Teams & org
Your organization is the top-level home for everyone at your company on Keyvault. Within it, you use groups and roles to decide who belongs to which teams and what they are allowed to do. Getting this structure right means access to vaults stays correct as people join, move, and leave — without anyone editing shares by hand.
Organization structure
An organization contains:
- Members — the people in your company with a Keyvault account.
- Groups — collections of members, usually mapped to real teams like Engineering or Finance.
- Vaults — shared containers of secrets, granted to groups or individuals. See Vaults.
The clean pattern most teams settle on: a group per team, a vault per set of secrets that team owns, and the group granted access to its vaults. People get everything they need the moment they join the group.
Groups
Groups are the backbone of access at scale. Instead of adding ten people to five vaults, you add one group to each vault and manage membership in one place.
Creating a group
- In the admin console, open Groups and select New group.
- Name it after the team it represents, such as
EngineeringorOn-call. - Add members, then grant the group access to its vaults at the appropriate level — see Sharing & permissions.
Roles
Roles set what a member can do at the organization level, separate from their access to any particular vault.
| Role | Can do |
|---|---|
| Member | Use the vaults they are given; manage their own personal vault |
| Vault manager | Create vaults and manage access for the vaults they own |
| Admin | Manage members, groups, roles, and organization settings |
| Owner | Full control, including billing and transferring ownership |
Keep the number of admins and owners small. A role grants organization-wide capability, so it is the most powerful thing to hand out.
Inviting members
- In the admin console, open Members and select Invite.
- Enter the person's work email. If you use SSO, they will sign in through your identity provider.
- Add them to the right groups so they inherit vault access immediately.
- Send the invite. They set up their account and master password on first sign-in.
When someone leaves
Remove the member (or let your directory remove them via SSO). Their access to every vault ends, and their personal vault is handled according to your organization's offboarding policy. Rotate any shared secrets they had access to that were sensitive — see Sharing & permissions.
Break-glass vaults
A break-glass vault holds emergency credentials that are normally out of reach and only used when something is on fire — for example, recovery access an on-call engineer needs during an incident when the usual path is down.
Treat these vaults with extra care:
- Restrict membership — grant the break-glass group to a small, deliberate set of people, usually the on-call rotation.
- Require strong sign-in — enforce a second factor and, where possible, SSO for anyone in the group.
- Make use visible — because access is rare, opening a break-glass item should be a notable, reviewable event for your team.
- Rotate after use — once an emergency credential has been used, plan to rotate it so the emergency copy is fresh for next time.
Reviewing access
On a regular cadence, review group membership, vault access, and who holds elevated roles. Access reviews catch the drift that naturally builds up as teams reorganize, and they keep sensitive vaults limited to the people who genuinely need them.
Next steps
- Deploy to your team — roll Keyvault out across the organization.
- Single sign-on — connect your identity provider and sync groups.