Thank you for posting this in Microsoft Q&A.
Yes, the Key Vault Certificate User and Key Vault Certificates Officer built-in roles were intentionally designed with their specific permissions.
The "Key Vault Certificate User" role is designed to allow users to read certificates, keys, and secrets from the Key Vault. This role is primarily designed for users who need to interact with certificates stored in Azure Key Vault.
The "Key Vault Certificates Officer" role, on the other hand, is designed to allow users to manage certificates and certificate authorities in the Key Vault. This role is intended for users who need to create, update, or delete certificates and certificate authorities, but do not need access to the keys and secrets associated with those certificates.
Because "Key Vault Certificate User" is limited to read-only access for keys and secrets, it does not have the permission to modify or delete them. This restriction ensures that the role is utilized strictly for its designated purpose and mitigates potential security risks.
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And if you have any further queries, do let us know.
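The role split described in the answer above can be checked before a role is assigned by evaluating a role definition's `dataActions` against the operation a principal needs. This is an added example, not part of the original answer or Microsoft's code: the role definitions below are constructed to mirror the answer's description and are assumptions, so pull the live ones with `az role definition list --name "<role>"` before relying on the result.

```python
import re

# Constructed role definitions, reduced to the permission fields printed by
# `az role definition list`. The action lists are assumptions that mirror the
# answer's description; they are not copied from the live definitions.
ROLES = {
    "Key Vault Certificate User": {
        "dataActions": [
            "Microsoft.KeyVault/vaults/certificates/read",
            "Microsoft.KeyVault/vaults/keys/read",
            "Microsoft.KeyVault/vaults/secrets/getSecret/action",
            "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        ],
        "notDataActions": [],
    },
    "Key Vault Certificates Officer": {
        "dataActions": [
            "Microsoft.KeyVault/vaults/certificates/*",
            "Microsoft.KeyVault/vaults/certificatecas/*",
        ],
        "notDataActions": [],
    },
}


def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; '*' matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def is_allowed(role, action):
    """True if a dataActions pattern matches and no notDataActions pattern does."""
    perms = ROLES[role]
    granted = any(_matches(p, action) for p in perms["dataActions"])
    excluded = any(_matches(p, action) for p in perms["notDataActions"])
    return granted and not excluded


def roles_allowing(action):
    """Return the sorted list of modelled roles that permit the given data action."""
    return sorted(role for role in ROLES if is_allowed(role, action))


if __name__ == "__main__":
    for op in ("certificates/read", "certificates/delete", "secrets/getSecret/action"):
        print(op, "->", roles_allowing("Microsoft.KeyVault/vaults/" + op))
```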