This is an automated archive made by the Lemmit Bot.

The original was posted on /r/azure by /u/kaldareta on 2023-08-31 02:55:23.
We are designing our Azure Landing Zone. We try to achieve best practice, so while going through scenarios, this is what I came upon.

  1. Require all Key Vaults (KV) to be stored in the same KV-specific Resource Group (i.e. RG-KV).
  2. A restrictive custom KV Reader role is required at the RG-KV level so Teams/Service Principals can list KVs (without being able to list names for secrets, certs & keys).
  3. A KV Admin role on their respective KV-App to manage it.
  4. Set up Private Links for their respective KV-App.
  5. Set up Azure Policy to restrict KV creation in other Management Groups.

Thoughts? Does anyone have a similar scenario? Any roadblock/hardships/conflicts you can foresee? 😅
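Steps 2 and 5 of the design above, written out as the JSON Azure actually consumes, with a small offline evaluator so the intent can be checked before anything is deployed. This is an added example, not code from the original post: the subscription id and management-group names are placeholders, the wildcard matcher is a simplified model of Azure RBAC matching (a `*` matches any run of characters, case-insensitively), and the policy evaluator only handles the single `field`/`equals` condition shown.

```python
"""Added example: a list-only custom Key Vault role for RG-KV and a deny
policy for Key Vault creation, plus a tiny evaluator to check both offline.

Assumed/placeholder values: SUBSCRIPTION_ID, the RG-KV resource group name
and the management-group names in the CLI comments at the bottom.
"""
import fnmatch
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
KV_RG_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/RG-KV"

# Custom role for step 2: it can list vault resources in RG-KV and nothing
# else. DataActions is empty, so under the RBAC permission model the principal
# cannot enumerate or read secrets, keys or certificates at all, and the
# control-plane Actions deliberately avoid the 'vaults/*/read' wildcard, which
# would also expose ARM-level secret/key/certificate resource names.
KV_LIST_ONLY_ROLE = {
    "Name": "Key Vault List Only (custom)",
    "IsCustom": True,
    "Description": "List Key Vault resources in RG-KV without data-plane access.",
    "Actions": [
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [KV_RG_SCOPE],
}

# For contrast: a reader role built on the broad wildcard pattern the built-in
# Key Vault Reader uses. Constructed here to show why a custom role is needed.
WILDCARD_READER_ROLE = {
    "Name": "Wildcard reader (illustration)",
    "IsCustom": True,
    "Actions": ["Microsoft.KeyVault/vaults/*/read"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [KV_RG_SCOPE],
}

# Policy rule for step 5: deny creation of any Key Vault resource. Assign it
# to every management group except the one that contains RG-KV.
DENY_KV_POLICY_RULE = {
    "if": {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
    "then": {"effect": "deny"},
}


def _matches(pattern: str, operation: str) -> bool:
    """Simplified Azure RBAC wildcard match: '*' spans any characters,
    including '/', and comparison is case-insensitive."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role: dict, operation: str, data_plane: bool = False) -> bool:
    """True if the role grants the operation: some (Data)Actions entry matches
    and no Not(Data)Actions entry matches, which is how Azure evaluates roles."""
    allow_key, deny_key = (("DataActions", "NotDataActions") if data_plane
                           else ("Actions", "NotActions"))
    allowed = any(_matches(p, operation) for p in role[allow_key])
    denied = any(_matches(p, operation) for p in role[deny_key])
    return allowed and not denied


def policy_denies(resource: dict) -> bool:
    """Evaluate the single 'field equals' condition of DENY_KV_POLICY_RULE
    against a resource description (dict with at least a 'type' key)."""
    cond = DENY_KV_POLICY_RULE["if"]
    hit = resource.get(cond["field"], "").lower() == cond["equals"].lower()
    return hit and DENY_KV_POLICY_RULE["then"]["effect"] == "deny"


def definitions_as_json() -> tuple[str, str]:
    """Return (role_json, policy_rule_json) ready to be saved to files."""
    return json.dumps(KV_LIST_ONLY_ROLE, indent=2), json.dumps(DENY_KV_POLICY_RULE, indent=2)


if __name__ == "__main__":
    role_json, rule_json = definitions_as_json()
    with open("kv-list-only-role.json", "w") as f:
        f.write(role_json)
    with open("deny-kv-rule.json", "w") as f:
        f.write(rule_json)
    # Deploy with the Azure CLI (placeholders in angle brackets):
    #   az role definition create --role-definition @kv-list-only-role.json
    #   az policy definition create --name deny-keyvault-creation --mode All \
    #       --rules @deny-kv-rule.json --management-group <root-mg>
    #   az policy assignment create --policy deny-keyvault-creation \
    #       --scope /providers/Microsoft.Management/managementGroups/<other-mg>
    for op in ("Microsoft.KeyVault/vaults/read", "Microsoft.KeyVault/vaults/secrets/read"):
        print(op, "list-only:", role_allows(KV_LIST_ONLY_ROLE, op),
              "wildcard:", role_allows(WILDCARD_READER_ROLE, op))
```

The evaluator makes the difference between the two reader roles concrete: the wildcard pattern grants `Microsoft.KeyVault/vaults/secrets/read` (ARM-level secret names), while the list-only role grants only `Microsoft.KeyVault/vaults/read`. Keep the policy assigned at management-group scope rather than on RG-KV's own group, otherwise the teams' vaults would be denied there too.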