
Key Vault Administrator

Azure Built-in Role

Role Information

Details and metadata

Role ID: 00482a5a-887f-4fb3-b363-3b7fe8e74483
Type: BuiltInRole
Last Updated (Azure): 2021-11-11 20:14:30

Change History

Track all modifications to this role since 2025-12-15 01:08:16+00:00

2021-11-11 20:14:30 Initial Scan

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Key Vault Administrator",
    "type": "BuiltInRole",
    "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*",
          "Microsoft.KeyVault/checkNameAvailability/read",
          "Microsoft.KeyVault/deletedVaults/read",
          "Microsoft.KeyVault/locations/*/read",
          "Microsoft.KeyVault/vaults/*/read",
          "Microsoft.KeyVault/operations/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.KeyVault/vaults/*"
        ],
        "notDataActions": []
      }
    ],
    "createdOn": "2020-05-19T17:52:46.234Z",
    "updatedOn": "2021-11-11T20:14:30.254Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483"
}

Effective Permissions

Operations granted by this role (130 total)

Permission Patterns (from role definition)

Actions (10 patterns)
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.KeyVault/checkNameAvailability/read
Microsoft.KeyVault/deletedVaults/read
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read

Data Actions (1 pattern)
Microsoft.KeyVault/vaults/*

Control Plane Operations (78)

Data Plane Operations (52)