New-AzKeyVaultRoleAssignment.md

external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
Module Name: Az.KeyVault
online version:
schema: 2.0.0

New-AzKeyVaultRoleAssignment

SYNOPSIS

Assigns the specified RBAC role to the specified principal, at the specified scope.

SYNTAX

DefinitionNameSignInName (Default)

New-AzKeyVaultRoleAssignment [-HsmName] <String> [-Scope <String>] -RoleDefinitionName <String>
 -SignInName <String> [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
 [-Confirm] [<CommonParameters>]

DefinitionNameApplicationId

New-AzKeyVaultRoleAssignment [-HsmName] <String> [-Scope <String>] -RoleDefinitionName <String>
 -ApplicationId <String> [-DefaultProfile <IAzureContextContainer>]
 [-WhatIf] [-Confirm] [<CommonParameters>]

DefinitionNameObjectId

New-AzKeyVaultRoleAssignment [-HsmName] <String> [-Scope <String>] -RoleDefinitionName <String>
 -ObjectId <String> [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
 [-Confirm] [<CommonParameters>]

DefinitionIdApplicationId

New-AzKeyVaultRoleAssignment [-HsmName] <String> [-Scope <String>] -RoleDefinitionId <String>
 -ApplicationId <String> [-DefaultProfile <IAzureContextContainer>]
 [-WhatIf] [-Confirm] [<CommonParameters>]

DefinitionIdObjectId

New-AzKeyVaultRoleAssignment [-HsmName] <String> [-Scope <String>] -RoleDefinitionId <String>
 -ObjectId <String> [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
 [-Confirm] [<CommonParameters>]

DefinitionIdSignInName

New-AzKeyVaultRoleAssignment [-HsmName] <String> [-Scope <String>] -RoleDefinitionId <String>
 -SignInName <String> [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
 [-Confirm] [<CommonParameters>]

DESCRIPTION

Use the New-AzKeyVaultRoleAssignment command to grant access. Access is granted by assigning the appropriate RBAC role to a principal at the right scope. The subject of the assignment must be specified. To specify a user, use the SignInName or Microsoft Entra ObjectId parameter. To specify a security group, use the Microsoft Entra ObjectId parameter. To specify a Microsoft Entra application, use the ApplicationId or ObjectId parameter. The role that is being assigned must be specified using the RoleDefinitionName or RoleDefinitionId parameter. The scope at which access is being granted may be specified. It defaults to the selected subscription.

The cmdlet may call the following Microsoft Graph APIs, depending on the input parameters:

  • GET /directoryObjects/{id}
  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /servicePrincipals
  • GET /groups/{id}

EXAMPLES

Example 1

New-AzKeyVaultRoleAssignment -HsmName bez-hsm -RoleDefinitionName "Managed Hsm Crypto User" -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

This example assigns role "Managed Hsm Crypto User" to user "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" at top scope. If the user wants to perform operations on keys, a "Managed Hsm Crypto *" role is required for that user.

Example 2

New-AzKeyVaultRoleAssignment -HsmName myHsm -RoleDefinitionName "Managed HSM Policy Administrator" -SignInName user1@microsoft.com
RoleDefinitionName               DisplayName                    ObjectType Scope
------------------               -----------                    ---------- -----
Managed HSM Policy Administrator User 1 (user1@microsoft.com)   User       /

This example assigns role "Managed HSM Policy Administrator" to user "user1@microsoft.com" at top scope.
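
A least-privilege variant of the examples above, added here and not part of the Az.KeyVault documentation: it grants the role on a single key through -Scope rather than the '/' scope used when -Scope is omitted, skips the call if the assignment already exists, and supports a -WhatIf dry run. Grant-HsmKeyRole, the HSM name, the key name and the object ID are hypothetical; Get-AzKeyVaultRoleAssignment is the module's companion cmdlet.

```powershell
# Added example. Grant-HsmKeyRole is a hypothetical helper; 'myHsm',
# 'payments-signing' and the all-zero object ID are placeholders.
function Grant-HsmKeyRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $HsmName,
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [guid]   $ObjectId,      # [guid] rejects malformed IDs early
        [Parameter(Mandatory)] [string] $RoleDefinitionName
    )

    # Conservative character check (an assumption of this example) so the
    # scope string can only ever be '/keys/<name>', never '/' or '/keys'.
    if ($KeyName -notmatch '^[0-9A-Za-z-]+$') {
        throw "Unexpected key name '$KeyName'; refusing to build a scope from it."
    }
    $scope = "/keys/$KeyName"
    $principal = $ObjectId.ToString()

    # Return the existing assignment instead of creating a duplicate.
    $existing = Get-AzKeyVaultRoleAssignment -HsmName $HsmName -Scope $scope -ObjectId $principal |
        Where-Object { $_.RoleDefinitionName -eq $RoleDefinitionName -and $_.Scope -eq $scope }
    if ($existing) { return $existing }

    # With -WhatIf, ShouldProcess prints the planned change and returns $false.
    if ($PSCmdlet.ShouldProcess("$HsmName$scope", "Assign '$RoleDefinitionName' to $principal")) {
        New-AzKeyVaultRoleAssignment -HsmName $HsmName -Scope $scope `
            -RoleDefinitionName $RoleDefinitionName -ObjectId $principal
    }
}

$grant = @{
    HsmName            = 'myHsm'
    KeyName            = 'payments-signing'
    ObjectId           = '00000000-0000-0000-0000-000000000000'
    RoleDefinitionName = 'Managed HSM Crypto User'
}
Grant-HsmKeyRole @grant -WhatIf   # dry run: nothing is assigned
Grant-HsmKeyRole @grant           # apply

# Review which principals hold roles at the top scope of the HSM.
Get-AzKeyVaultRoleAssignment -HsmName 'myHsm' -Scope '/' |
    Where-Object { $_.Scope -eq '/' } |
    Select-Object RoleDefinitionName, DisplayName, ObjectType, Scope
```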

PARAMETERS

-ApplicationId

The app SPN.

Type: System.String
Parameter Sets: DefinitionNameApplicationId, DefinitionIdApplicationId
Aliases: SPN, ServicePrincipalName

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Parameter Sets: (All)
Aliases: AzContext, AzureRmContext, AzureCredential

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-HsmName

Name of the HSM.

Type: System.String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ObjectId

The user or group object id.

Type: System.String
Parameter Sets: DefinitionNameObjectId, DefinitionIdObjectId
Aliases: Id, PrincipalId

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-RoleDefinitionId

Role Id the principal is assigned to.

Type: System.String
Parameter Sets: DefinitionIdApplicationId, DefinitionIdObjectId, DefinitionIdSignInName
Aliases: RoleId

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-RoleDefinitionName

Name of the RBAC role to assign to the principal.

Type: System.String
Parameter Sets: DefinitionNameSignInName, DefinitionNameApplicationId, DefinitionNameObjectId
Aliases: RoleName

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Scope

Scope to which the role assignment or definition applies, e.g., '/' or '/keys' or '/keys/{keyName}'. '/' is used when omitted.

Type: System.String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SignInName

The user SignInName.

Type: System.String
Parameter Sets: DefinitionNameSignInName, DefinitionIdSignInName
Aliases: Email, UserPrincipalName

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

None

OUTPUTS

Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultRoleAssignment

NOTES

RELATED LINKS