MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Feedback to add the required RBAC permissions to allow users/SPNs to backup/restore Key Vault Objects #122853

Open NoorKhaldi opened 2 months ago

NoorKhaldi commented 2 months ago

Would be great if we can help our customers and explain what type of RBAC permissions are required for this to work. I have prepared the following that can be used in the public documentation:

The following JSON template can be used to create an RBAC custom role that allows a user or a service principal to backup/restore objects from a Key Vault. Note that this will only work if your Key Vault is using the permission model "Azure role-based access control (recommended)".

The list of permissions is as follows:

```json
{
  "id": "/subscriptions/XXXXXXX/providers/Microsoft.Authorization/roleDefinitions/XXXXX",
  "properties": {
    "roleName": "Key Vault Backup and Restore",
    "description": "",
    "assignableScopes": [
      "/subscriptions/XXXXXXX"
    ],
    "permissions": [
      {
        "actions": [],
        "notActions": [],
        "dataActions": [
          "Microsoft.KeyVault/vaults/certificates/backup/action",
          "Microsoft.KeyVault/vaults/certificates/read",
          "Microsoft.KeyVault/vaults/certificates/restore/action",
          "Microsoft.KeyVault/vaults/keys/read",
          "Microsoft.KeyVault/vaults/keys/restore/action",
          "Microsoft.KeyVault/vaults/keys/backup/action",
          "Microsoft.KeyVault/vaults/secrets/backup/action",
          "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
          "Microsoft.KeyVault/vaults/secrets/restore/action"
        ],
        "notDataActions": []
      }
    ]
  }
}
```

For more information on how to use the Azure Portal to create an RBAC custom role, please follow this link: https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal

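An added least-privilege check for the role definition above (example code, not part of this issue or of azure-docs): it parses a definition in the shape shown, confirms that the nine listed data actions are effectively granted (honouring `notDataActions` and `*` wildcards), and reports anything granted beyond them, because a pattern such as `Microsoft.KeyVault/vaults/*` passes the "can it back up and restore" check while granting far more than that. The `sample_role` helper and the placeholder ids it embeds are constructed for this example.

```python
import json
from fnmatch import fnmatchcase

# Data actions the issue lists for backup/restore of certificates, keys and secrets.
REQUIRED = frozenset({
    "Microsoft.KeyVault/vaults/certificates/backup/action",
    "Microsoft.KeyVault/vaults/certificates/read",
    "Microsoft.KeyVault/vaults/certificates/restore/action",
    "Microsoft.KeyVault/vaults/keys/read",
    "Microsoft.KeyVault/vaults/keys/restore/action",
    "Microsoft.KeyVault/vaults/keys/backup/action",
    "Microsoft.KeyVault/vaults/secrets/backup/action",
    "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    "Microsoft.KeyVault/vaults/secrets/restore/action",
})

def _granted(action, allow, deny):
    # Effective when an allow pattern matches and no notDataActions pattern does ('*' spans '/').
    return (any(fnmatchcase(action, p) for p in allow)
            and not any(fnmatchcase(action, p) for p in deny))

def audit_role(role_json):
    """Report data actions still missing for backup/restore and anything granted
    beyond them: wildcards, literal extras and control-plane actions."""
    allow, deny, control = set(), set(), set()
    for perm in json.loads(role_json)["properties"]["permissions"]:
        allow.update(perm.get("dataActions", []))
        deny.update(perm.get("notDataActions", []))
        control.update(perm.get("actions", []))
    return {
        "missing": sorted(a for a in REQUIRED if not _granted(a, allow, deny)),
        "wildcards": sorted(p for p in allow if "*" in p),
        "extra": sorted(p for p in allow if "*" not in p and p not in REQUIRED),
        "control_plane": sorted(control),
    }

def sample_role(data_actions, not_data_actions=()):
    """Constructed role definition in the API shape, with placeholder ids (hypothetical helper)."""
    return json.dumps({
        "id": "/subscriptions/<sub-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>",
        "properties": {"roleName": "Key Vault Backup and Restore",
                       "assignableScopes": ["/subscriptions/<sub-id>"],
                       "permissions": [{"actions": [], "notActions": [],
                                        "dataActions": list(data_actions),
                                        "notDataActions": list(not_data_actions)}]}})

if __name__ == "__main__":
    print(audit_role(sample_role(REQUIRED)))  # the issue's list: nothing missing or extra
    print(audit_role(sample_role(["Microsoft.KeyVault/vaults/*"],
                                 ["Microsoft.KeyVault/vaults/keys/restore/action"])))
```

Feed it the output of `az role definition list --custom-role-only true` entry by entry to compare a deployed role against the list in the issue.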

PesalaPavan commented 2 months ago

@NoorKhaldi Thanks for your feedback! We will investigate and update as appropriate.

ManoharLakkoju-MSFT commented 2 months ago

@NoorKhaldi Thank you for your suggestion. It would be helpful to provide your ideas at the link below so our product team can work on it. https://feedback.azure.com/d365community

ManoharLakkoju-MSFT commented 2 months ago

@NoorKhaldi Thank you for bringing this to our attention. I've delegated this to content author @msmbaldwin, who will review it and offer their insightful opinions.