Teams & org

Your organization is the top-level home for everyone at your company on Keyvault. Within it, you use groups and roles to decide who belongs to which teams and what they are allowed to do. Getting this structure right means access to vaults stays correct as people join, move, and leave — without anyone editing shares by hand.

Organization structure

An organization contains:

  • Members — the people in your company with a Keyvault account.
  • Groups — collections of members, usually mapped to real teams like Engineering or Finance.
  • Vaults — shared containers of secrets, granted to groups or individuals. See Vaults.

The clean pattern most teams settle on: a group per team, a vault per set of secrets that team owns, and the group granted access to its vaults. People get everything they need the moment they join the group.

Groups

Groups are the backbone of access at scale. Instead of adding ten people to five vaults, you add one group to each vault and manage membership in one place.

Creating a group

  1. In the admin console, open Groups and select New group.
  2. Name it after the team it represents, such as Engineering or On-call.
  3. Add members, then grant the group access to its vaults at the appropriate level — see Sharing & permissions.
If you use single sign-on, you can often sync groups from your identity provider so Keyvault membership mirrors your directory automatically. See Single sign-on.

Roles

Roles set what a member can do at the organization level, separate from their access to any particular vault.

RoleCan do
MemberUse the vaults they are given; manage their own personal vault
Vault managerCreate vaults and manage access for the vaults they own
AdminManage members, groups, roles, and organization settings
OwnerFull control, including billing and transferring ownership

Keep the number of admins and owners small. A role grants organization-wide capability, so it is the most powerful thing to hand out.

Inviting members

  1. In the admin console, open Members and select Invite.
  2. Enter the person's work email. If you use SSO, they will sign in through your identity provider.
  3. Add them to the right groups so they inherit vault access immediately.
  4. Send the invite. They set up their account and master password on first sign-in.

When someone leaves

Remove the member (or let your directory remove them via SSO). Their access to every vault ends, and their personal vault is handled according to your organization's offboarding policy. Rotate any shared secrets they had access to that were sensitive — see Sharing & permissions.

Break-glass vaults

A break-glass vault holds emergency credentials that are normally out of reach and only used when something is on fire — for example, recovery access an on-call engineer needs during an incident when the usual path is down.

Treat these vaults with extra care:

  • Restrict membership — grant the break-glass group to a small, deliberate set of people, usually the on-call rotation.
  • Require strong sign-in — enforce a second factor and, where possible, SSO for anyone in the group.
  • Make use visible — because access is rare, opening a break-glass item should be a notable, reviewable event for your team.
  • Rotate after use — once an emergency credential has been used, plan to rotate it so the emergency copy is fresh for next time.
Break-glass access is meant to be rare and accountable. Keep the vault small, keep the group tight, and review who is in it on a regular schedule.

Reviewing access

On a regular cadence, review group membership, vault access, and who holds elevated roles. Access reviews catch the drift that naturally builds up as teams reorganize, and they keep sensitive vaults limited to the people who genuinely need them.

Next steps