I want to create an Azure key vault with fairly restricted access (one or two of our apps). I've created the Key Vault through the Azure portal, but when I look at the Access Control section, I find that several Apps and Users have the Contributor role (inherited from the subscription) for the key vault, which gives them more access than they should have.
Since the subscription is the highest level at which access control can be set, there is no way for me to revoke access for these apps/users without revoking it at the subscription level, and this would probably cause all sorts of problems. (it's not really clear what permissions these need, so it'd be a bit painful to have to give those permissions at a resource group or resource level). What's more, there'd be nothing stopping someone who comes along later from adding contributor roles at the subscription level (for some new app, for instance), and breaking the security of the key vault.
So with all of this in mind, what would be the best way to limit access to an azure key vault, so that only the apps/users I want have access to it, despite the fact that several apps/users already have these permissions at the subscription level?
More info: We're using the Azure Resource Manager model, and everything is currently stored in one subscription.
