Merge pull request #2712 from msmbaldwin/akv-overhaul

v-regandowner · web-flow · commit f6e20e9e6040 · 2026-04-09T14:51:09.000-04:00
Key Vault docset audit: fix broken links, update SDKs, clean up orphans
diff --git a/articles/key-vault/certificates/how-to-integrate-certificate-authority.md b/articles/key-vault/certificates/how-to-integrate-certificate-authority.md
@@ -87,7 +87,7 @@ DigiCertCA is now in the certificate authority list.
 3.	Select the **Certificate Authorities** tab:
 :::image type="content" source="../media/certificates/how-to-integrate-certificate-authority/select-certificate-authorities.png" alt-text="Screenshot that shows selecting the Certificate Authorities tab.":::
 4.	Select **Add**:
-:::image type="content" source="../media/certificates/how-to-integrate-certificate-authority/add-global-sign-certificate-authority.jpg" alt-text="Screenshot that shows the Add button on the Global Sign Certificate Authorities tab.":::
+:::image type="content" source="../media/certificates/how-to-integrate-certificate-authority/add-globalsign-ca.jpg" alt-text="Screenshot that shows the Add button on the Global Sign Certificate Authorities tab.":::
 5.	Under **Create a certificate authority**, enter these values:
     - 	**Name**: An identifiable issuer name. For example, **GlobalSignCA**.
     - 	**Provider**: **GlobalSign**.
diff --git a/articles/key-vault/general/assign-access-policy.md b/articles/key-vault/general/assign-access-policy.md
@@ -17,7 +17,7 @@ ms.author: mbaldwin
 
 [!INCLUDE [contributor-role-warning.md](~/reusable-content/ce-skilling/azure/includes/key-vault/key-vault-contributor-role-warning.md)]
 
-A Key Vault access policy determines whether a given security principal, namely a user, application or user group, can perform different operations on Key Vault [secrets](../secrets/index.yml), [keys](../keys/index.yml), and [certificates](../certificates/index.yml). You can assign access policies using the [Azure portal](assign-access-policy-portal.md), the Azure CLI, or [Azure PowerShell](assign-access-policy-powershell.md).
+A Key Vault access policy determines whether a given security principal, namely a user, application or user group, can perform different operations on Key Vault [secrets](../secrets/index.yml), [keys](../keys/index.yml), and [certificates](../certificates/index.yml). You can assign access policies using the Azure portal, the Azure CLI, or Azure PowerShell.
 
 Key vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see [Manage app and resource access using Microsoft Entra groups](/entra/fundamentals/how-to-manage-groups).
 
diff --git a/articles/key-vault/general/authentication.md b/articles/key-vault/general/authentication.md
@@ -102,7 +102,7 @@ More information about best practices and developer examples, see [Authenticate
 ## Next Steps
 
 - [Key Vault developer's guide](developers-guide.md)
-- [Assign a Key Vault access policy using the Azure portal](assign-access-policy-portal.md)
+- [Assign a Key Vault access policy](assign-access-policy.md)
 - [Assign Azure RBAC role to Key Vault](rbac-guide.md)
 - [Key Vault access policy troubleshooting](troubleshooting-access-issues.md)
 - [Key Vault REST API error codes](rest-error-codes.md)
diff --git a/articles/key-vault/general/move-subscription.md b/articles/key-vault/general/move-subscription.md
@@ -101,9 +101,7 @@ az keyvault update -n myvault --set Properties.tenantId=$tenantId          # Upd
 Now that your vault is associated with the correct tenant ID and old access policy entries or role assignments are removed, set new access policy entries or role assignments.
 
 For assigning policies, see:
-- [Assign an access policy using Portal](assign-access-policy-portal.md)
-- [Assign an access policy using Azure CLI](assign-access-policy-cli.md)
-- [Assign an access policy using PowerShell](assign-access-policy-powershell.md)
+- [Assign a Key Vault access policy](assign-access-policy.md)
 
 For adding role assignments, see:
 - [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal)
diff --git a/articles/key-vault/general/rbac-guide.md b/articles/key-vault/general/rbac-guide.md
@@ -32,7 +32,7 @@ The **control plane** is where you manage Key Vault itself. Operations in this p
 
 The **data plane** is where you work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.
 
-Both planes use [Microsoft Entra ID](/entra/fundamentals/whatis) for authentication. For authorization, the control plane uses [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) and the data plane uses a [Key Vault access policy](./assign-access-policy-portal.md) (legacy) or [Azure RBAC for Key Vault data plane operations](./rbac-guide.md).
+Both planes use [Microsoft Entra ID](/entra/fundamentals/whatis) for authentication. For authorization, the control plane uses [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) and the data plane uses a [Key Vault access policy](./assign-access-policy.md) (legacy) or [Azure RBAC for Key Vault data plane operations](./rbac-guide.md).
 
 To access a key vault in either plane, all callers (users or applications) must have proper authentication and authorization. Authentication establishes the identity of the caller. Authorization determines which operations the caller can execute.
 
diff --git a/articles/key-vault/general/troubleshooting-access-issues.md b/articles/key-vault/general/troubleshooting-access-issues.md
@@ -15,7 +15,7 @@ ms.topic: how-to
 
 ### I'm not able to list or get secrets/keys/certificate. I'm seeing a "something went wrong" error
 
-If you're having problem with listing/getting/creating or accessing secret, make sure that you have the appropriate Azure RBAC role assigned. See [Azure RBAC for Key Vault](./rbac-guide.md). If you're using the legacy access policy model, see [Key Vault Access Policies](./assign-access-policy-cli.md).
+If you're having problem with listing/getting/creating or accessing secret, make sure that you have the appropriate Azure RBAC role assigned. See [Azure RBAC for Key Vault](./rbac-guide.md). If you're using the legacy access policy model, see [Assign a Key Vault access policy](./assign-access-policy.md).
 
 ### How can I identify how and when key vaults are accessed?
 
@@ -52,7 +52,7 @@ If you're creating an on-premises application, doing local development, or other
 Give the AD group permissions to your key vault using Azure RBAC with the Azure CLI `az role assignment create` command, or the Azure PowerShell `New-AzRoleAssignment` cmdlet. See [Azure RBAC for Key Vault data plane operations](rbac-guide.md).
 
 > [!NOTE]
-> If you are using legacy access policies, you can use the Azure CLI `az keyvault set-policy` command or the Azure PowerShell `Set-AzKeyVaultAccessPolicy` cmdlet. However, Azure RBAC is the recommended authorization model. See [Assign an access policy - CLI](assign-access-policy-cli.md) and [Assign an access policy - PowerShell](assign-access-policy-powershell.md).
+> If you are using legacy access policies, you can use the Azure CLI `az keyvault set-policy` command or the Azure PowerShell `Set-AzKeyVaultAccessPolicy` cmdlet. However, Azure RBAC is the recommended authorization model. See [Assign a Key Vault access policy](assign-access-policy.md).
 
 The application also needs at least one Identity and Access Management (IAM) role assigned to the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription. Microsoft Entra groups with Managed Identities may require many hours to refresh tokens and become effective. See [Limitation of using managed identities for authorization](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations#limitation-of-using-managed-identities-for-authorization)
 
@@ -67,7 +67,7 @@ Another option that can help for this scenario is using Azure RBAC and roles as
 * HTTP 401: Unauthenticated Request - [Troubleshooting steps](rest-error-codes.md#http-401-unauthenticated-request)
 * HTTP 403: Insufficient Permissions - [Troubleshooting steps](rest-error-codes.md#http-403-insufficient-permissions)
 * HTTP 429: Too Many Requests - [Troubleshooting steps](rest-error-codes.md#http-429-too-many-requests)
-* Check if you've delete access permission to key vault: See [Azure RBAC for Key Vault](./rbac-guide.md). If using legacy access policies, see [Assign an access policy - CLI](assign-access-policy-cli.md), [Assign an access policy - PowerShell](assign-access-policy-powershell.md), or [Assign an access policy - Portal](assign-access-policy-portal.md).
+* Check if you've delete access permission to key vault: See [Azure RBAC for Key Vault](./rbac-guide.md). If using legacy access policies, see [Assign a Key Vault access policy](assign-access-policy.md).
 * If you have problem with authenticate to key vault in code, use [Authentication SDK](https://azure.github.io/azure-sdk/posts/2020-02-25/defaultazurecredentials.html)
 
 ### What are the best practices I should implement when key vault is getting throttled?
diff --git a/articles/key-vault/key-vault-insights-overview.md b/articles/key-vault/key-vault-insights-overview.md
@@ -148,7 +148,7 @@ There's a limit of 200 key vaults that can be selected and viewed. Regardless of
 
 We only show subscriptions that contain key vaults, chosen from the selected subscription filter, which are selected in the "Directory + Subscription" in the Azure portal header.
 
-![Screenshot of subscription filter](./media/key-vaults-insights-overview/Subscriptions.png)
+![Screenshot of subscription filter](./media/key-vaults-insights-overview/subscription-filter.png)
 
 ### I want to make changes or add more visualizations to Key Vault Insights, how do I do so
 
diff --git a/articles/key-vault/media/certificates/how-to-integrate-certificate-authority/add-globalsign-ca.jpg b/articles/key-vault/media/certificates/how-to-integrate-certificate-authority/add-globalsign-ca.jpg
diff --git a/articles/key-vault/media/key-vaults-insights-overview/subscription-filter.png b/articles/key-vault/media/key-vaults-insights-overview/subscription-filter.png
diff --git a/articles/key-vault/secrets/about-secrets.md b/articles/key-vault/secrets/about-secrets.md
@@ -67,10 +67,8 @@ Use the following permissions, on a per-principal basis, in the secrets access c
 For more information on working with secrets, see [Secret operations in the Key Vault REST API reference](/rest/api/keyvault). For information on establishing permissions, see [Vaults - Create or Update](/rest/api/keyvault/keyvault/vaults/create-or-update) and [Vaults - Update Access Policy](/rest/api/keyvault/keyvault/vaults/update-access-policy). 
 
 How-to guides to control access in Key Vault:
-- [Assign a Key Vault access policy using CLI](../general/assign-access-policy-cli.md)
-- [Assign a Key Vault access policy using PowerShell](../general/assign-access-policy-powershell.md)
-- [Assign a Key Vault access policy using the Azure portal](../general/assign-access-policy-portal.md)
-- [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](../general/rbac-guide.md)
+- [Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control](../general/rbac-guide.md) (recommended)
+- [Assign a Key Vault access policy](../general/assign-access-policy.md) (legacy)
 
 ## Secret tags  
 You can specify more application-specific metadata in the form of tags. Key Vault supports up to 15 tags, each of which can have a 512-character name and a 512-character value.  
diff --git a/articles/key-vault/secrets/javascript-developer-guide-get-started.md b/articles/key-vault/secrets/javascript-developer-guide-get-started.md
@@ -21,15 +21,15 @@ This article shows you how to connect to Azure Key Vault by using the Azure Key
 ## Prerequisites  
   
 - An Azure subscription - [create one for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
-- [Azure Key Vault](../general/quick-create-cli.md) instance. Review [the access policies](../general/assign-access-policy.md) on your Key Vault to include the permissions necessary for the specific tasks performed in code.
+- [Azure Key Vault](../general/quick-create-cli.md) instance. Ensure the identity running your code has the appropriate [Azure RBAC role](../general/rbac-guide.md) for the specific tasks performed in code.
 - [Node.js version LTS](https://nodejs.org/)  
 
 ## Set up your project
 
-1. Open a command prompt and change into your project folder. Change `YOUR-DIRECTORY` to your folder name:
+1. Open a command prompt and change into your project folder. Change `<project-directory>` to your folder name:
 
     ```bash
-    cd YOUR-DIRECTORY
+    cd <project-directory>
     ```
 
 1. If you don't have a `package.json` file already in your directory, initialize the project to create the file:
diff --git a/articles/key-vault/secrets/quick-create-bicep.md b/articles/key-vault/secrets/quick-create-bicep.md
@@ -31,7 +31,7 @@ ms.author: mbaldwin
         ```azurecli-interactive
         echo "Enter your email address that is used to sign in to Azure:" &&
         read upn &&
-        az ad user show --id $upn --query "objectId" &&
+        az ad user show --id $upn --query "id" &&
         echo "Press [ENTER] to continue ..."
         ```
 
diff --git a/articles/key-vault/secrets/quick-create-java.md b/articles/key-vault/secrets/quick-create-java.md
@@ -103,13 +103,13 @@ Open the *pom.xml* file in your text editor. Add the following dependency elemen
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-security-keyvault-secrets</artifactId>
-      <version>4.2.3</version>
+      <version>4.10.6</version>
     </dependency>
 
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
-      <version>1.2.0</version>
+      <version>1.13.1</version>
     </dependency>
 ```
 
diff --git a/articles/key-vault/secrets/quick-create-node.md b/articles/key-vault/secrets/quick-create-node.md
@@ -214,9 +214,9 @@ This code uses the following [Key Vault Secret classes and methods](/javascript/
             "enabled": true,
             "recoverableDays": 90,
             "recoveryLevel": "Recoverable+Purgeable",
-            "id": "https: //YOUR-KEYVAULT-ENDPOINT.vault.azure.net/secrets/secret1637692472606/YOUR-VERSION",
-            "vaultUrl": "https: //YOUR-KEYVAULT-ENDPOINT.vault.azure.net",
-            "version": "YOUR-VERSION",
+            "id": "https://<vault-name>.vault.azure.net/secrets/secret1637692472606/e13f3558b4ca4363a8e402e11e7b193c",
+            "vaultUrl": "https://<vault-name>.vault.azure.net",
+            "version": "e13f3558b4ca4363a8e402e11e7b193c",
             "name": "secret1637692472606"
         }
     }
@@ -230,9 +230,9 @@ This code uses the following [Key Vault Secret classes and methods](/javascript/
     "enabled": true,
     "recoverableDays": 90,
     "recoveryLevel": "Recoverable+Purgeable",
-    "id": "https: //YOUR-KEYVAULT-ENDPOINT/secrets/secret1637692472606/YOUR-VERSION",
-    "vaultUrl": "https: //YOUR-KEYVAULT-ENDPOINT",
-    "version": "YOUR-VERSION",
+    "id": "https://<vault-name>.vault.azure.net/secrets/secret1637692472606/e13f3558b4ca4363a8e402e11e7b193c",
+    "vaultUrl": "https://<vault-name>.vault.azure.net",
+    "version": "e13f3558b4ca4363a8e402e11e7b193c",
     "name": "secret1637692472606"
     ```
 ::: zone-end
@@ -267,9 +267,9 @@ This code uses the following [Key Vault Secret classes and methods](/javascript/
             "enabled": true,
             "recoverableDays": 90,
             "recoveryLevel": "Recoverable+Purgeable",
-            "id": "https: //YOUR-KEYVAULT-ENDPOINT.vault.azure.net/secrets/secret1637692472606/YOUR-VERSION",
-            "vaultUrl": "https: //YOUR-KEYVAULT-ENDPOINT.vault.azure.net",
-            "version": "YOUR-VERSION",
+            "id": "https://<vault-name>.vault.azure.net/secrets/secret1637692472606/e13f3558b4ca4363a8e402e11e7b193c",
+            "vaultUrl": "https://<vault-name>.vault.azure.net",
+            "version": "e13f3558b4ca4363a8e402e11e7b193c",
             "name": "secret1637692472606"
         }
     }
@@ -283,9 +283,9 @@ This code uses the following [Key Vault Secret classes and methods](/javascript/
     "enabled": true,
     "recoverableDays": 90,
     "recoveryLevel": "Recoverable+Purgeable",
-    "id": "https: //YOUR-KEYVAULT-ENDPOINT/secrets/secret1637692472606/YOUR-VERSION",
-    "vaultUrl": "https: //YOUR-KEYVAULT-ENDPOINT",
-    "version": "YOUR-VERSION",
+    "id": "https://<vault-name>.vault.azure.net/secrets/secret1637692472606/e13f3558b4ca4363a8e402e11e7b193c",
+    "vaultUrl": "https://<vault-name>.vault.azure.net",
+    "version": "e13f3558b4ca4363a8e402e11e7b193c",
     "name": "secret1637692472606"
     ```
 ::: zone-end
diff --git a/articles/key-vault/secrets/tutorial-rotation-dual.md b/articles/key-vault/secrets/tutorial-rotation-dual.md
@@ -82,7 +82,7 @@ Next, you'll create a function app with a system-managed identity, in addition t
 The function app rotation function requires the following components and configuration:
 - An Azure App Service plan
 - A storage account to manage function app triggers
-- An access policy to access secrets in Key Vault
+- An Azure RBAC role assignment to access secrets in Key Vault
 - The Storage Account Key Operator Service role assigned to the function app so it can access storage account access keys
 - A key rotation function with an event trigger and an HTTP trigger (on-demand rotation)
 - An Event Grid event subscription for the **SecretNearExpiry** event
diff --git a/articles/key-vault/secrets/tutorial-rotation.md b/articles/key-vault/secrets/tutorial-rotation.md
@@ -79,7 +79,7 @@ The function app requires these components:
 - An Azure App Service plan
 - A Function App with SQL password rotation functions with event trigger and http trigger 
 - A storage account required for function app trigger management
-- An access policy for Function App identity to access secrets in Key Vault
+- An Azure RBAC role assignment for the function app identity to access secrets in Key Vault
 - An Event Grid event subscription for **SecretNearExpiry** event
 
 1. Select the Azure template deployment link:
@@ -118,7 +118,7 @@ akvrotation-fnapp        akvrotation       eastus      Microsoft.Web/sites
 akvrotation-fnapp        akvrotation       eastus      Microsoft.insights/components
 ```
 
-For information on how to create a function app and use managed identity to access Key Vault, see [Create a function app from the Azure portal](/azure/azure-functions/functions-create-function-app-portal), [How to use managed identity for App Service and Azure Functions](/azure/app-service/overview-managed-identity), and [Assign a Key Vault access policy using the Azure portal](../general/assign-access-policy-portal.md).
+For information on how to create a function app and use managed identity to access Key Vault, see [Create a function app from the Azure portal](/azure/azure-functions/functions-create-function-app-portal), [How to use managed identity for App Service and Azure Functions](/azure/app-service/overview-managed-identity), and [Provide access to Key Vault with Azure RBAC](../general/rbac-guide.md).
 
 ### Rotation function
 Deployed in previous step function uses an event to trigger the rotation of a secret by updating Key Vault and the SQL database. 
