Note the Client ID and the key credential; these will be used to configure the Azure Automation scheduled job.

The scheduled job needs permissions to manage the keys of all Storage Accounts in the subscription and to write secrets in the Key Vault.

You can grant Azure Active Directory users and services access to the Key Vault so they can perform encrypt/decrypt operations with private keys or read/write secrets.

Here's how we'll use a Key Vault to secure Azure Storage keys: we will keep the Azure Storage keys in a Key Vault.
One of the advantages of central access management is quick access revocation – access of the user/service can be revoked by simply disabling the account in the directory.
OK, now the identity of the scheduled job has permission to regenerate the keys of all Storage Accounts in the subscription, and permission to create and update secrets in the Key Vaults.
We now have everything we need to create a scheduled job that regenerates the keys of the Storage Accounts in the subscription and writes each new key value to the Key Vault.
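The runbook below is an added example of such a job, not code from the original post. It assumes the Az PowerShell modules are imported into the Automation account, that a credential asset named `StorageKeyRotator` holds the service principal's Client ID (as the user name) and key credential (as the password), and that Automation variables `TenantId`, `SubscriptionId` and `KeyVaultName` exist; those asset names are placeholders. It rotates one key (key1 or key2) on every Storage Account in the subscription and writes the new value to a secret named after the account and key, so applications keep reading the current key from Key Vault instead of holding it in configuration.

```powershell
# Added example (not the original post's code): Azure Automation runbook that regenerates one
# Storage Account key per account and stores the new value in Key Vault.
# Assumed Automation assets: credential "StorageKeyRotator" (user = Client ID, password = key
# credential), variables "TenantId", "SubscriptionId", "KeyVaultName".
param(
    [ValidateSet("key1", "key2")]
    [string]$KeyName = "key1"
)

$ErrorActionPreference = "Stop"

$cred           = Get-AutomationPSCredential -Name "StorageKeyRotator"
$tenantId       = Get-AutomationVariable -Name "TenantId"
$subscriptionId = Get-AutomationVariable -Name "SubscriptionId"
$vaultName      = Get-AutomationVariable -Name "KeyVaultName"

# Sign in as the service principal whose Client ID / key credential were noted earlier.
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantId | Out-Null
Set-AzContext -Subscription $subscriptionId | Out-Null

foreach ($sa in Get-AzStorageAccount) {
    $rg   = $sa.ResourceGroupName
    $name = $sa.StorageAccountName

    # Regenerate only the requested key; the other key stays valid, so clients that
    # refresh the secret from Key Vault on their next read are not locked out.
    $null = New-AzStorageAccountKey -ResourceGroupName $rg -Name $name -KeyName $KeyName

    $newKey = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $name |
               Where-Object KeyName -eq $KeyName).Value

    # Secret name convention (assumed): "<storage account>-<key name>", e.g. "mystorage-key1".
    $secretName  = "$name-$KeyName"
    $secretValue = ConvertTo-SecureString -String $newKey -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue | Out-Null

    # Log the event, never the key value itself; the job output is visible in the Automation UI.
    Write-Output "Rotated $KeyName of $name; secret '$secretName' updated in vault $vaultName"
}
```

Schedule the runbook to alternate between `key1` and `key2` (for example, two schedules with different `KeyName` parameters) so that at any time one key has only just been rotated and the other is still the one applications may be holding; if the job fails part-way, the Automation job output shows which accounts were rotated and the remaining accounts still have both keys intact.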
Then, grant secret management rights on the Key Vaults to the identity of the scheduled job.
This will allow it to create and update secrets in the Key Vaults.
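The snippet below is an added example of granting those two permissions, not commands from the original post. It assumes the service principal's Client ID is already known (from the earlier step) and that `Get-AzStorageAccount` and `Get-AzKeyVault` return the accounts and vaults the job should manage; the built-in role `Storage Account Key Operator Service Role` is used because it allows listing and regenerating keys without broader write access to the accounts, and the Key Vault access policy is limited to `Get` and `Set` on secrets.

```powershell
# Added example (not the original post's code): grant the scheduled job's identity the
# least-privilege rights it needs. $ClientId is the application (client) ID noted earlier.
param(
    [Parameter(Mandatory = $true)] [string]$ClientId
)

$ErrorActionPreference = "Stop"
$subscriptionId = (Get-AzContext).Subscription.Id

# 1. Key management on every Storage Account: scope the role assignment to each account
#    rather than the whole subscription, so the identity cannot touch other resource types.
foreach ($sa in Get-AzStorageAccount) {
    New-AzRoleAssignment -ApplicationId $ClientId `
        -RoleDefinitionName "Storage Account Key Operator Service Role" `
        -Scope $sa.Id | Out-Null
    Write-Output "Key operator role granted on $($sa.StorageAccountName)"
}

# 2. Secret management on every Key Vault: Get and Set are enough to write and verify
#    secrets; no key, certificate or purge permissions are granted.
foreach ($kv in Get-AzKeyVault) {
    Set-AzKeyVaultAccessPolicy -VaultName $kv.VaultName `
        -ServicePrincipalName $ClientId `
        -PermissionsToSecrets Get, Set | Out-Null
    Write-Output "Secret Get/Set granted on vault $($kv.VaultName)"
}

# Optional check: list what the identity can now do, to confirm nothing wider slipped in.
Get-AzRoleAssignment -ServicePrincipalName $ClientId -Scope "/subscriptions/$subscriptionId" |
    Select-Object RoleDefinitionName, Scope
```

If new Storage Accounts or vaults are created later, this grant script must be re-run for them, which is itself a useful audit point: a rotation job that suddenly fails on one account usually means a new account was created without the role assignment.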
Can I manage access to Azure Storage data using AD too?