKeyVault> [-DefaultProfile <IAzureContextContainer>] [-PassThru] [-PermissionsToCertificates
{get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers | deleteissuers | manageissuers | recover
| purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete |
backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup | restore | recover | purge | all}]
[-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas | setsas | all}] -UserPrincipalName
<String> [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-DefaultProfile <IAzureContextContainer>] [-PassThru]
[-PermissionsToCertificates {get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers |
deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list
| update | create | import | delete | backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup |
restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas |
setsas | all}] -UserPrincipalName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Set-AzureRmKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <String>] [-DefaultProfile <IAzureContextContainer>] [-PassThru]
[-PermissionsToCertificates {get | list | delete | create | import | update | managecontacts | getissuers | listissuers | setissuers |
deleteissuers | manageissuers | recover | purge | all}] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list
| update | create | import | delete | backup | restore | recover | purge | all}] [-PermissionsToSecrets {get | list | set | delete | backup |
restore | recover | purge | all}] [-PermissionsToStorage {get | list | delete | set | update | regeneratekey | getsas | listsas | deletesas |
setsas | all}] -ServicePrincipalName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Set-AzureRmKeyVaultAccessPolicy cmdlet grants or modifies existing permissions for a user, application, or security group to perform the
specified operations with a key vault. It does not modify the permissions that other users, applications, or security groups have on the key vault.
If you are setting permissions for a security group, this operation affects only users in that security group.
The following directories must all be the same Azure directory: - The default directory of the Azure subscription in which the key vault resides.
- The Azure directory that contains the user or application group that you are granting permissions to.
Examples of scenarios when these conditions are not met and this cmdlet will not work are:
- Authorizing a user from a different organization to manage your key vault. Each organization has its own directory. - Your Azure account has
multiple directories. If you register an application in a directory other than the default directory, you cannot authorize that application to use
your key vault. The application must be in the default directory.
Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.
PARAMETERS
-ApplicationId <Guid>
For future use.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-BypassObjectIdValidation [<SwitchParameter>]
Enables you to specify an object ID without validating that the object exists in Azure Active Directory.
Use this parameter only if you want to grant access to your key vault to an object ID that refers to a delegated security group from another
Azure tenant.
Required? false
Position? named
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-DefaultProfile <IAzureContextContainer>
The credentials, account, tenant, and subscription used for communication with azure
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-EmailAddress <String>
Specifies the user email address of the user to whom to grant permissions.
This email address must exist in the directory associated with the current subscription and be unique.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-EnabledForDeployment [<SwitchParameter>]
Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource
creation, for example when creating a virtual machine.
Required? false
Position? named
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-EnabledForDiskEncryption [<SwitchParameter>]
Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.
Required? false
Position? named
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-EnabledForTemplateDeployment [<SwitchParameter>]
Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.
Required? false
Position? named
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-InputObject <PSKeyVault>
Key Vault Object
Required? true
Position? 0
Default value None
Accept pipeline input? True (ByValue)
Accept wildcard characters? false
-ObjectId <String>
Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PassThru [<SwitchParameter>]
Returns an object representing the item with which you are working.
By default, this cmdlet does not generate any output.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-PermissionsToCertificates <String[]>
Specifies an array of certificate permissions to grant to a user or service principal.
The acceptable values for this parameter:
- Get
- List
- Delete
- Create
- Import
- Update
- Managecontacts
- Getissuers
- Listissuers
- Setissuers
- Deleteissuers
- Manageissuers
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PermissionsToKeys <String[]>
Specifies an array of key operation permissions to grant to a user or service principal.
The acceptable values for this parameter:
- Decrypt
- Encrypt
- UnwrapKey
- WrapKey
- Verify
- Sign
- Get
- List
- Update
- Create
- Import
- Delete
- Backup
- Restore
- Recover
- Purge
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PermissionsToSecrets <String[]>
Specifies an array of secret operation permissions to grant to a user or service principal.
The acceptable values for this parameter:
- Get
- List
- Set
- Delete
- Backup
- Restore
- Recover
- Purge
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PermissionsToStorage <String[]>
Specifies an array of managed storage account and SAS-definition operation permissions to grant to a user or service principal.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ResourceGroupName <String>
Specifies the name of a resource group.
Required? false
Position? 1
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ServicePrincipalName <String>
Specifies the service principal name of the application to which to grant permissions.
Specify the application ID, also known as client ID, registered for the application in Azure Active Directory. The application with the service principal name that this parameter specifies must be registered in the Azure directory that contains your current subscription.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-UserPrincipalName <String>
Specifies the user principal name of the user to whom to grant permissions.
This user principal name must exist in the directory associated with the current subscription.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-VaultName <String>
Specifies the name of a key vault.
This cmdlet modifies the access policy for the key vault that this parameter specifies.
Required? true
Position? 0
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
String, Guid, String[], Switch
OUTPUTS
Microsoft.Azure.Commands.KeyVault.Models.PSKeyVault
NOTES
Example 1: Grant permissions to a user for a key vault and modify the permissions
PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToSecrets set,delete,get -PassThru
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToKeys @() -PassThru
The first command grants permissions for a user in your Azure Active Directory, PattiFuller@contoso.com, to perform operations on keys and secrets with a key vault named Contoso03Vault.
The second command modifies the permissions that were granted to PattiFuller@contoso.com in the first command, to now allow getting secrets in addition to setting and deleting them. The permissions to key operations remain unchanged after this command. The PassThru parameter results in the updated object being returned by the cmdlet.
The final command further modifies the existing permissions for PattiFuller@contoso.com to remove all permissions to key operations. The permissions to secret operations remain unchanged after this command. The PassThru parameter results in the updated object being returned by the cmdlet.
Example 2: Grant permissions for an application service principal to read and write secrets
PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ServicePrincipalName 'http://payroll.contoso.com' -PermissionsToSecrets Get,Set
This command grants permissions for an application for a key vault named Contoso03Vault.
The ServicePrincipalName parameter specifies the application. The application must be registered in your Azure Active Directory. The value of the ServicePrincipalName parameter must be either the service principal name of the application or the application ID GUID.
This example specifies the service principal name http://payroll.contoso.com, and the command grants the application permissions to read and write secrets.
Example 3: Grant permissions for an application using its object ID
PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set
This command grants the application permissions to read and write secrets.
This example specifies the application using the object ID of the service principal of the application.
Example 4: Grant permissions for a user principal name
PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToSecrets Get,List,Set
This command grants get, list, and set permissions for the specified user principal name for access to secrets.
Example 5: Enable secrets to be retrieved from a key vault by the Microsoft.Compute resource provider
PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -EnabledForDeployment
This command grants the permissions for secrets to be retrieved from the Contoso03Vault key vault by the Microsoft.Compute resource provider.
Example 6: Grant permissions to a security group
PS C:\>Get-AzureRmADGroup
DisplayName                    Type                           ObjectId
-----------                    ----                           --------
group1                                                        96a0daa6-9841-4a9c-bdeb-e7062276c688
group2                                                        b8a401eb-63ad-4a30-b0e1-a7461969fe54
group3                                                        da07a6be-2c1e-4e42-934d-ceb57cf652b4
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'myownvault' -ObjectId (Get-AzureRmADGroup -SearchString 'group2')[0].Id -PermissionsToKeys All -PermissionsToSecrets All
The first command uses the Get-AzureRmADGroup cmdlet to get all Active Directory groups. From the output, you see 3 groups returned, named group1, group2, and group3. Multiple groups can have the same name but always have a unique ObjectId. When more than one group that has the same name is returned, use the ObjectId in the output to identify the one you want to use.
You then use the output of this command with Set-AzureRmKeyVaultAccessPolicy to grant permissions to group2 for your key vault, named myownvault.
This example enumerates the groups named 'group2' inline in the same command line.
There may be multiple groups in the returned list that are named 'group2'. This example picks the first one, indicated by index [0] in the returned list.
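The following is an added example, not part of the cmdlet help above. It takes the group-based grant from Example 6 but refuses to index [0] into an ambiguous result, grants a narrower permission set than All, and then reads the vault back with Get-AzureRmKeyVault to confirm the policy entry that actually landed. The vault, resource group and group names are placeholders, and the check assumes the AccessPolicies property on the returned PSKeyVault object.

```powershell
# Added example (not from the cmdlet help): least-privilege grant to a group,
# with an ambiguity check and a read-back verification. Names are placeholders.
param(
    [string]$VaultName         = 'Contoso03Vault',   # placeholder
    [string]$ResourceGroupName = 'Group14',          # placeholder
    [string]$GroupDisplayName  = 'group2'            # placeholder
)

# Resolve the group and require exactly one match. -SearchString can return
# several groups with the same DisplayName; indexing [0] as in Example 6 would
# silently pick whichever one the directory returned first.
$groups = @(Get-AzureRmADGroup -SearchString $GroupDisplayName |
            Where-Object { $_.DisplayName -eq $GroupDisplayName })
if ($groups.Count -ne 1) {
    throw ("Expected exactly one group named '{0}', found {1}: {2}" -f
           $GroupDisplayName, $groups.Count, (($groups | ForEach-Object { $_.Id }) -join ', '))
}
$objectId = $groups[0].Id

# Grant only what a consumer of the vault needs. Each -PermissionsTo* parameter
# replaces that category for this object ID; categories not named (certificates,
# storage) are left as they were.
$keyPerms    = @('get', 'list', 'verify')   # no sign, decrypt, backup or purge
$secretPerms = @('get', 'list')

Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -ObjectId $objectId -PermissionsToKeys $keyPerms -PermissionsToSecrets $secretPerms

# Verify: read the vault back and compare the entry for this object ID with the
# intended set, so a pre-existing broader entry is not mistaken for this grant.
$vault  = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $objectId }
if (-not $policy) { throw "No access policy entry found for object ID $objectId" }

$unexpected = @($policy.PermissionsToKeys    | Where-Object { $keyPerms    -notcontains $_ }) +
              @($policy.PermissionsToSecrets | Where-Object { $secretPerms -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Policy for {0} carries permissions beyond the intended set: {1}" -f
                   $objectId, ($unexpected -join ', '))
} else {
    Write-Output ("Policy for {0} matches: keys=[{1}] secrets=[{2}]" -f
                  $objectId, ($keyPerms -join ','), ($secretPerms -join ','))
}
```

Run it with -WhatIf appended to the Set-AzureRmKeyVaultAccessPolicy call first if you want to see the change without applying it; the verification step will then report the pre-existing policy, if any.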
Example 7: Grant Azure Information Protection access to the customer-managed tenant key (BYOK)
PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso04Vault' -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,sign,get
This command authorizes Azure Information Protection to use a customer-managed key (the bring your own key, or "BYOK" scenario) as the Azure Information Protection tenant key.
When you run this command, specify your own key vault name, but you must specify the ServicePrincipalName parameter with the GUID 00000012-0000-0000-c000-000000000000 and specify the permissions in the example.
RELATED LINKS
Online Version: https://docs.microsoft.com/en-us/powers ... cesspolicy
Get-AzureRmKeyVault
Remove-AzureRmKeyVaultAccessPolicy