articles/key-vault/general/best-practices.md
Lines changed: 4 additions & 2 deletions
@@ -29,12 +29,14 @@ Key vaults define security boundaries for stored secrets. Grouping secrets into
29
29
Encryption keys and secrets like certificates, connection strings, and passwords are sensitive and business critical. You need to secure access to your key vaults by allowing only authorized applications and users. [Azure Key Vault security features](security-features.md) provides an overview of the Key Vault access model. It explains authentication and authorization. It also describes how to secure access to your key vaults.
30
30
31
31
Recommendations for controlling access to your vault are as follows:
32
-
- Lock down access to your subscription, resource group, and key vaults using role-based access control (RBAC).
32
+
- Lock down access to your subscription, resource group, and key vaults using role-based access control (RBAC) permission model for data plane.
33
33
- Assign RBAC roles at Key Vault scope for applications, services, and workloads requiring persistent access to Key Vault
34
34
- Assign just-in-time eligible RBAC roles for operators, administrators and other user accounts requiring privileged access to Key Vault using [Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md)
35
35
- Require at least one approver
36
36
- Enforce multi-factor authentication
37
37
- Restrict network access with [Private Link](private-link-service.md), [firewall and virtual networks](network-security.md)
38
+
> [!IMPORTANT]
39
+
> Legacy Access Policies permission model has known security vulnerabilities and lack of Priviliged Identity Management support and should not be used for critical data and workloads.
38
40
39
41
## Turn on data protection for your vault
40
42
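Review bot: The new callout line `> Legacy Access Policies permission model has known security vulnerabilities and lack of Priviliged Identity Management support ...` has a typo ("Priviliged" should be "Privileged") and needs an article and verb agreement; suggest: "The legacy access policy permission model has known security weaknesses, lacks Privileged Identity Management support, and should not be used for critical data and workloads." "Known security vulnerabilities" is also a strong claim left unsupported in the text: either name the concrete limitation being contrasted (the FAQ heading later in this file already refers to RBAC object-scope assignments, which gives a specific point of comparison) or link the guidance that documents it, so a reader can verify the statement. The reworded first bullet, `- Lock down access to your subscription, resource group, and key vaults using role-based access control (RBAC) permission model for data plane.`, reads awkwardly; "using the role-based access control (RBAC) permission model for the data plane" is clearer.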
@@ -54,7 +56,7 @@ For more information about backup, see [Azure Key Vault backup and restore](back
54
56
55
57
## Multitenant solutions and Key Vault
56
58
57
-
A multitenant solution is built on an architecture where components are used to serve multiple customers or tenants. Multitenant solutions are often used to support software as a service (SaaS) solutions. If you're building a multitenant solution that includes Key Vault, review [Multitenancy and Azure Key Vault](/azure/architecture/guide/multitenant/service/key-vault).
59
+
A multitenant solution is built on an architecture where components are used to serve multiple customers or tenants. Multitenant solutions are often used to support software as a service (SaaS) solutions. If you're building a multitenant solution that includes Key Vault, it is recommended to use one Key Vault per customer to provide isolation for customers data and workloads, review [Multitenancy and Azure Key Vault](/azure/architecture/guide/multitenant/service/key-vault).
58
60
59
61
## Frequently Asked Questions:
60
62
### Can I use Key Vault role-based access control (RBAC) permission model object-scope assignments to provide isolation for application teams within Key Vault?
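Review bot: The edited paragraph under `## Multitenant solutions and Key Vault` has become a run-on: the new recommendation and the existing cross-reference are joined by a comma after "workloads", and "customers data" needs the possessive. Suggest splitting it: "If you're building a multitenant solution that includes Key Vault, it is recommended to use one key vault per customer to isolate each customer's data and workloads. For more information, review [Multitenancy and Azure Key Vault](/azure/architecture/guide/multitenant/service/key-vault)." A short reason for the recommendation would also help; the first hunk's context line already states that "Key vaults define security boundaries for stored secrets", so tying the one-vault-per-customer advice to that boundary makes the guidance self-explanatory.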