Skip to content

Microsoft.KeyVault/vaults/accessPolicies/write

Azure

Microsoft.KeyVault/vaults/accessPolicies/write

service: Azure - Key Vault
techniques:

Event

Modifies Key Vault access policies, potentially granting unauthorized access to secrets, keys, and certificates.

Security Context

  • Key Vault access policies control who can read, list, and manage secrets, keys, and certificates; modifying them can grant an adversary access to stored credentials, encryption keys, and TLS certificates.
  • Adversaries modify access policies to grant themselves or a compromised identity permissions to retrieve secrets, which often contain database connection strings, API keys, and other sensitive credentials.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud adds his own objectId to the kv-bowtruckle-prod vault’s access policy with secrets: get/list and keys: get/list, granting himself read access to every secret and key in the BOWTRUCKLE secrets vault. The requestbody carries the add mode update with the new policy entry.

{
"authorization": {
"action": "Microsoft.KeyVault/vaults/accessPolicies/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "kvAccPol202ExampleUti",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100000000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100000001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T17:46:55.8174302Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod/events/90000000-0000-4000-8000-000100000001/ticks/638798225158174302",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100000010",
"operationName": {
"value": "Microsoft.KeyVault/vaults/accessPolicies/write",
"localizedValue": "Update Access Policy"
},
"resourceGroupName": "rg-bowtruckle-vault",
"resourceProviderName": {
"value": "Microsoft.KeyVault",
"localizedValue": "Microsoft.KeyVault"
},
"resourceType": {
"value": "Microsoft.KeyVault/vaults/accessPolicies",
"localizedValue": "Microsoft.KeyVault/vaults/accessPolicies"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T17:46:56.4023881Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod",
"message": "Microsoft.KeyVault/vaults/accessPolicies/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001",
"requestbody": "{\"properties\":{\"accessPolicies\":[{\"tenantId\":\"10000000-0000-4000-8000-000000000001\",\"objectId\":\"30000000-0000-4000-8000-001010011010\",\"permissions\":{\"keys\":[\"get\",\"list\"],\"secrets\":[\"get\",\"list\"],\"certificates\":[]}}]}}"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Credential Access

Techniques:
  • T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...