Microsoft.KeyVault/vaults/accessPolicies/write
Azure
Microsoft.KeyVault/vaults/accessPolicies/write
Event
Modifies Key Vault access policies, potentially granting unauthorized access to secrets, keys, and certificates.
Security Context
- Key Vault access policies control who can read, list, and manage secrets, keys, and certificates; modifying them can grant an adversary access to stored credentials, encryption keys, and TLS certificates.
- Adversaries modify access policies to grant themselves or a compromised identity permissions to retrieve secrets, which often contain database connection strings, API keys, and other sensitive credentials.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud adds his own objectId to the kv-bowtruckle-prod vault’s access policy with secrets: get/list and keys: get/list, granting himself read access to every secret and key in the BOWTRUCKLE secrets vault. The requestbody carries the add mode update with the new policy entry.
{ "authorization": { "action": "Microsoft.KeyVault/vaults/accessPolicies/write", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "kvAccPol202ExampleUti", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100000000", "description": "", "eventDataId": "90000000-0000-4000-8000-000100000001", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T17:46:55.8174302Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod/events/90000000-0000-4000-8000-000100000001/ticks/638798225158174302", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100000010", "operationName": { "value": "Microsoft.KeyVault/vaults/accessPolicies/write", "localizedValue": "Update Access Policy" }, "resourceGroupName": "rg-bowtruckle-vault", "resourceProviderName": { "value": "Microsoft.KeyVault", "localizedValue": "Microsoft.KeyVault" }, "resourceType": { "value": "Microsoft.KeyVault/vaults/accessPolicies", "localizedValue": "Microsoft.KeyVault/vaults/accessPolicies" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T17:46:56.4023881Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod", "message": "Microsoft.KeyVault/vaults/accessPolicies/write", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001", "requestbody": "{\"properties\":{\"accessPolicies\":[{\"tenantId\":\"10000000-0000-4000-8000-000000000001\",\"objectId\":\"30000000-0000-4000-8000-001010011010\",\"permissions\":{\"keys\":[\"get\",\"list\"],\"secrets\":[\"get\",\"list\"],\"certificates\":[]}}]}}" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Credential Access
Techniques:
- T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...