Hi @Altaf Ingar
Thank you for reaching out to Microsoft Q&A.
Yes, you can be 100% confident on this point.
Adding new secrets, updating secrets, rotating certificates, importing or renewing certificates in existing Key Vaults that use legacy access policies is NOT impacted by this change, as long as the vault itself is not recreated or switched to Azure RBAC.
The confusion is caused by Microsoft retiring older Azure Key Vault API versions (prior to 2026-02-01) on 27 February 2027 and introducing Azure RBAC as the default access control model for newly created Key Vaults starting with API version 2026-02-01. This change often raises concerns about whether existing Key Vaults using legacy access policies will stop functioning. However, the change does not alter the behavior of existing Key Vaults. Vaults that are already created will continue to operate with their current access configuration. Day‑to‑day data‑plane operations—such as adding new secrets, updating secrets, managing keys, or renewing certificates—are unaffected unless the vault is recreated or explicitly migrated to Azure RBAC. Problems typically occur only when new vaults are created or when infrastructure templates unintentionally default to RBAC, resulting in access‑denied (HTTP 403) errors due to missing role assignments. Existing vault usage remains supported and stable.
Refer to the points below to resolve this issue, or as a workaround:
1. No change required for existing Key Vaults using access policies: All existing Key Vaults will retain their current access control model. You can continue adding or updating secrets and certificates without interruption, provided the vault is not deleted, recreated, or reconfigured.
2. Explicit configuration required only for new Key Vault creation: If new Key Vaults are created using ARM, Bicep, Terraform, Azure CLI, or PowerShell with API version 2026-02-01 or later, access policies must be explicitly enabled (enableRbacAuthorization = false) if RBAC is not desired. Otherwise, RBAC will be applied by default.
3. Azure RBAC migration can be planned later (recommended but optional): Microsoft recommends migrating to Azure RBAC for improved security and centralized access management, but this is not mandatory for existing vaults. Migration can be scheduled independently without impacting current operations.
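Added example (not part of the original answer, and not Microsoft's code): a pre-deployment check that scans an ARM template for Key Vault resources that would pick up the RBAC default described above because `enableRbacAuthorization` is omitted at API version 2026-02-01 or later. The template, vault names and finding labels are constructed for illustration, and the sample resources are trimmed to the fields the check reads.

```python
import json

# From the answer above: templates at this API version or later create
# vaults with Azure RBAC unless enableRbacAuthorization is set to false.
RBAC_DEFAULT_FROM = "2026-02-01"

# Constructed sample ARM template (vault names are made up for illustration).
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.KeyVault/vaults", "name": "kv-old-api",
   "apiVersion": "2023-07-01", "properties": {"accessPolicies": [{"objectId": "0000"}]}},
  {"type": "Microsoft.KeyVault/vaults", "name": "kv-new-implicit",
   "apiVersion": "2026-02-01", "properties": {"accessPolicies": [{"objectId": "0000"}]}},
  {"type": "Microsoft.KeyVault/vaults", "name": "kv-new-explicit",
   "apiVersion": "2026-02-01",
   "properties": {"enableRbacAuthorization": false, "accessPolicies": [{"objectId": "0000"}]}},
  {"type": "Microsoft.KeyVault/vaults", "name": "kv-param",
   "apiVersion": "2026-02-01",
   "properties": {"enableRbacAuthorization": "[parameters('useRbac')]"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "st1", "apiVersion": "2023-01-01"}
]}
""")


def audit_template(template):
    """Return (vault name, finding) pairs for vaults whose access model is risky."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        props = res.get("properties", {})
        flag = props.get("enableRbacAuthorization")
        # Compare only the YYYY-MM-DD prefix; ISO dates order lexically.
        new_default = res.get("apiVersion", "")[:10] >= RBAC_DEFAULT_FROM
        if flag is None and new_default:
            # Property omitted: the vault silently gets RBAC, and callers that
            # relied on access policies see HTTP 403 until roles are assigned.
            findings.append((res["name"], "implicit-rbac-default"))
        elif flag is not None and not isinstance(flag, bool):
            # Template expression: the model depends on a deploy-time value.
            findings.append((res["name"], "unresolved-expression"))
        elif flag is True and props.get("accessPolicies"):
            findings.append((res["name"], "access-policies-ignored-under-rbac"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_template(SAMPLE_TEMPLATE):
        print(f"{name}: {finding}")
```

Running the check in CI against templates before bumping their Key Vault `apiVersion` surfaces the vaults that need an explicit `enableRbacAuthorization` value or role assignments first.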