Azure Key Vault Contributors are not allowed access to Key Vault data. But did you know they can still gain access to Key Vault keys, secrets, and certificates when a key vault is using access policies?
I recently published a post explaining this on Datadog Security Labs:
The permission this relates to has been well documented in previous research. What’s interesting here is that an Azure built-in role that should not have access to Key Vault data included this permission. This risk was not previously called out in Microsoft documentation, but the documentation has recently been updated to state it more clearly.
Hope you find it interesting!
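To check your own exposure to this, the following added example (not code from the post or from Datadog) cross-references vaults that still use access policies with Key Vault Contributor role assignments whose scope covers them. It assumes JSON shaped like ARM vault resources (`properties.enableRbacAuthorization`) and like `az role assignment list` output; the function names and all sample data are hypothetical and constructed, and management-group scopes are not resolved.

```python
# Constructed sample data; IDs and principals are placeholders, not real tenants.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

def vault_id(rg, name):
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{name}"

VAULTS = [
    {"id": vault_id("rg-app", "kv-legacy"), "properties": {"enableRbacAuthorization": False}},
    {"id": vault_id("rg-app", "kv-rbac"), "properties": {"enableRbacAuthorization": True}},
    {"id": vault_id("rg-app2", "kv-other"), "properties": {"enableRbacAuthorization": False}},
    {"id": vault_id("rg-data", "kv-old"), "properties": {}},  # flag absent
]
ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Key Vault Contributor",
     "scope": f"{SUB}/resourceGroups/rg-app"},
    {"principalName": "bob@example.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "ci-deployer", "roleDefinitionName": "Key Vault Contributor",
     "scope": vault_id("rg-data", "kv-old").upper()},  # ARM IDs are case-insensitive
]

def uses_access_policies(vault):
    # Anything other than an explicit True is treated as the access policy model.
    return (vault.get("properties") or {}).get("enableRbacAuthorization") is not True

def scope_covers(scope, resource_id):
    # A scope covers a resource if it equals the ID or is a parent path of it.
    # The trailing "/" stops rg-app from matching rg-app2.
    s, r = scope.rstrip("/").lower(), resource_id.lower()
    return s == "" or r == s or r.startswith(s + "/")

def exposed_vaults(vaults, assignments, role="Key Vault Contributor"):
    """Return sorted (vault name, principal) pairs that deserve review."""
    findings = set()
    for vault in vaults:
        if not uses_access_policies(vault):
            continue
        for a in assignments:
            if a["roleDefinitionName"] == role and scope_covers(a["scope"], vault["id"]):
                findings.add((vault["id"].rsplit("/", 1)[-1], a["principalName"]))
    return sorted(findings)

if __name__ == "__main__":
    for name, principal in exposed_vaults(VAULTS, ASSIGNMENTS):
        print(f"{name}: access policy vault, Key Vault Contributor held by {principal}")
```

Each finding is a candidate for moving the vault to Azure RBAC authorization or narrowing the role assignment.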