Azure · alex-frankel · May 6, 2026 · Apr 10, 2026 · Apr 10, 2026 · Apr 24, 2026
diff --git a/quickstarts/microsoft.keyvault/key-vault-secret-create/README.md b/quickstarts/microsoft.keyvault/key-vault-secret-create/README.md
@@ -26,7 +26,7 @@ languages:
 [![Deploy To Azure US Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.keyvault%2Fkey-vault-secret-create%2Fazuredeploy.json)
 [![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.svg?sanitize=true)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.keyvault%2Fkey-vault-secret-create%2Fazuredeploy.json)
 
-This template creates a key vault with a multiple access policies, and a list of secrets. Instead of just using an array for the secret creation, this template wraps an array in a [secureObject](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-authoring-templates#parameters). Using a secureObject instead of an array type means that the values you pass, cannot be read back in the portal after the deployment.
+This template creates a key vault with RBAC authorization enabled, and a list of secrets. The vault uses Azure role-based access control (Azure RBAC) instead of access policies for authorization. Instead of just using an array for the secret creation, this template wraps an array in a [secureObject](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-authoring-templates#parameters). Using a secureObject instead of an array type means that the values you pass, cannot be read back in the portal after the deployment.
 
 Resource iteration is used in this template. For more information, see
 

diff --git a/quickstarts/microsoft.keyvault/key-vault-secret-create/azuredeploy.json b/quickstarts/microsoft.keyvault/key-vault-secret-create/azuredeploy.json
diff --git a/quickstarts/microsoft.keyvault/key-vault-secret-create/azuredeploy.parameters.json b/quickstarts/microsoft.keyvault/key-vault-secret-create/azuredeploy.parameters.json
@@ -5,9 +5,6 @@
     "keyVaultName": {
       "value": "GEN-UNIQUE"
     },
-    "objectId": {
-      "value": "GEN-AZUREAD-OBJECTID"
-    },
     "secretsObject": {
       "value": {
         "secrets": [

diff --git a/quickstarts/microsoft.keyvault/key-vault-secret-create/main.bicep b/quickstarts/microsoft.keyvault/key-vault-secret-create/main.bicep
@@ -16,19 +16,6 @@ param enabledForTemplateDeployment bool = false
 @description('Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet.')
 param tenantId string = subscription().tenantId
 
-@description('Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets.')
-param objectId string
-
-@description('Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge.')
-param keysPermissions array = [
-  'list'
-]
-
-@description('Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge.')
-param secretsPermissions array = [
-  'list'
-]
-
 @description('Specifies whether the key vault is a standard vault or a premium vault.')
 @allowed([
   'standard'
@@ -47,17 +34,10 @@ resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
     enabledForDeployment: enabledForDeployment
     enabledForTemplateDeployment: enabledForTemplateDeployment
     enabledForDiskEncryption: enabledForDiskEncryption
+    enableRbacAuthorization: true
     tenantId: tenantId
-    accessPolicies: [
-      {
-        objectId: objectId
-        tenantId: tenantId
-        permissions: {
-          keys: keysPermissions
-          secrets: secretsPermissions
-        }
-      }
-    ]
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 90
     sku: {
       name: skuName
       family: 'A'

diff --git a/quickstarts/microsoft.keyvault/key-vault-secret-create/metadata.json b/quickstarts/microsoft.keyvault/key-vault-secret-create/metadata.json
@@ -2,8 +2,8 @@
   "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#",
   "type": "QuickStart",
   "itemDisplayName": "Create a Key Vault and a list of secrets",
-  "description": "This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters",
-  "summary": "Creates a Key Vault with a list of secrets",
+  "description": "This template creates a Key Vault with RBAC authorization enabled and a list of secrets within the key vault as passed along with the parameters",
+  "summary": "Creates a Key Vault with Azure RBAC authorization and a list of secrets",
   "githubUsername": "rahulpnath",
-  "dateUpdated": "2024-03-05"
-}
+  "dateUpdated": "2026-04-10"
+}