Share via

Migrating the Azure Key Vault to use Role Based Access Control in bulk

EnterpriseArchitect 6,161 Reputation points
2025-07-30T13:57:57.93+00:00

I have several (395+) Azure KeyVaults that are still using the default Access Policies (i.e., RBAC is disabled).

Would it be possible to use a PowerShell script to bulk migrate them all in one go to make it secure as a manual task to convert them is taking too much time.

What would be the caveats when performing it all at once?

Thank you.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Akpesiri Ogbebor 2,700 Reputation points
    2025-07-30T15:22:31.3033333+00:00

    Hello EnterpriseArchitect,

    Thanks for reaching out to MS Q&A. I can help you with fixing your issues.

    Here's a high-level PowerShell script idea to automate this,

    Note: Test in a non-prod environment before using in a prod environment.

    # Connect to Azure
Connect-AzAccount
# Get all Key Vaults in all subscriptions (or scope to one if needed)
$subscriptions = Get-AzSubscription
foreach ($sub in $subscriptions) {
    Set-AzContext -SubscriptionId $sub.Id
    $vaults = Get-AzKeyVault
    foreach ($vault in $vaults) {
        if ($vault.EnableRbacAuthorization -eq $false) {
            Write-Host "Migrating Key Vault: $($vault.VaultName) in $($vault.ResourceGroupName)"
            # Enable RBAC (irreversible)
            Update-AzKeyVault -VaultName $vault.VaultName -ResourceGroupName $vault.ResourceGroupName -EnableRbacAuthorization $true
        }
    }
}

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Siri

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.