Granting KeyVault Access via Azure AD Groups

Lo, it was told that sometimes you need to be able to delegate access to Azure AD GROUPS to do things with KeyVault, not just users or service principals. Case in point: granting your Dev teams the ability to read from a KeyVault while developing your application. Standard sanity practices for all things security related always include this nugget:

"Manage security at the group level, not the user level."

That bit of sanity applies most acutely to SharePoint, but I digress. So, how does one go about granting said permissions to a KeyVault for an Azure AD Group? A wonderful gent here at Microsoft, Greg Kostal, a PSE in Data Protection, shows us:

Get-AzureRmContext

Environment           : AzureCloud
Account               : me@derekmartin.org
TenantId              : tenantId
SubscriptionId        : subid
SubscriptionName      : Test Subscription
CurrentStorageAccount :

Note the Tenant and Subscription Ids - Tenant here refers to the Azure AD directory we're attached to.

New-AzureRmKeyVault -VaultName TestAzureKV -ResourceGroupName MyRG -Location westus -Sku premium

Vault Name                       : TestAzureKV
Resource Group Name              : MyRg
Location                         : westus
Resource ID                      : /subscriptions/subid/resourceGroups/MyRg/providers/Microsoft.KeyVault/vaults/TestAzureKV
Vault URI                        : https://TestAzureKV.vault.azure.net
Tenant ID                        : tenantId
SKU                              : premium
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Access Policies                  :
                                   Tenant ID              : tenantId
                                   Object ID              : big guid
                                   Application ID         :
                                   Display Name           : Derek Martin (me@derekmartin.org)
                                   Permissions to Keys    : get, create, delete, list, update, import, backup, restore
                                   Permissions to Secrets : all

Tags                             :

When one creates an Azure KeyVault, that person by default gets admin rights on it via an access policy. In this case that's Derek Martin, represented in tenant tenantId as Object ID "big guid" above. Now, let's confirm that bit:

Get-AzureRmADUser -SearchString "Derek Martin"

DisplayName   Type  ObjectId
-----------   ----  --------
Derek Martin        big guid

(Just like above, that's me represented as a GUID in MY tenant.)

Now, let's go create a group in Azure AD (I assume you know how to do that) and then get its Object ID.

Get-AzureRmADGroup -SearchString "Dev Team Group"

DisplayName     Type  ObjectId
-----------     ----  --------
Dev Team Group        devTeamGroupID

Now, just to see who will actually gain access through the group, let's enumerate its members:

Get-AzureRmADGroupMember -GroupObjectId **devTeamGroupID**

DisplayName  Type  ObjectId
-----------  ----  --------
Fred Smith   User  FredsObjectID

Now, let's grant Dev Team Group access to this Vault:

Set-AzureRmKeyVaultAccessPolicy -VaultName TestAzureKV -ResourceGroupName MyRG -ObjectId **devTeamGroupID** -PermissionsToKeys all -PermissionsToSecrets all

And confirm that it took:

Get-AzureRmKeyVault -VaultName TestAzureKV

Vault Name                       : TestAzureKV
Resource Group Name              : MyRG
Location                         : westus
Resource ID                      : /subscriptions/subid/resourceGroups/MyRg/providers/Microsoft.KeyVault/vaults/TestAzureKV
Vault URI                        : https://TestAzureKV.vault.azure.net/
Tenant ID                        : tenantId
SKU                              : premium
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Access Policies                  :
                                   Tenant ID              : tenantId
                                   Object ID              : big guid
                                   Application ID         :
                                   Display Name           : Derek Martin (me@derekmartin.org)
                                   Permissions to Keys    : get, create, delete, list, update, import, backup, restore
                                   Permissions to Secrets : all

                                   Tenant ID              : **tenantId**
                                   Object ID              : **devTeamGroupID**
                                   Application ID         :
                                   Display Name           :
                                   Permissions to Keys    : all
                                   Permissions to Secrets : all

Tags                             :

Note - the "Display Name" of the Group will likely not enumerate in the access policy - no big deal; just make sure your Object IDs are correct, because that's what matters.
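To pull the whole walkthrough together, here is an added example script (mine, not Greg's or the original post's) that does the same steps with the AzureRM cmdlets shown above, but with the checks I'd want before trusting the result: it confirms the tenant and subscription in the current context, insists that the group name resolves to exactly one Object ID (since -SearchString is a prefix match), grants only the read-level secret permissions the intro scenario actually calls for (get, list) rather than "all", and then verifies the policy on the vault by Object ID, because the Display Name for a group comes back blank. The vault name, resource group and group name are placeholders; the Id/ObjectId property fallback is there because different AzureRM versions name that property differently.

```powershell
# Added example, not from the original post. Requires the AzureRM module
# and an existing session (Login-AzureRmAccount). Names are placeholders.
$VaultName = 'TestAzureKV'
$RgName    = 'MyRG'
$GroupName = 'Dev Team Group'

# Newer AzureRM exposes the directory object id as .Id, older as .ObjectId.
function Get-DirectoryObjectId {
    param([Parameter(Mandatory)] $AdObject)
    if ($AdObject.PSObject.Properties['Id'])       { return [string]$AdObject.Id }
    if ($AdObject.PSObject.Properties['ObjectId']) { return [string]$AdObject.ObjectId }
    throw 'Directory object has neither Id nor ObjectId property.'
}

# 1. Confirm which tenant / subscription we are about to change.
$ctx = Get-AzureRmContext
if (-not $ctx -or -not $ctx.Subscription) {
    throw 'No Azure context. Run Login-AzureRmAccount first.'
}
Write-Output ("Tenant {0}  Subscription {1}" -f $ctx.Tenant.Id, $ctx.Subscription.Name)

# 2. Resolve the group. -SearchString is a prefix match, so filter to an
#    exact DisplayName and require exactly one hit before using its Object ID.
$found = @(Get-AzureRmADGroup -SearchString $GroupName |
           Where-Object { $_.DisplayName -eq $GroupName })
if ($found.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($found.Count)."
}
$groupId = Get-DirectoryObjectId -AdObject $found[0]
Write-Output "Group '$GroupName' resolved to Object ID $groupId"

# 3. Show who actually inherits access through this group.
Write-Output 'Members who will be able to read secrets:'
Get-AzureRmADGroupMember -GroupObjectId $groupId |
    Select-Object DisplayName, Type | Format-Table -AutoSize

# 4. Grant read-only secret access (get, list). The post grants 'all' on
#    keys and secrets; for a dev team that only needs to read, this is enough.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RgName `
    -ObjectId $groupId -PermissionsToSecrets get, list

# 5. Verify by Object ID. Group policies come back with an empty Display Name,
#    so matching on the name would silently fail.
$vault  = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RgName
$policy = $vault.AccessPolicies | Where-Object { [string]$_.ObjectId -eq $groupId }
if (-not $policy) {
    throw "Access policy for $groupId was not found on $VaultName."
}
Write-Output ("Policy for group: Keys=[{0}] Secrets=[{1}]" -f `
    ($policy.PermissionsToKeys -join ','), ($policy.PermissionsToSecrets -join ','))

# 6. Audit every policy on the vault and flag the broad ones ('all'), so that
#    blank-named group or service principal entries do not go unnoticed.
$vault.AccessPolicies | ForEach-Object {
    [pscustomobject]@{
        ObjectId = $_.ObjectId
        Who      = if ($_.DisplayName) { $_.DisplayName } else { '(no display name: group or SP)' }
        Keys     = ($_.PermissionsToKeys    -join ',')
        Secrets  = ($_.PermissionsToSecrets -join ',')
        Broad    = (@($_.PermissionsToKeys) -contains 'all') -or
                   (@($_.PermissionsToSecrets) -contains 'all')
    }
} | Format-Table -AutoSize
```

Run it in a session already signed in to the right tenant; the step 1 output is your chance to abort if the context is wrong. If you ever need to undo the grant, Remove-AzureRmKeyVaultAccessPolicy takes the same -VaultName and -ObjectId pair, which is another reason to keep the group's Object ID, not its name, as the value you record.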