Commit 5411a78

msmbaldwin and Copilot committed
Improve access-control-default.md clarity and accuracy
- Add clarification that vaults continue to exist after API retirement (per PM request)
- Replace internal cloud names (Mooncake/Fairfax) with customer-facing names
- Fix product name casing: BICEP → Bicep (6 occurrences)
- Normalize 'Control Plane'/'Data Plane' casing in IMPORTANT callout
- Rename misleading section heading for subscription-level vault check
- Update ms.date

Co-authored-by: Copilot <[email protected]>
1 parent d4e77f9 commit 5411a78

1 file changed

Lines changed: 11 additions & 11 deletions

articles/key-vault/general/access-control-default.md

@@ -6,7 +6,7 @@ ms.author: mbaldwin
66
ms.service: azure-key-vault
77
ms.subservice: general
88
ms.topic: how-to
9-
ms.date: 04/02/2026
9+
ms.date: 04/10/2026
1010
ms.custom: devx-track-azurepowershell, devx-track-azurecli, sfi-image-nochange
1111

1212
#customer intent: As an Azure Key Vault administrator, I want to migrate from access policies to Azure RBAC so that I can improve security and simplify access management.
@@ -15,13 +15,13 @@ ms.custom: devx-track-azurepowershell, devx-track-azurecli, sfi-image-nochange
1515

1616
# Prepare for Key Vault API version 2026-02-01 and later: Azure RBAC as default access control
1717

18-
Azure Key Vault API version 2026-02-01 and later change the default access control model for new vaults to Azure RBAC, consistent with the Azure portal experience. Both Azure RBAC and access policies remain fully supported. API version 2026-02-01 is available in public Azure regions, Mooncake, and Fairfax.
18+
Azure Key Vault API version 2026-02-01 and later change the default access control model for new vaults to Azure RBAC, consistent with the Azure portal experience. Both Azure RBAC and access policies remain fully supported. API version 2026-02-01 is available in public Azure regions, Azure operated by 21Vianet, and Azure Government.
1919

2020
- **New key vault creation behavior**: When you create a new vault with API version `2026-02-01` or later, the default access control model is Azure RBAC (`enableRbacAuthorization = true`). This default applies only to **create** operations. To use access policies for new vaults, set `enableRbacAuthorization` to `false` at creation time.
2121
- **Existing key vault behavior**: Existing vaults keep their current access control model unless you explicitly change `enableRbacAuthorization`. Using API version `2026-02-01` or later to update a vault does not automatically change access control. Vaults where `enableRbacAuthorization` is `null` (from older API versions) continue using access policies.
2222

2323
> [!IMPORTANT]
24-
> All Key Vault Control Plane API versions before 2026-02-01 retire on February 27, 2027. Data Plane APIs are not affected.
24+
> All Key Vault control plane API versions before 2026-02-01 retire on February 27, 2027. Your key vaults will continue to exist and remain manageable with control plane API versions 2026-02-01 or later. Data plane APIs are not affected.
2525
2626
Preview API versions (except 2026-04-01-preview) are being deprecated with a 90-day notice period. Azure Cloud Shell always uses the latest API version. If you have scripts that run in Cloud Shell, ensure they're compatible with API version 2026-02-01 or later. For a list of supported API versions, see [Supported control plane API versions](whats-new.md#supported-control-plane-api-versions). For SDK package details, see [What's new for Azure Key Vault](whats-new.md#control-plane-sdk-releases).
2727

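Review bot: in the IMPORTANT callout on new line 24, the added sentence says what keeps working after February 27, 2027, but the callout still does not say what happens on the caller side. Consider adding a clause that templates, SDKs and scripts pinned to a control plane API version before 2026-02-01 must be updated before that date, as the later sections already state. Present tense ("continue to exist and remain manageable") would also match the sentences around it.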
@@ -32,7 +32,7 @@ We encourage you to migrate key vaults that currently use access policies (legac
3232
If you already know your vault's access control model, skip to [Determine your next steps](#determine-your-next-steps). Otherwise, [check your current configuration](#check-your-current-configuration) first.
3333

3434
> [!IMPORTANT]
35-
> To change the `enableRbacAuthorization` property for a key vault, you must have the `Microsoft.Authorization/roleAssignments/write` permission. This permission is included in roles such as Owner and User Access Administrator. For more information, see [Enable Azure RBAC permissions on Key Vault](rbac-guide.md#enable-azure-rbac-permissions-on-key-vault).
35+
> To change the `enableRbacAuthorization` property for a key vault, you must have the `Microsoft.KeyVault/vaults/write` permission (included in roles such as Contributor and Owner). The Azure portal additionally requires `Microsoft.Authorization/roleAssignments/write` (included in roles such as Owner and User Access Administrator) to ensure you can assign Key Vault RBAC roles after the change and avoid lockout. For more information, see [Enable Azure RBAC permissions on Key Vault](rbac-guide.md#enable-azure-rbac-permissions-on-key-vault).
3636
3737
## Check your current configuration
3838

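Review bot: the rewritten IMPORTANT callout on line 35 changes the required permission from `Microsoft.Authorization/roleAssignments/write` to `Microsoft.KeyVault/vaults/write`, a substantive access-control statement that the commit message does not list; add it there so it gets checked against rbac-guide.md. The new wording also implies that outside the portal a principal holding only `Microsoft.KeyVault/vaults/write` (Contributor, for example) can switch a vault to Azure RBAC without being able to assign roles afterwards, which is the lockout the portal check exists to prevent. State that explicitly and recommend assigning the needed Key Vault RBAC roles before changing `enableRbacAuthorization` from the CLI, PowerShell or templates.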
@@ -116,7 +116,7 @@ az keyvault list --resource-group <resource-group> --query "[].{name:name, rbacE
116116

117117
---
118118

119-
### Check multiple vaults by subscription ID
119+
### Check multiple vaults across your subscription
120120

121121
# [Azure CLI](#tab/azure-cli)
122122

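Review bot: renaming the heading on line 119 changes its generated anchor, so any link to `#check-multiple-vaults-by-subscription-id` stops resolving. The file already preserves an old anchor with `<a name="step-5-continue-using-access-policies"></a>` at line 191; add the same kind of `<a name>` for the old slug above the new heading, or confirm that nothing links to it.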
@@ -169,7 +169,7 @@ Based on your current access control model, follow the appropriate guidance belo
169169

170170
### Vaults using Azure RBAC
171171

172-
If your key vaults already use Azure RBAC, no access control changes are needed. However, you must update all Key Vault control plane management SDKs, ARM, BICEP, Terraform templates, and [REST API](/rest/api/keyvault/) calls to use API version 2026-02-01 or later before February 27, 2027, when older control plane API versions retire.
172+
If your key vaults already use Azure RBAC, no access control changes are needed. However, you must update all Key Vault control plane management SDKs, ARM, Bicep, Terraform templates, and [REST API](/rest/api/keyvault/) calls to use API version 2026-02-01 or later before February 27, 2027, when older control plane API versions retire.
173173

174174
### Vaults using access policies
175175

@@ -186,25 +186,25 @@ Choose your path:
186186

187187
Use this opportunity to increase your security posture by migrating from vault access policies to Azure RBAC. For detailed migration guidance, see [Migrate from vault access policy to an Azure role-based access control permission model](rbac-migration.md).
188188

189-
After migrating, update all Key Vault control plane management SDKs, ARM, BICEP, Terraform templates, and REST API calls to use API version 2026-02-01 or later.
189+
After migrating, update all Key Vault control plane management SDKs, ARM, Bicep, Terraform templates, and REST API calls to use API version 2026-02-01 or later.
190190

191191
<a name="step-5-continue-using-access-policies"></a>
192192

193193
#### Continue using access policies
194194

195195
Access policies remain a fully supported access control model.
196196

197-
- **Existing vaults**: Vaults already using access policies continue to work without changes. Just ensure your control plane management SDKs, ARM, BICEP, Terraform templates, and REST API calls use API version 2026-02-01 or later before February 27, 2027.
197+
- **Existing vaults**: Vaults already using access policies continue to work without changes. Just ensure your control plane management SDKs, ARM, Bicep, Terraform templates, and REST API calls use API version 2026-02-01 or later before February 27, 2027.
198198
- **New vaults**: When creating new vaults with API version 2026-02-01 or later, you must explicitly set `enableRbacAuthorization` to `false` to use access policies, as described below.
199199

200200
Choose one of the following methods based on your scenario:
201-
- [Using ARM, BICEP, Terraform templates](#using-arm-bicep-terraform-templates)
201+
- [Using ARM, Bicep, Terraform templates](#using-arm-bicep-terraform-templates)
202202
- [Using Create Key Vault commands](#using-create-key-vault-commands)
203203
- [Using Create Resource commands](#using-create-resource-commands)
204204

205-
##### Using ARM, BICEP, Terraform templates
205+
##### Using ARM, Bicep, Terraform templates
206206

207-
When creating new key vaults by using API version 2026-02-01 or later, set `enableRbacAuthorization` to `false` in all Key Vault ARM, BICEP, Terraform templates, and [REST API](/rest/api/keyvault/) calls to use access policies (legacy).
207+
When creating new key vaults by using API version 2026-02-01 or later, set `enableRbacAuthorization` to `false` in all Key Vault ARM, Bicep, Terraform templates, and [REST API](/rest/api/keyvault/) calls to use access policies (legacy).
208208

209209
##### Using Create Key Vault commands
210210

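Review bot: line 207 tells readers to set `enableRbacAuthorization` to `false` but, like line 198, does not say what happens when a template leaves the property out. Per the bullet at line 20, a create with API version 2026-02-01 or later then defaults to Azure RBAC, so an access-policy template that only has its API version bumped for the retirement deadline produces RBAC vaults on new deployments. State that case in this section, since it is the one template authors will read. Separately, "ARM, Bicep, Terraform templates" is touched on five lines in this hunk and would read better as "ARM, Bicep, and Terraform templates"; if the heading on line 205 changes with it, keep the existing `#using-arm-bicep-terraform-templates` anchor working.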