diff --git a/eng/.docsettings.yml b/eng/.docsettings.yml index cc07234ec979..708b726e87cf 100644 --- a/eng/.docsettings.yml +++ b/eng/.docsettings.yml @@ -135,6 +135,7 @@ known_content_issues: - ['sdk/eventhubs/README.md', '#3113'] - ['sdk/formrecognizer/azure-ai-formrecognizer/swagger/README.md', '#3113'] - ['sdk/keyvault/README.md', '#3113'] + - ['sdk/keyvault/azure-security-keyvault-administration/README.md', '#3113'] - ['sdk/loganalytics/microsoft-azure-loganalytics/README.md', '#3113'] - ['sdk/parents/azure-client-sdk-parent/README.md', '#3113'] - ['sdk/search/azure-search-documents/swagger/readme.md', '#3113'] diff --git a/eng/jacoco-test-coverage/pom.xml b/eng/jacoco-test-coverage/pom.xml index a1714e5c7f39..1859e75b95e3 100644 --- a/eng/jacoco-test-coverage/pom.xml +++ b/eng/jacoco-test-coverage/pom.xml @@ -166,6 +166,11 @@ azure-search-documents 11.1.0-beta.2 + + com.azure + azure-security-keyvault-administration + 4.0.0-beta.1 + com.azure azure-security-keyvault-certificates diff --git a/eng/versioning/version_client.txt b/eng/versioning/version_client.txt index a88688b0b358..2b0a2fb0f294 100644 --- a/eng/versioning/version_client.txt +++ b/eng/versioning/version_client.txt @@ -37,6 +37,7 @@ com.azure:azure-messaging-eventhubs-checkpointstore-blob;1.1.2;1.2.0-beta.3 com.azure:azure-messaging-servicebus;7.0.0-beta.5;7.0.0-beta.6 com.azure:azure-search-documents;11.0.0;11.1.0-beta.2 com.azure:azure-search-perf;1.0.0-beta.1;1.0.0-beta.1 +com.azure:azure-security-keyvault-administration;4.0.0-beta.1;4.0.0-beta.1 com.azure:azure-security-keyvault-certificates;4.1.0;4.2.0-beta.1 com.azure:azure-security-keyvault-keys;4.2.0;4.3.0-beta.1 com.azure:azure-security-keyvault-secrets;4.2.0;4.3.0-beta.1 diff --git a/sdk/keyvault/azure-security-keyvault-administration/CHANGELOG.md b/sdk/keyvault/azure-security-keyvault-administration/CHANGELOG.md new file mode 100644 index 000000000000..6844fbdfbbd0 --- /dev/null 
+++ b/sdk/keyvault/azure-security-keyvault-administration/CHANGELOG.md @@ -0,0 +1,3 @@ +# Release History +## 4.0.0-beta.1 (Unreleased) +- Added `KeyVaultAccessControlClient`. diff --git a/sdk/keyvault/azure-security-keyvault-administration/README.md b/sdk/keyvault/azure-security-keyvault-administration/README.md new file mode 100644 index 000000000000..ad6226a67d83 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/README.md 
@@ -0,0 +1,308 @@ +# Azure Key Vault Administration library for Java + +## Getting started +### Adding the package to your project +Maven dependency for the Azure Key Vault Administration library. Add it to your project's POM file. + +[//]: # ({x-version-update-start;com.azure:azure-security-keyvault-administration;current}) +```xml + + com.azure + azure-security-keyvault-administration + 4.0.0-beta.1 + +``` +[//]: # ({x-version-update-end}) + +### Prerequisites +- Java Development Kit (JDK) with version 8 or above +- [Azure Subscription][azure_subscription] +- An existing [Azure Key Vault][azure_keyvault]. If you need to create a Key Vault, you can use the [Azure Cloud Shell](https://shell.azure.com/bash) to create one with this Azure CLI command. Replace `` and `` with your own, unique names: + + ```Bash + az keyvault create --resource-group --name + ``` + +### Authenticate the client +In order to interact with the Azure Key Vault service, you'll need to create an instance of the [KeyVaultAccessControlClient](#create-access-control-client) class. You would need a **vault url** and **client secret credentials (client id, client secret, tenant id)** to instantiate a client object using the default `DefaultAzureCredential` examples shown in this document. + +The `DefaultAzureCredential` way of authentication by providing client secret credentials is being used in this getting started section but you can find more ways to authenticate with [azure-identity][azure_identity]. 
+ +#### Create/Get credentials +To create/get client secret credentials you can use the [Azure Portal][azure_create_application_in_portal], [Azure CLI][azure_keyvault_cli_full] or [Azure Cloud Shell](https://shell.azure.com/bash) + +Here is an [Azure Cloud Shell](https://shell.azure.com/bash) snippet below to + + * Create a service principal and configure its access to Azure resources: + + ```Bash + az ad sp create-for-rbac -n --skip-assignment + ``` + + Output: + + ```json + { + "appId": "generated-app-ID", + "displayName": "dummy-app-name", + "name": "http://dummy-app-name", + "password": "random-password", + "tenant": "tenant-ID" + } + ``` + +* Use the above returned credentials information to set the **AZURE_CLIENT_ID** (appId), **AZURE_CLIENT_SECRET** (password), and **AZURE_TENANT_ID** (tenantId) environment variables. The following example shows a way to do this in Bash: + + ```Bash + export AZURE_CLIENT_ID="generated-app-ID" + export AZURE_CLIENT_SECRET="random-password" + export AZURE_TENANT_ID="tenant-ID" + ``` + +* Take note of the service principal objectId + ```Bash + az ad sp show --id --query objectId + ``` + + Output: + ``` + "" + ``` + +* Use the aforementioned Key Vault name to retrieve details of your Key Vault, which also contain your Key Vault URL: + + ```Bash + az keyvault show --name + ``` + +#### Create Access Control client +Once you've populated the **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET**, and **AZURE_TENANT_ID** environment variables and replaced **your-key-vault-url** with the URI returned above, you can create the KeyVaultAccessControlClient: + +```Java +import com.azure.identity.DefaultAzureCredentialBuilder; +import com.azure.security.keyvault.administration.KeyVaultAccessControlClient; +import com.azure.security.keyvault.administration.KeyVaultAccessControlClientBuilder; + +KeyVaultAccessControlClient accessControlClient = new KeyVaultAccessControlClientBuilder() + .vaultUrl("") + .credential(new 
DefaultAzureCredentialBuilder().build()) + .buildClient(); +``` + +> NOTE: For using an asynchronous client use KeyVaultAccessControlAsyncClient instead of KeyVaultAccessControlClient and call `buildAsyncClient()` + +## Key concepts +### Role Definition +A role definition is a collection of permissions. It defines the operations that can be performed, such as read, write, and delete. It can also define the operations that are excluded from allowed operations. + +Role definitions can be listed and specified as part of a role assignment. + +### Role Assignment +A role assignment is the association of a role definition to a service principal. They can be created, listed, fetched individually, and deleted. + +### Key Vault Access Control client: +The Key Vault Access Control client performs the interactions with the Azure Key Vault service for getting, setting, deleting, and listing role assignments, as well as listing role definitions. Asynchronous (KeyVaultAccessControlAsyncClient) and synchronous (KeyVaultAccessControlClient) clients exist in the SDK allowing for the selection of a client based on an application's use case. Once you've initialized a role assignment, you can interact with the primary resource types in Key Vault. + +## Examples +### Sync API +The following sections provide several code snippets covering some of the most common Azure Key Vault Access Control service tasks, including: +- [List role definitions](#list-role-definitions) +- [List role assignments](#list-role-assignments) +- [Create a role assignment](#create-a-role-assignment) +- [Retrieve a role assignment](#retrieve-a-role-assignment) +- [Delete a role assignment](#delete-a-role-assignment) + +### List role definitions +List the role definitions in the key vault by calling `listRoleDefinitions`. 
+ +```java +KeyVaultRoleAssignmentScope roleAssignmentScope = KeyVaultRoleAssignmentScope.GLOBAL; + +for (KeyVaultRoleDefinition roleDefinition : accessControlClient.listRoleDefinitions(roleAssignmentScope)) { + System.out.printf("Retrieved role definition with name \"%s\" and type \"%s\"%n", roleDefinition.getName(), + roleDefinition.getType()); +} +``` + +### List role assignments +List the role assignments in the key vault by calling `listRoleAssignments`. + +```java +KeyVaultRoleAssignmentScope roleAssignmentScope = KeyVaultRoleAssignmentScope.GLOBAL; + +for (KeyVaultRoleAssignment roleAssignment : accessControlClient.listRoleAssignments(roleAssignmentScope)) { + System.out.printf("Retrieved role assignment with name \"%s\" and type \"%s\"%n", roleAssignment.getName(), + roleAssignment.getType()); +} +``` + +### Create a role assignment +Create a role assignment to in the Azure Key Vault. To do this a role definition ID and a service principal object ID are required. + +A role definition ID can be obtained from the 'id' property of one of the role definitions returned from `listRoleDefinitions`. + +See the [Create/Get Credentials section](#createget-credentials) for links and instructions on how to generate a new service principal and obtain it's object ID. 
You can also get the object ID for your currently signed in account by running the following Azure CLI command: + +```Bash +az ad signed-in-user show --query objectId +``` + +```java +String roleDefinitionIdToAssign = ""; +String servicePrincipalObjectId = ""; + +KeyVaultRoleAssignmentProperties properties = + new KeyVaultRoleAssignmentProperties(roleDefinitionIdToAssign, servicePrincipalObjectId); +KeyVaultRoleAssignment createdAssignment = + accessControlClient.createRoleAssignment(KeyVaultRoleAssignmentScope.GLOBAL, properties); + +System.out.printf("Created role assignment with name \"%s\" and type \"%s\"%n", createdAssignment.getName(), + createdAssignment.getType()); +``` + +### Retrieve a role assignment +Get an existing role assignment. To do this, the 'name' property from an existing role assignment is required. Let's use the `createdAssignment` from the previous example. + +```java +KeyVaultRoleAssignment retrievedAssignment = + accessControlClient.getRoleAssignment(KeyVaultRoleAssignmentScope.GLOBAL, createdAssignment.getName()); + +System.out.printf("Retrieved role assignment with name \"%s\" and type \"%s\"%n", retrievedAssignment.getName(), + retrievedAssignment.getType()); +``` +### Delete a role assignment +To remove a role assignment from a service principal, the role assignment must be deleted. Let's delete the `createdAssignment` from the previous example. 
+ +```java +KeyVaultRoleAssignment deletedAssignment = + accessControlClient.deleteRoleAssignment(KeyVaultRoleAssignmentScope.GLOBAL, createdAssignment.getName()); + +System.out.printf("Deleted role assignment with name \"%s\" and type \"%s\"%n", deletedAssignment.getName(), + deletedAssignment.getType()); +``` + +### Async API +The following sections provide several code snippets covering some of the most common asynchronous Azure Key Vault Access Control service tasks, including: +- [List role definitions asynchronously](#list-role-definitions-asynchronously) +- [List role assignments asynchronously](#list-role-assignments-asynchronously) +- [Create a role assignment asynchronously](#create-a-role-assignment-asynchronously) +- [Retrieve a role assignment asynchronously](#retrieve-a-role-assignment-asynchronously) +- [Delete a role assignment asynchronously](#delete-a-role-assignment-asynchronously) + +> Note : You should add `System.in.read()` or `Thread.sleep()` after the function calls in the main class/thread to allow async functions/operations to execute and finish before the main application/thread exits. + +### List role definitions asynchronously +List the role definitions in the key vault by calling `listRoleDefinitions`. + +```java +KeyVaultRoleAssignmentScope roleAssignmentScope = KeyVaultRoleAssignmentScope.GLOBAL; + +accessControlAsyncClient.listRoleDefinitions(roleAssignmentScope)) + .subscribe(roleDefinition -> + System.out.printf("Retrieved role definition with name \"%s\" and type \"%s\"%n", roleDefinition.getName(), + roleDefinition.getType())); +``` + +### List role assignments asynchronously +List the role assignments in the key vault by calling `listRoleAssignments`. 
+ +```java +KeyVaultRoleAssignmentScope roleAssignmentScope = KeyVaultRoleAssignmentScope.GLOBAL; + +accessControlAsyncClient.listRoleAssignments(roleAssignmentScope)) + .subscribe(roleAssignment -> + System.out.printf("Retrieved role assignment with name \"%s\" and type \"%s\"%n", roleAssignment.getName(), + roleAssignment.getType())); +``` + +### Create a role assignment asynchronously +Create a role assignment to in the Azure Key Vault. To do this a role definition ID and a service principal object ID are required. + +A role definition ID can be obtained from the 'id' property of one of the role definitions returned from `listRoleDefinitions`. + +See the [Create/Get Credentials section](#createget-credentials) for links and instructions on how to generate a new service principal and obtain it's object ID. You can also get the object ID for your currently signed in account by running the following Azure CLI command: + +```Bash +az ad signed-in-user show --query objectId +``` + +```java +String roleDefinitionIdToAssign = ""; +String servicePrincipalObjectId = ""; + +KeyVaultRoleAssignmentProperties properties = + new KeyVaultRoleAssignmentProperties(roleDefinitionIdToAssign, servicePrincipalObjectId); + +accessControlAsyncClient.createRoleAssignment(KeyVaultRoleAssignmentScope.GLOBAL, properties) + .subscribe(createdAssignment -> + System.out.printf("Created role assignment with name \"%s\" and type \"%s\"%n", createdAssignment.getName(), + createdAssignment.getType())); +``` + +### Retrieve a role assignment asynchronously +Get an existing role assignment. To do this, the 'name' property from an existing role assignment is required. Let's use the `createdAssignment` from the previous example. 
+ +```java +accessControlAsyncClient.getRoleAssignment(KeyVaultRoleAssignmentScope.GLOBAL, createdAssignment.getName()) + .subscribe(retrievedAssignment -> + System.out.printf("Retrieved role assignment with name \"%s\" and type \"%s\"%n", retrievedAssignment.getName(), + retrievedAssignment.getType())); +``` +### Delete a role assignment asynchronously +To remove a role assignment from a service principal, the role assignment must be deleted. Let's delete the `createdAssignment` from the previous example. + +```java +accessControlAsyncClient.deleteRoleAssignment(KeyVaultRoleAssignmentScope.GLOBAL, createdAssignment.getName()) + .subscribe(deletedAssignment -> + System.out.printf("Deleted role assignment with name \"%s\" and type \"%s\"%n", deletedAssignment.getName(), + deletedAssignment.getType())); +``` + +## Troubleshooting +### General +Azure Key Vault Access Control clients raise exceptions. For example, if you try to retrieve a role assignment after it is deleted a `404` error is returned, indicating the resource was not found. In the following snippet, the error is handled gracefully by catching the exception and displaying additional information about the error. + +```java +try { + accessControlClient.getRoleAssignment(KeyVaultRoleAssignmentScope.GLOBAL, "") +} catch (HttpResponseException e) { + System.out.println(e.getMessage()); +} +``` + +### Default HTTP client +All client libraries by default use the Netty HTTP client. Adding the above dependency will automatically configure the client library to use the Netty HTTP client. Configuring or changing the HTTP client is detailed in the [HTTP clients wiki](https://github.com/Azure/azure-sdk-for-java/wiki/HTTP-clients). + +### Default SSL library +All client libraries, by default, use the Tomcat-native Boring SSL library to enable native-level performance for SSL operations. 
The Boring SSL library is an Uber JAR containing native libraries for Linux / macOS / Windows, and provides better performance compared to the default SSL implementation within the JDK. For more information, including how to reduce the dependency size, refer to the [performance tuning][performance_tuning] section of the wiki. + +## Next steps +Several Key Vault Java SDK samples are available to you in the SDK's GitHub repository. These samples provide example code for additional scenarios commonly encountered while working with Azure Key Vault. + +### Additional documentation +For more extensive documentation on Azure Key Vault, see the [API reference documentation][azkeyvault_rest]. + +## Contributing +This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com. + +When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. + +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the Code of Conduct FAQ or contact with any additional questions or comments. 
+ + +[source_code]: src +[api_documentation]: https://azure.github.io/azure-sdk-for-java +[azkeyvault_docs]: https://docs.microsoft.com/azure/key-vault/ +[azure_identity]: https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity +[maven]: https://maven.apache.org/ +[azure_subscription]: https://azure.microsoft.com/ +[azure_keyvault]: https://docs.microsoft.com/azure/key-vault/quick-create-portal +[azure_cli]: https://docs.microsoft.com/cli/azure +[rest_api]: https://docs.microsoft.com/rest/api/keyvault/ +[azkeyvault_rest]: https://docs.microsoft.com/rest/api/keyvault/ +[azure_create_application_in_portal]: https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal +[azure_keyvault_cli]: https://docs.microsoft.com/azure/key-vault/quick-create-cli +[azure_keyvault_cli_full]: https://docs.microsoft.com/cli/azure/keyvault?view=azure-cli-latest +[performance_tuning]: https://github.com/Azure/azure-sdk-for-java/wiki/Performance-Tuning + +![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-java%2Fsdk%2Fkeyvault%2Fazure-security-keyvault-administration%2FREADME.png) diff --git a/sdk/keyvault/azure-security-keyvault-administration/pom.xml b/sdk/keyvault/azure-security-keyvault-administration/pom.xml new file mode 100644 index 000000000000..08da987d5cab --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/pom.xml 
@@ -0,0 +1,121 @@ + + + + com.azure + azure-client-sdk-parent + 1.7.0 + ../../parents/azure-client-sdk-parent + + + 4.0.0 + + com.azure + azure-security-keyvault-administration + 4.0.0-beta.1 + + Microsoft Azure client library for KeyVault Administration + This module contains client library for Microsoft Azure KeyVault Administration. + https://github.com/Azure/azure-sdk-for-java + + + + azure-java-build-docs + ${site.url}/site/${project.artifactId} + + + + + scm:git:https://github.com/Azure/azure-sdk-for-java + scm:git:git@github.com:Azure/azure-sdk-for-java.git + HEAD + + + + + com.azure + azure-core + 1.8.0 + + + com.azure + azure-core-http-netty + 1.6.0 + + + + org.junit.jupiter + junit-jupiter-api + 5.6.2 + test + + + org.junit.jupiter + junit-jupiter-engine + 5.6.2 + test + + + org.junit.jupiter + junit-jupiter-params + 5.6.2 + test + + + org.hamcrest + hamcrest-library + 2.2 + test + + + io.projectreactor + reactor-test + 3.3.9.RELEASE + test + + + com.azure + azure-core-test + 1.4.1 + test + + + com.azure + azure-core-http-okhttp + 1.3.0 + test + + + com.azure + azure-identity + 1.1.0 + test + + + + + + java-lts + + [11,) + + + + + org.apache.maven.plugins + maven-surefire-plugin + 3.0.0-M3 + + + --add-exports com.azure.core/com.azure.core.implementation.http=ALL-UNNAMED + + --add-opens com.azure.security.keyvault.administration/com.azure.security.keyvault.administration=ALL-UNNAMED + + + + + + + + diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlAsyncClient.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlAsyncClient.java new file mode 100644 index 000000000000..ba8ccdb048ea --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlAsyncClient.java 
@@ -0,0 +1,628 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration; + +import com.azure.core.annotation.ReturnType; +import com.azure.core.annotation.ServiceClient; +import com.azure.core.annotation.ServiceMethod; +import com.azure.core.http.HttpHeaders; +import com.azure.core.http.HttpPipeline; +import com.azure.core.http.HttpRequest; +import com.azure.core.http.rest.PagedFlux; +import com.azure.core.http.rest.PagedResponse; +import com.azure.core.http.rest.Response; +import com.azure.core.util.Context; +import com.azure.core.util.FluxUtil; +import com.azure.core.util.IterableStream; +import com.azure.core.util.logging.ClientLogger; +import com.azure.security.keyvault.administration.implementation.KeyVaultAccessControlClientImpl; +import com.azure.security.keyvault.administration.implementation.KeyVaultAccessControlClientImplBuilder; +import com.azure.security.keyvault.administration.implementation.KeyVaultErrorCodeStrings; +import com.azure.security.keyvault.administration.implementation.models.*; +import com.azure.security.keyvault.administration.models.*; +import reactor.core.publisher.Mono; + +import java.io.IOException; +import java.net.URL; +import java.util.ArrayList; +import java.util.List; +import java.util.Objects; +import java.util.UUID; + +import static com.azure.core.util.FluxUtil.monoError; +import static com.azure.core.util.FluxUtil.withContext; +import static com.azure.core.util.tracing.Tracer.AZ_TRACING_NAMESPACE_KEY; + +/** + * The {@link KeyVaultAccessControlAsyncClient} provides asynchronous methods to view and manage Role Based Access + * for the Azure Key Vault. The client supports creating, listing, updating, and deleting + * {@link KeyVaultRoleAssignment role assignments}. Additionally, the client supports listing + * {@link KeyVaultRoleDefinition role definitions}. 
+ */ +@ServiceClient(builder = KeyVaultAccessControlClientBuilder.class, isAsync = true) +public final class KeyVaultAccessControlAsyncClient { + // Please see here + // for more information on Azure resource provider namespaces. + private static final String KEYVAULT_TRACING_NAMESPACE_VALUE = "Microsoft.KeyVault"; + + /** + * The logger to be used. + */ + private final ClientLogger logger = new ClientLogger(KeyVaultAccessControlAsyncClient.class); + + /** + * The underlying AutoRest client used to interact with the Key Vault service. + */ + private final KeyVaultAccessControlClientImpl clientImpl; + + /** + * The Kay Vault URL this client is associated to. + */ + private final String vaultUrl; + + /** + * Package private constructor to be used by {@link KeyVaultAccessControlClientBuilder}. + */ + KeyVaultAccessControlAsyncClient(URL vaultUrl, HttpPipeline httpPipeline) { + Objects.requireNonNull(vaultUrl, + KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.VAULT_END_POINT_REQUIRED)); + + this.vaultUrl = vaultUrl.toString(); + + clientImpl = new KeyVaultAccessControlClientImplBuilder() + .pipeline(httpPipeline) + .buildClient(); + } + + /** + * Gets the URL for the Key Vault this client is associated with. + * + * @return The Key Vault URL. + */ + public String getVaultUrl() { + return vaultUrl; + } + + /** + * Lists all {@link KeyVaultRoleDefinition role definitions} that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleDefinition role + * definitions}. + * @return A {@link PagedFlux} containing the {@link KeyVaultRoleDefinition role definitions} for the given + * {@link KeyVaultRoleAssignmentScope roleScope}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. 
+ */ + @ServiceMethod(returns = ReturnType.COLLECTION) + public PagedFlux listRoleDefinitions(KeyVaultRoleAssignmentScope roleScope) { + return new PagedFlux<>( + () -> withContext(context -> listRoleDefinitionsFirstPage(vaultUrl, roleScope, context)), + continuationToken -> withContext(context -> listRoleDefinitionsNextPage(continuationToken, context))); + } + + /** + * Lists all {@link KeyVaultRoleDefinition role definitions} that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleDefinition role + * definitions}. + * @param context Additional {@link Context} that is passed through the HTTP pipeline during the service call. + * @return A {@link PagedFlux} containing the {@link KeyVaultRoleDefinition role definitions} for the given + * {@link KeyVaultRoleAssignmentScope roleScope}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. + */ + PagedFlux listRoleDefinitions(KeyVaultRoleAssignmentScope roleScope, Context context) { + return new PagedFlux<>( + () -> listRoleDefinitionsFirstPage(vaultUrl, roleScope, context), + continuationToken -> listRoleDefinitionsNextPage(continuationToken, context)); + } + + /** + * Lists all {@link KeyVaultRoleDefinition role definitions} in the first page that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param vaultUrl The URL for the Key Vault this client is associated with. + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleDefinition}. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link Mono} containing a {@link PagedResponse} of {@link KeyVaultRoleDefinition role definitions} + * for the given {@link KeyVaultRoleAssignmentScope roleScope} from the first page of results. 
+ * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. + */ + Mono> listRoleDefinitionsFirstPage(String vaultUrl, KeyVaultRoleAssignmentScope roleScope, Context context) { + Objects.requireNonNull(roleScope, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'roleScope'")); + + try { + return clientImpl.getRoleDefinitions() + .listSinglePageAsync(vaultUrl, roleScope.toString(), null, + context.addData(AZ_TRACING_NAMESPACE_KEY, KEYVAULT_TRACING_NAMESPACE_VALUE)) + .doOnRequest(ignored -> logger.info("Listing role definitions for roleScope - {}", roleScope)) + .doOnSuccess(response -> logger.info("Listed role definitions for roleScope - {}", roleScope)) + .doOnError(error -> logger.warning(String.format("Failed to list role definitions for roleScope - %s", + roleScope), error)) + .map(this::transformRoleDefinitionsPagedResponse); + } catch (RuntimeException e) { + return monoError(logger, e); + } + } + + /** + * Lists all {@link KeyVaultRoleDefinition role definitions} given by the {@code nextPageLink} that was retrieved + * from a call to + * {@link KeyVaultAccessControlAsyncClient#listRoleDefinitionsFirstPage(String, KeyVaultRoleAssignmentScope, Context)}. + * + * @param continuationToken The {@link PagedResponse#getContinuationToken() continuationToken} from a previous, + * successful call to one of the {@code listKeyVaultRoleDefinitions} operations. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link Mono} containing a {@link PagedResponse} of {@link KeyVaultRoleDefinition role definitions} + * for the given {@link KeyVaultRoleAssignmentScope roleScope} from the next page of results. 
+ */ + Mono> listRoleDefinitionsNextPage(String continuationToken, Context context) { + try { + return clientImpl.getRoleDefinitions() + .listNextSinglePageAsync(continuationToken, context.addData(AZ_TRACING_NAMESPACE_KEY, + KEYVAULT_TRACING_NAMESPACE_VALUE)) + .doOnRequest(ignored -> logger.info("Listing next role definitions page - Page {}", continuationToken)) + .doOnSuccess(response -> logger.info("Listed next role definitions page - Page {}", continuationToken)) + .doOnError(error -> logger.warning("Failed to list next role definitions page - Page {}", + continuationToken, error)) + .map(this::transformRoleDefinitionsPagedResponse); + } catch (RuntimeException e) { + return monoError(logger, e); + } + } + + /** + * Lists all {@link KeyVaultRoleAssignment role assignments} that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @return A {@link PagedFlux} containing the {@link KeyVaultRoleAssignment role assignments} for the given + * {@link KeyVaultRoleAssignmentScope roleScope}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. + */ + @ServiceMethod(returns = ReturnType.COLLECTION) + public PagedFlux listRoleAssignments(KeyVaultRoleAssignmentScope roleScope) { + return new PagedFlux<>( + () -> withContext(context -> listRoleAssignmentsFirstPage(vaultUrl, roleScope, context)), + continuationToken -> withContext(context -> listRoleAssignmentsNextPage(continuationToken, context))); + } + + /** + * Lists all {@link KeyVaultRoleAssignment role assignments} that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. 
+ * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link PagedFlux} containing the {@link KeyVaultRoleAssignment role assignments} for the given + * {@link KeyVaultRoleAssignmentScope roleScope}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. + */ + PagedFlux listRoleAssignments(KeyVaultRoleAssignmentScope roleScope, Context context) { + return new PagedFlux<>( + () -> listRoleAssignmentsFirstPage(vaultUrl, roleScope, context), + continuationToken -> listRoleAssignmentsNextPage(continuationToken, context)); + } + + /** + * Lists all {@link KeyVaultRoleAssignment role assignments} in the first page that are applicable at + * the given {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param vaultUrl The URL for the Key Vault this client is associated with. + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link Mono} containing a {@link PagedResponse} of {@link KeyVaultRoleAssignment role assignments} + * in the given {@link KeyVaultRoleAssignmentScope roleScope} from the first page of results. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. 
+ */ + Mono> listRoleAssignmentsFirstPage(String vaultUrl, KeyVaultRoleAssignmentScope roleScope, Context context) { + Objects.requireNonNull(roleScope, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'roleScope'")); + + try { + return clientImpl.getRoleAssignments() + .listForScopeSinglePageAsync(vaultUrl, roleScope.toString(), null, + context.addData(AZ_TRACING_NAMESPACE_KEY, KEYVAULT_TRACING_NAMESPACE_VALUE)) + .doOnRequest(ignored -> logger.info("Listing role assignments for roleScope - {}", roleScope)) + .doOnSuccess(response -> logger.info("Listed role assignments for roleScope - {}", roleScope)) + .doOnError(error -> logger.warning(String.format("Failed to list role assignments for roleScope - %s", + roleScope), error)) + .map(this::transformRoleAssignmentsPagedResponse); + } catch (RuntimeException e) { + return monoError(logger, e); + } + } + + /** + * Lists all {@link KeyVaultRoleAssignment role assignments} given by the {@code nextPageLink} that was + * retrieved from a call to + * {@link KeyVaultAccessControlAsyncClient#listRoleAssignments(KeyVaultRoleAssignmentScope)}. + * + * @param continuationToken The {@link PagedResponse#getContinuationToken() continuationToken} from a previous, + * successful call to one of the {@code listKeyVaultRoleAssignments} operations. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link Mono} containing a {@link PagedResponse} of {@link KeyVaultRoleAssignment role assignments} + * for the given {@link KeyVaultRoleAssignmentScope roleScope} from the first page of results. 
+ */ + Mono> listRoleAssignmentsNextPage(String continuationToken, Context context) { + try { + return clientImpl.getRoleAssignments() + .listForScopeNextSinglePageAsync(continuationToken, context.addData(AZ_TRACING_NAMESPACE_KEY, + KEYVAULT_TRACING_NAMESPACE_VALUE)) + .doOnRequest(ignored -> logger.info("Listing next role assignments page - Page {}", continuationToken)) + .doOnSuccess(response -> logger.info("Listed next role assignments page - Page {}", continuationToken)) + .doOnError(error -> logger.warning("Failed to list next role assignments page - Page {}", + continuationToken, error)) + .map(this::transformRoleAssignmentsPagedResponse); + } catch (RuntimeException e) { + return monoError(logger, e); + } + } + + /** + * Creates a {@link KeyVaultRoleAssignment} with a randomly generated {@link UUID name}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment} to + * create. + * @param properties Properties for the {@link KeyVaultRoleAssignment}. + * @return A {@link Mono} containing the created {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or + * {@link KeyVaultRoleAssignmentProperties properties} are {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono createRoleAssignment(KeyVaultRoleAssignmentScope roleScope, KeyVaultRoleAssignmentProperties properties) { + return createRoleAssignment(roleScope, UUID.randomUUID(), properties); + } + + /** + * Creates a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment} to + * create. + * @param name The name used to create the {@link KeyVaultRoleAssignment}. It can be any valid UUID. + * @param properties Properties for the {@link KeyVaultRoleAssignment}. + * @return A {@link Mono} containing the created {@link KeyVaultRoleAssignment}. 
+ * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope}, {@link UUID name} or + * {@link KeyVaultRoleAssignmentProperties properties} are {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono createRoleAssignment(KeyVaultRoleAssignmentScope roleScope, UUID name, KeyVaultRoleAssignmentProperties properties) { + return createRoleAssignmentWithResponse(roleScope, name, properties).flatMap(FluxUtil::toMono); + } + + /** + * Creates a {@link KeyVaultRoleAssignment} with a randomly generated {@link UUID name}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment} to + * create. + * @param properties Properties for the {@link KeyVaultRoleAssignment}. + * @return A {@link Mono} containing a {@link Response} whose {@link Response#getValue() value} contains the created + * {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or + * {@link KeyVaultRoleAssignmentProperties properties} are {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> createRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, KeyVaultRoleAssignmentProperties properties) { + return createRoleAssignmentWithResponse(roleScope, UUID.randomUUID(), properties); + } + + /** + * Creates a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment} to + * create. + * @param name The name used to create the {@link KeyVaultRoleAssignment}. It can be any valid UUID. + * @param properties Properties for the {@link KeyVaultRoleAssignment}. + * @return A {@link Mono} containing a {@link Response} whose {@link Response#getValue() value} contains the created + * {@link KeyVaultRoleAssignment}. 
+ * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope}, {@link UUID name} or + * {@link KeyVaultRoleAssignmentProperties properties} are {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> createRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, UUID name, KeyVaultRoleAssignmentProperties properties) { + return withContext(context -> createRoleAssignmentWithResponse(roleScope, name, properties, context)); + } + + /** + * Creates a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment} to + * create. + * @param name The name used to create the {@link KeyVaultRoleAssignment}. It can be any valid UUID. + * @param properties Properties for the {@link KeyVaultRoleAssignment}. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link Mono} containing a {@link Response} whose {@link Response#getValue() value} contains the created + * {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope}, {@link UUID name} or + * {@link KeyVaultRoleAssignmentProperties properties} are {@code null}. 
+ */ + Mono> createRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, UUID name, KeyVaultRoleAssignmentProperties properties, Context context) { + Objects.requireNonNull(roleScope, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'roleScope'")); + Objects.requireNonNull(name, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'name'")); + Objects.requireNonNull(properties, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'properties'")); + + RoleAssignmentProperties roleAssignmentProperties = + new RoleAssignmentProperties() + .setRoleDefinitionId(properties.getRoleDefinitionId()) + .setPrincipalId(properties.getPrincipalId()); + RoleAssignmentCreateParameters parameters = + new RoleAssignmentCreateParameters() + .setProperties(roleAssignmentProperties); + + return clientImpl.getRoleAssignments() + .createWithResponseAsync(vaultUrl, roleScope.toString(), name.toString(), parameters, + context.addData(AZ_TRACING_NAMESPACE_KEY, KEYVAULT_TRACING_NAMESPACE_VALUE)) + .doOnRequest(ignored -> logger.info("Creating role assignment - {}", name)) + .doOnSuccess(response -> logger.info("Created role assignment - {}", response.getValue().getName())) + .doOnError(error -> logger.warning("Failed to create role assignment - {}", name, error)) + .map(this::transformRoleAssignmentResponse); + } + + /** + * Gets a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name used of the {@link KeyVaultRoleAssignment}. + * @return A {@link Mono} containing the {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link String name} are + * {@code null}. 
+ */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono getRoleAssignment(KeyVaultRoleAssignmentScope roleScope, String name) { + return getRoleAssignmentWithResponse(roleScope, name).flatMap(FluxUtil::toMono); + } + + /** + * Gets a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. + * @return A {@link Mono} containing a {@link Response} whose {@link Response#getValue() value} contains the + * {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link String name} are + * {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> getRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, String name) { + return withContext(context -> getRoleAssignmentWithResponse(roleScope, name, context)); + } + + /** + * Gets a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link Mono} containing a {@link Response} whose {@link Response#getValue() value} contains the + * {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link String name} are + * {@code null}. 
+ */ + Mono> getRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, String name, Context context) { + Objects.requireNonNull(roleScope, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'roleScope'")); + Objects.requireNonNull(name, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'name'")); + + try { + return clientImpl.getRoleAssignments() + .getWithResponseAsync(vaultUrl, roleScope.toString(), name, context.addData(AZ_TRACING_NAMESPACE_KEY, + KEYVAULT_TRACING_NAMESPACE_VALUE)) + .doOnRequest(ignored -> logger.info("Retrieving role assignment - {}", name)) + .doOnSuccess(response -> logger.info("Retrieved role assignment - {}", response.getValue().getName())) + .doOnError(error -> logger.warning("Failed to retrieved role assignment - {}", name, error)) + .map(this::transformRoleAssignmentResponse); + } catch (RuntimeException e) { + return monoError(logger, e); + } + } + + /** + * Deletes a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. + * @return A {@link Mono} containing the {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link String name} are + * {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono deleteRoleAssignment(KeyVaultRoleAssignmentScope roleScope, String name) { + return deleteRoleAssignmentWithResponse(roleScope, name).flatMap(FluxUtil::toMono); + } + + /** + * Deletes a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. 
+ * @return A {@link Mono} containing a {@link Response} whose {@link Response#getValue() value} contains the + * {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link String name} are + * {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> deleteRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, String name) { + return withContext(context -> deleteRoleAssignmentWithResponse(roleScope, name, context)); + } + + /** + * Deletes a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link Mono} containing a {@link Response} whose {@link Response#getValue() value} contains the + * {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link String name} are + * {@code null}. 
+ */ + Mono> deleteRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, String name, Context context) { + Objects.requireNonNull(roleScope, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'roleScope'")); + Objects.requireNonNull(name, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'name'")); + + try { + return clientImpl.getRoleAssignments() + .deleteWithResponseAsync(vaultUrl, roleScope.toString(), name, context.addData(AZ_TRACING_NAMESPACE_KEY, + KEYVAULT_TRACING_NAMESPACE_VALUE)) + .doOnRequest(ignored -> logger.info("Deleting role assignment - {}", name)) + .doOnSuccess(response -> logger.info("Deleted role assignment - {}", response.getValue().getName())) + .doOnError(error -> logger.warning("Failed to delete role assignment - {}", name, error)) + .map(this::transformRoleAssignmentResponse); + } catch (RuntimeException e) { + return monoError(logger, e); + } + } + + private PagedResponse transformRoleDefinitionsPagedResponse(PagedResponse pagedResponse) { + List keyVaultRoleDefinitions = new ArrayList<>(); + + for (RoleDefinition roleDefinition : pagedResponse.getValue()) { + keyVaultRoleDefinitions.add(roleDefinitionToKeyVaultRoleDefinition(roleDefinition)); + } + + return new PagedResponse() { + @Override + public void close() throws IOException { + } + + @Override + public IterableStream getElements() { + return new IterableStream<>(keyVaultRoleDefinitions); + } + + @Override + public String getContinuationToken() { + return pagedResponse.getContinuationToken(); + } + + @Override + public int getStatusCode() { + return pagedResponse.getStatusCode(); + } + + @Override + public HttpHeaders getHeaders() { + return pagedResponse.getHeaders(); + } + + @Override + public HttpRequest getRequest() { + return pagedResponse.getRequest(); + } + + @Override + public List getValue() { + return keyVaultRoleDefinitions; + } + }; + } + + private 
Response transformRoleAssignmentResponse(Response response) { + KeyVaultRoleAssignment keyVaultRoleAssignment = roleAssignmentToKeyVaultRoleAssignment(response.getValue()); + + return new Response() { + @Override + public int getStatusCode() { + return response.getStatusCode(); + } + + @Override + public HttpHeaders getHeaders() { + return response.getHeaders(); + } + + @Override + public HttpRequest getRequest() { + return response.getRequest(); + } + + @Override + public KeyVaultRoleAssignment getValue() { + return keyVaultRoleAssignment; + } + }; + } + + private KeyVaultRoleDefinition roleDefinitionToKeyVaultRoleDefinition(RoleDefinition roleDefinition) { + List keyVaultPermissions = new ArrayList<>(); + + for (Permission permission : roleDefinition.getPermissions()) { + keyVaultPermissions.add( + new KeyVaultPermission(permission.getActions(), permission.getDataActions(), + permission.getDataActions(), permission.getNotDataActions())); + } + + return new KeyVaultRoleDefinition(roleDefinition.getId(), roleDefinition.getName(), roleDefinition.getType(), + new KeyVaultRoleDefinitionProperties(roleDefinition.getRoleName(), + roleDefinition.getDescription(), roleDefinition.getRoleType(), keyVaultPermissions, + roleDefinition.getAssignableScopes())); + } + + private PagedResponse transformRoleAssignmentsPagedResponse(PagedResponse pagedResponse) { + List keyVaultRoleAssignments = new ArrayList<>(); + + for (RoleAssignment roleAssignment : pagedResponse.getValue()) { + keyVaultRoleAssignments.add(roleAssignmentToKeyVaultRoleAssignment(roleAssignment)); + } + + return new PagedResponse() { + @Override + public void close() throws IOException { + } + + @Override + public IterableStream getElements() { + return new IterableStream<>(keyVaultRoleAssignments); + } + + @Override + public String getContinuationToken() { + return pagedResponse.getContinuationToken(); + } + + @Override + public int getStatusCode() { + return pagedResponse.getStatusCode(); + } + + @Override + 
public HttpHeaders getHeaders() { + return pagedResponse.getHeaders(); + } + + @Override + public HttpRequest getRequest() { + return pagedResponse.getRequest(); + } + + @Override + public List getValue() { + return keyVaultRoleAssignments; + } + }; + } + + private KeyVaultRoleAssignment roleAssignmentToKeyVaultRoleAssignment(RoleAssignment roleAssignment) { + RoleAssignmentPropertiesWithScope propertiesWithScope = roleAssignment.getProperties(); + + return new KeyVaultRoleAssignment(roleAssignment.getId(), roleAssignment.getName(), roleAssignment.getType(), + new KeyVaultRoleAssignmentProperties(propertiesWithScope.getRoleDefinitionId(), + propertiesWithScope.getPrincipalId()), KeyVaultRoleAssignmentScope.fromString(propertiesWithScope.getScope())); + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlClient.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlClient.java new file mode 100644 index 000000000000..d4cdcff2808a --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlClient.java 
@@ -0,0 +1,209 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration; + +import com.azure.core.annotation.ReturnType; +import com.azure.core.annotation.ServiceClient; +import com.azure.core.annotation.ServiceMethod; +import com.azure.core.http.rest.PagedIterable; +import com.azure.core.http.rest.Response; +import com.azure.core.util.Context; +import com.azure.security.keyvault.administration.models.*; +import reactor.core.publisher.Mono; + +import java.util.UUID; + +/** + * The {@link KeyVaultAccessControlClient} provides synchronous methods to view and manage Role Based Access for the + * Azure Key Vault. The client supports creating, listing, updating, and deleting {@link KeyVaultRoleAssignment role + * assignments}. Additionally, the client supports listing {@link KeyVaultRoleDefinition role definitions}. + */ +@ServiceClient(builder = KeyVaultAccessControlClientBuilder.class) +public final class KeyVaultAccessControlClient { + private final KeyVaultAccessControlAsyncClient asyncClient; + + /** + * Creates an {@link KeyVaultAccessControlClient} that uses a {@link com.azure.core.http.HttpPipeline pipeline} + * to service requests. + * + * @param asyncClient The {@link KeyVaultAccessControlAsyncClient} that this client routes its request through. + */ + KeyVaultAccessControlClient(KeyVaultAccessControlAsyncClient asyncClient) { + this.asyncClient = asyncClient; + } + + /** + * Gets the URL for the Key Vault this client is associated with. + * + * @return The Key Vault URL. + */ + public String getVaultUrl() { + return asyncClient.getVaultUrl(); + } + + /** + * Get all {@link KeyVaultRoleDefinition role definitions} that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleDefinition role + * definitions}. 
+ * @return A {@link PagedIterable} containing the {@link KeyVaultRoleDefinition role definitions} for the given + * {@link KeyVaultRoleAssignmentScope roleScope}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. + */ + @ServiceMethod(returns = ReturnType.COLLECTION) + public PagedIterable listRoleDefinitions(KeyVaultRoleAssignmentScope roleScope) { + return new PagedIterable<>(asyncClient.listRoleDefinitions(roleScope, Context.NONE)); + } + + /** + * Get all {@link KeyVaultRoleDefinition role definitions} that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleDefinition role + * definitions}. + * @param context Additional {@link Context} that is passed through the HTTP pipeline during the service call. + * @return A {@link PagedIterable} containing the {@link KeyVaultRoleDefinition role definitions} for the given + * {@link KeyVaultRoleAssignmentScope roleScope}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. + */ + @ServiceMethod(returns = ReturnType.COLLECTION) + public PagedIterable listRoleDefinitions(KeyVaultRoleAssignmentScope roleScope, Context context) { + return new PagedIterable<>(asyncClient.listRoleDefinitions(roleScope, context)); + } + + /** + * Get all {@link KeyVaultRoleAssignment role assignments} that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @return A {@link PagedIterable} containing the {@link KeyVaultRoleAssignment role assignments} for the given + * {@link KeyVaultRoleAssignmentScope roleScope}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. 
+ */ + @ServiceMethod(returns = ReturnType.COLLECTION) + public PagedIterable listRoleAssignments(KeyVaultRoleAssignmentScope roleScope) { + return new PagedIterable<>(asyncClient.listRoleAssignments(roleScope, Context.NONE)); + } + + /** + * Get all {@link KeyVaultRoleAssignment role assignments} that are applicable at the given + * {@link KeyVaultRoleAssignmentScope roleScope} and above. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link PagedIterable} containing the {@link KeyVaultRoleAssignment role assignments} for the given + * {@link KeyVaultRoleAssignmentScope roleScope}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} is {@code null}. + */ + @ServiceMethod(returns = ReturnType.COLLECTION) + public PagedIterable listRoleAssignments(KeyVaultRoleAssignmentScope roleScope, Context context) { + return new PagedIterable<>(asyncClient.listRoleAssignments(roleScope, context)); + } + + /** + * Creates a {@link KeyVaultRoleAssignment} with a randomly generated {@link UUID name}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment} to + * create. + * @param properties Properties for the {@link KeyVaultRoleAssignment}. + * @return The created {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or + * {@link KeyVaultRoleAssignmentProperties properties} are {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public KeyVaultRoleAssignment createRoleAssignment(KeyVaultRoleAssignmentScope roleScope, KeyVaultRoleAssignmentProperties properties) { + return createRoleAssignmentWithResponse(roleScope, UUID.randomUUID(), properties, Context.NONE).getValue(); + } + + /** + * Creates a {@link KeyVaultRoleAssignment}. 
+ * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment} to + * create. + * @param name The name used to create the {@link KeyVaultRoleAssignment}. It can be any valid UUID. + * @param properties Properties for the {@link KeyVaultRoleAssignment}. + * @return The created {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope}, {@link UUID name} or + * {@link KeyVaultRoleAssignmentProperties properties} are {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public KeyVaultRoleAssignment createRoleAssignment(KeyVaultRoleAssignmentScope roleScope, UUID name, KeyVaultRoleAssignmentProperties properties) { + return createRoleAssignmentWithResponse(roleScope, name, properties, Context.NONE).getValue(); + } + + /** + * Creates a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment} to + * create. + * @param name The name used to create the {@link KeyVaultRoleAssignment}. It can be any valid UUID. + * @param properties Properties for the {@link KeyVaultRoleAssignment}. + * @param context Additional context that is passed through the HTTP pipeline during the service call. + * @return A {@link Mono} containing a {@link Response} whose {@link Response#getValue() value} contains the created + * {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope}, {@link UUID name} or + * {@link KeyVaultRoleAssignmentProperties properties} are {@code null}. 
+ */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Response createRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, UUID name, KeyVaultRoleAssignmentProperties properties, Context context) { + return asyncClient.createRoleAssignmentWithResponse(roleScope, name, properties, context).block(); + } + + /** + * Gets a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. + * @return The {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link UUID name} are + * {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public KeyVaultRoleAssignment getRoleAssignment(KeyVaultRoleAssignmentScope roleScope, String name) { + return getRoleAssignmentWithResponse(roleScope, name, Context.NONE).getValue(); + } + + /** + * Gets a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. + * @return The {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link UUID name} are + * {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Response getRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, String name, Context context) { + return asyncClient.getRoleAssignmentWithResponse(roleScope, name, context).block(); + } + + /** + * Deletes a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. + * @return The {@link KeyVaultRoleAssignment}. 
+ * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link UUID name} are + * {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public KeyVaultRoleAssignment deleteRoleAssignment(KeyVaultRoleAssignmentScope roleScope, String name) { + return deleteRoleAssignmentWithResponse(roleScope, name, Context.NONE).getValue(); + } + + /** + * Deletes a {@link KeyVaultRoleAssignment}. + * + * @param roleScope The {@link KeyVaultRoleAssignmentScope roleScope} of the {@link KeyVaultRoleAssignment}. + * @param name The name of the {@link KeyVaultRoleAssignment}. + * @return The {@link KeyVaultRoleAssignment}. + * @throws NullPointerException if the {@link KeyVaultRoleAssignmentScope roleScope} or {@link UUID name} are + * {@code null}. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Response deleteRoleAssignmentWithResponse(KeyVaultRoleAssignmentScope roleScope, String name, Context context) { + return asyncClient.deleteRoleAssignmentWithResponse(roleScope, name, context).block(); + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlClientBuilder.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlClientBuilder.java new file mode 100644 index 000000000000..2bfa61f3a75f --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlClientBuilder.java 
@@ -0,0 +1,287 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration; + +import com.azure.core.annotation.ServiceClientBuilder; +import com.azure.core.credential.TokenCredential; +import com.azure.core.http.HttpClient; +import com.azure.core.http.HttpPipeline; +import com.azure.core.http.HttpPipelineBuilder; +import com.azure.core.http.policy.*; +import com.azure.core.util.Configuration; +import com.azure.core.util.CoreUtils; +import com.azure.core.util.logging.ClientLogger; +import com.azure.security.keyvault.administration.implementation.KeyVaultCredentialPolicy; +import com.azure.security.keyvault.administration.implementation.KeyVaultErrorCodeStrings; + +import java.net.MalformedURLException; +import java.net.URL; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** + * This class provides a fluent builder API to help aid the configuration and instantiation of the + * {@link KeyVaultAccessControlAsyncClient} and {@link KeyVaultAccessControlClient}, by calling + * {@link KeyVaultAccessControlClientBuilder#buildAsyncClient()} and + * {@link KeyVaultAccessControlClientBuilder#buildClient()} respectively. It constructs an instance of the desired + * client. + * + *

The minimal configuration options required by {@link KeyVaultAccessControlClientBuilder} to build an + * an {@link KeyVaultAccessControlAsyncClient} are {@link String vaultUrl} and {@link TokenCredential credential}.

+ * + *

The {@link HttpLogDetailLevel}, multiple custom {@link HttpLoggingPolicy policies} and custom + * {@link HttpClient} can be optionally configured in the {@link KeyVaultAccessControlClientBuilder}.

+ * + *

Alternatively, a custom {@link HttpPipeline} with custom {@link HttpPipelinePolicy} policies and {@link String + * vaultUrl} can be specified. It provides finer control over the construction of + * {@link KeyVaultAccessControlAsyncClient} and {@link KeyVaultAccessControlClient} instances.

+ * + *

The minimal configuration options required by {@link KeyVaultAccessControlClientBuilder} to build an + * {@link KeyVaultAccessControlClient} are {@link String vaultUrl} and {@link TokenCredential credential}.

+ * + * @see KeyVaultAccessControlAsyncClient + * @see KeyVaultAccessControlClient + */ +@ServiceClientBuilder(serviceClients = {KeyVaultAccessControlClient.class, KeyVaultAccessControlAsyncClient.class}) +public final class KeyVaultAccessControlClientBuilder { + // This is the properties file name. + private static final String AZURE_KEY_VAULT_RBAC = "azure-key-vault-administration.properties"; + private static final String SDK_NAME = "name"; + private static final String SDK_VERSION = "version"; + + private final ClientLogger logger = new ClientLogger(KeyVaultAccessControlClientBuilder.class); + private final List policies; + private final Map properties; + + private TokenCredential credential; + private HttpPipeline pipeline; + private URL vaultUrl; + private HttpClient httpClient; + private HttpLogOptions httpLogOptions; + private RetryPolicy retryPolicy; + private Configuration configuration; + + /** + * Creates a {@link KeyVaultAccessControlClientBuilder} instance that is able to configure and construct + * instances of {@link KeyVaultAccessControlClient} and {@link KeyVaultAccessControlAsyncClient}. + */ + public KeyVaultAccessControlClientBuilder() { + retryPolicy = new RetryPolicy(); + httpLogOptions = new HttpLogOptions(); + policies = new ArrayList<>(); + properties = CoreUtils.getProperties(AZURE_KEY_VAULT_RBAC); + } + + /** + * Creates an {@link KeyVaultAccessControlClient} based on options set in the Builder. Every time {@code + * buildClient()} is called a new instance of {@link KeyVaultAccessControlClient} is created. + *

+ * If {@link #pipeline(HttpPipeline) pipeline} is set, then only the {@code pipeline} and + * {@link #vaultUrl(String) vaultUrl} are used to create the {@link KeyVaultAccessControlClient client}. All other + * builder settings are ignored. + * + * @return An {@link KeyVaultAccessControlClient} with the options set from the builder. + * @throws NullPointerException If {@code vaultUrl} is {@code null}. + */ + public KeyVaultAccessControlClient buildClient() { + return new KeyVaultAccessControlClient(buildAsyncClient()); + } + + /** + * Creates a {@link KeyVaultAccessControlAsyncClient} based on options set in the Builder. Every time {@code + * buildAsyncClient()} is called a new instance of {@link KeyVaultAccessControlAsyncClient} is created. + *

+ * If {@link #pipeline(HttpPipeline) pipeline} is set, then only the {@code pipeline} and + * {@link #vaultUrl(String) endpoint} are used to create the {@link KeyVaultAccessControlAsyncClient client}. All + * other builder settings are ignored. + * + * @return An {@link KeyVaultAccessControlAsyncClient} with the options set from the builder. + * @throws NullPointerException If {@code vaultUrl} is {@code null}. + */ + public KeyVaultAccessControlAsyncClient buildAsyncClient() { + Configuration buildConfiguration = (configuration == null) + ? Configuration.getGlobalConfiguration().clone() + : configuration; + + URL buildEndpoint = getBuildEndpoint(buildConfiguration); + + if (buildEndpoint == null) { + throw logger.logExceptionAsError( + new IllegalStateException( + KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.VAULT_END_POINT_REQUIRED))); + } + + if (pipeline != null) { + return new KeyVaultAccessControlAsyncClient(vaultUrl, pipeline); + } + + // Closest to API goes first, closest to wire goes last. + final List policies = new ArrayList<>(); + + String clientName = properties.getOrDefault(SDK_NAME, "UnknownName"); + String clientVersion = properties.getOrDefault(SDK_VERSION, "UnknownVersion"); + + policies.add(new UserAgentPolicy(httpLogOptions.getApplicationId(), clientName, clientVersion, + buildConfiguration)); + HttpPolicyProviders.addBeforeRetryPolicies(policies); + policies.add(retryPolicy == null ? new RetryPolicy() : retryPolicy); + this.policies.add(new KeyVaultCredentialPolicy(credential)); + policies.addAll(this.policies); + HttpPolicyProviders.addAfterRetryPolicies(policies); + policies.add(new HttpLoggingPolicy(httpLogOptions)); + + HttpPipeline buildPipeline = new HttpPipelineBuilder() + .policies(policies.toArray(new HttpPipelinePolicy[0])) + .httpClient(httpClient) + .build(); + + return new KeyVaultAccessControlAsyncClient(vaultUrl, buildPipeline); + } + + /** + * Sets the URL to the Key Vault on which the client operates. 
Appears as "DNS Name" in the Azure portal. + * + * @param vaultUrl The vault URL is used as destination on Azure to send requests to. + * @return The updated {@link KeyVaultAccessControlClientBuilder} object. + * @throws IllegalArgumentException If {@code vaultUrl} is null or it cannot be parsed into a valid URL. + */ + public KeyVaultAccessControlClientBuilder vaultUrl(String vaultUrl) { + try { + this.vaultUrl = new URL(vaultUrl); + } catch (MalformedURLException e) { + throw logger.logExceptionAsWarning( + new IllegalArgumentException("The Azure Key Vault URL is malformed.", e)); + } + + return this; + } + + /** + * Sets the credential to use when authenticating HTTP requests. + * + * @param credential The credential to use for authenticating HTTP requests. + * @return The updated {@link KeyVaultAccessControlClientBuilder} object. + * @throws NullPointerException If {@code credential} is {@code null}. + */ + public KeyVaultAccessControlClientBuilder credential(TokenCredential credential) { + Objects.requireNonNull(credential); + + this.credential = credential; + + return this; + } + + /** + * Sets the logging configuration for HTTP requests and responses. + * + *

If logLevel is not provided, default value of {@link HttpLogDetailLevel#NONE} is set.

+ * + * @param logOptions The logging configuration to use when sending and receiving HTTP requests/responses. + * @return The updated {@link KeyVaultAccessControlClientBuilder} object. + */ + public KeyVaultAccessControlClientBuilder httpLogOptions(HttpLogOptions logOptions) { + httpLogOptions = logOptions; + + return this; + } + + /** + * Adds a policy to the set of existing policies that are executed after and {@link KeyVaultAccessControlClient} + * {@link KeyVaultAccessControlAsyncClient} required policies. + * + * @param policy The {@link HttpPipelinePolicy policy} to be added. + * @return The updated {@link KeyVaultAccessControlClientBuilder} object. + * @throws NullPointerException If {@code policy} is {@code null}. + */ + public KeyVaultAccessControlClientBuilder addPolicy(HttpPipelinePolicy policy) { + Objects.requireNonNull(policy); + + policies.add(policy); + + return this; + } + + /** + * Sets the HTTP client to use for sending and receiving requests to and from the service. + * + * @param client The HTTP client to use for requests. + * @return The updated {@link KeyVaultAccessControlClientBuilder} object. + * @throws NullPointerException If {@code client} is {@code null}. + */ + public KeyVaultAccessControlClientBuilder httpClient(HttpClient client) { + Objects.requireNonNull(client); + + this.httpClient = client; + + return this; + } + + /** + * Sets the HTTP pipeline to use for the service client. + *

+ * If {@code pipeline} is set, all other settings are ignored, aside from + * {@link KeyVaultAccessControlClientBuilder#vaultUrl(String) vaultUrl} to build {@link KeyVaultAccessControlClient} + * or {@link KeyVaultAccessControlAsyncClient}. + * + * @param pipeline The HTTP pipeline to use for sending service requests and receiving responses. + * @return The updated {@link KeyVaultAccessControlClientBuilder} object. + */ + public KeyVaultAccessControlClientBuilder pipeline(HttpPipeline pipeline) { + Objects.requireNonNull(pipeline); + this.pipeline = pipeline; + return this; + } + + /** + * Sets the configuration store that is used during construction of the service client. + *

+ * The default configuration store is a clone of the {@link Configuration#getGlobalConfiguration() global + * configuration store}, use {@link Configuration#NONE} to bypass using configuration settings during construction. + * + * @param configuration The configuration store used to get configuration details. + * @return The updated {@link KeyVaultAccessControlClientBuilder} object. + */ + public KeyVaultAccessControlClientBuilder configuration(Configuration configuration) { + this.configuration = configuration; + + return this; + } + + /** + * Sets the {@link RetryPolicy} that is used when each request is sent. + *

+ * The default retry policy will be used in the pipeline, if not provided. + * + * @param retryPolicy User's retry policy applied to each request. + * @return The updated {@link KeyVaultAccessControlClientBuilder} object. + * @throws NullPointerException If the specified {@code retryPolicy} is null. + */ + public KeyVaultAccessControlClientBuilder retryPolicy(RetryPolicy retryPolicy) { + Objects.requireNonNull(retryPolicy, "The retry policy cannot be bull"); + + this.retryPolicy = retryPolicy; + + return this; + } + + private URL getBuildEndpoint(Configuration configuration) { + if (vaultUrl != null) { + return vaultUrl; + } + + String configEndpoint = configuration.get("AZURE_KEYVAULT_ENDPOINT"); + + if (CoreUtils.isNullOrEmpty(configEndpoint)) { + return null; + } + + try { + return new URL(configEndpoint); + } catch (MalformedURLException ex) { + return null; + } + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultAccessControlClientImpl.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultAccessControlClientImpl.java new file mode 100644 index 000000000000..1eedce941db5 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultAccessControlClientImpl.java 
@@ -0,0 +1,108 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation; + +import com.azure.core.http.HttpPipeline; +import com.azure.core.http.HttpPipelineBuilder; +import com.azure.core.http.policy.CookiePolicy; +import com.azure.core.http.policy.RetryPolicy; +import com.azure.core.http.policy.UserAgentPolicy; +import com.azure.core.util.serializer.JacksonAdapter; +import com.azure.core.util.serializer.SerializerAdapter; + +/** Initializes a new instance of the KeyVaultAccessControlClient type. */ +public final class KeyVaultAccessControlClientImpl { + /** Api Version. */ + private final String apiVersion; + + /** + * Gets Api Version. + * + * @return the apiVersion value. + */ + public String getApiVersion() { + return this.apiVersion; + } + + /** The HTTP pipeline to send requests through. */ + private final HttpPipeline httpPipeline; + + /** + * Gets The HTTP pipeline to send requests through. + * + * @return the httpPipeline value. + */ + public HttpPipeline getHttpPipeline() { + return this.httpPipeline; + } + + /** The serializer to serialize an object into a string. */ + private final SerializerAdapter serializerAdapter; + + /** + * Gets The serializer to serialize an object into a string. + * + * @return the serializerAdapter value. + */ + public SerializerAdapter getSerializerAdapter() { + return this.serializerAdapter; + } + + /** The RoleDefinitionsImpl object to access its operations. */ + private final RoleDefinitionsImpl roleDefinitions; + + /** + * Gets the RoleDefinitionsImpl object to access its operations. + * + * @return the RoleDefinitionsImpl object. + */ + public RoleDefinitionsImpl getRoleDefinitions() { + return this.roleDefinitions; + } + + /** The RoleAssignmentsImpl object to access its operations. 
*/ + private final RoleAssignmentsImpl roleAssignments; + + /** + * Gets the RoleAssignmentsImpl object to access its operations. + * + * @return the RoleAssignmentsImpl object. + */ + public RoleAssignmentsImpl getRoleAssignments() { + return this.roleAssignments; + } + + /** Initializes an instance of KeyVaultAccessControlClient client. */ + KeyVaultAccessControlClientImpl() { + this( + new HttpPipelineBuilder() + .policies(new UserAgentPolicy(), new RetryPolicy(), new CookiePolicy()) + .build(), + JacksonAdapter.createDefaultSerializerAdapter()); + } + + /** + * Initializes an instance of KeyVaultAccessControlClient client. + * + * @param httpPipeline The HTTP pipeline to send requests through. + */ + KeyVaultAccessControlClientImpl(HttpPipeline httpPipeline) { + this(httpPipeline, JacksonAdapter.createDefaultSerializerAdapter()); + } + + /** + * Initializes an instance of KeyVaultAccessControlClient client. + * + * @param httpPipeline The HTTP pipeline to send requests through. + * @param serializerAdapter The serializer to serialize an object into a string. + */ + KeyVaultAccessControlClientImpl(HttpPipeline httpPipeline, SerializerAdapter serializerAdapter) { + this.httpPipeline = httpPipeline; + this.serializerAdapter = serializerAdapter; + this.apiVersion = "7.2-preview"; + this.roleDefinitions = new RoleDefinitionsImpl(this); + this.roleAssignments = new RoleAssignmentsImpl(this); + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultAccessControlClientImplBuilder.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultAccessControlClientImplBuilder.java new file mode 100644 index 000000000000..d135ff4387b1 --- /dev/null 
+++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultAccessControlClientImplBuilder.java 
@@ -0,0 +1,69 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation; + +import com.azure.core.annotation.ServiceClientBuilder; +import com.azure.core.http.HttpPipeline; +import com.azure.core.http.HttpPipelineBuilder; +import com.azure.core.http.policy.CookiePolicy; +import com.azure.core.http.policy.RetryPolicy; +import com.azure.core.http.policy.UserAgentPolicy; +import com.azure.core.util.serializer.JacksonAdapter; +import com.azure.core.util.serializer.SerializerAdapter; + +/** A builder for creating a new instance of the KeyVaultAccessControlClient type. */ +@ServiceClientBuilder(serviceClients = {KeyVaultAccessControlClientImpl.class}) +public final class KeyVaultAccessControlClientImplBuilder { + /* + * The HTTP pipeline to send requests through + */ + private HttpPipeline pipeline; + + /** + * Sets The HTTP pipeline to send requests through. + * + * @param pipeline the pipeline value. + * @return the KeyVaultAccessControlClientImplBuilder. + */ + public KeyVaultAccessControlClientImplBuilder pipeline(HttpPipeline pipeline) { + this.pipeline = pipeline; + return this; + } + + /* + * The serializer to serialize an object into a string + */ + private SerializerAdapter serializerAdapter; + + /** + * Sets The serializer to serialize an object into a string. + * + * @param serializerAdapter the serializerAdapter value. + * @return the KeyVaultAccessControlClientImplBuilder. + */ + public KeyVaultAccessControlClientImplBuilder serializerAdapter(SerializerAdapter serializerAdapter) { + this.serializerAdapter = serializerAdapter; + return this; + } + + /** + * Builds an instance of KeyVaultAccessControlClientImpl with the provided parameters. + * + * @return an instance of KeyVaultAccessControlClientImpl. 
+ */ + public KeyVaultAccessControlClientImpl buildClient() { + if (pipeline == null) { + this.pipeline = + new HttpPipelineBuilder() + .policies(new UserAgentPolicy(), new RetryPolicy(), new CookiePolicy()) + .build(); + } + if (serializerAdapter == null) { + this.serializerAdapter = JacksonAdapter.createDefaultSerializerAdapter(); + } + KeyVaultAccessControlClientImpl client = new KeyVaultAccessControlClientImpl(pipeline, serializerAdapter); + return client; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java new file mode 100644 index 000000000000..947721a0cdc4 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java 
@@ -0,0 +1,125 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.implementation; + +import com.azure.core.credential.TokenCredential; +import com.azure.core.credential.TokenRequestContext; +import com.azure.core.http.HttpPipelineCallContext; +import com.azure.core.http.HttpPipelineNextPolicy; +import com.azure.core.http.HttpResponse; +import com.azure.core.http.policy.HttpPipelinePolicy; +import com.azure.core.util.CoreUtils; +import com.azure.core.util.logging.ClientLogger; +import reactor.core.publisher.Mono; + +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; +import java.util.Objects; + +/** + * A policy that authenticates requests with Azure Key Vault service. The content added by this policy is leveraged + * in {@link TokenCredential} to get and set the correct "Authorization" header value. + * + * @see TokenCredential + */ +public final class KeyVaultCredentialPolicy implements HttpPipelinePolicy { + private final ClientLogger logger = new ClientLogger(KeyVaultCredentialPolicy.class); + private static final String WWW_AUTHENTICATE = "WWW-Authenticate"; + private static final String BEARER_TOKEN_PREFIX = "Bearer "; + private static final String AUTHORIZATION = "Authorization"; + private final ScopeTokenCache cache; + + /** + * Creates KeyVaultCredentialPolicy. + * + * @param credential the token credential to authenticate the request + */ + public KeyVaultCredentialPolicy(TokenCredential credential) { + Objects.requireNonNull(credential); + + this.cache = new ScopeTokenCache(credential::getToken); + } + + /** + * Adds the required header to authenticate a request to Azure Key Vault service. + * + * @param context The request {@link HttpPipelineCallContext context}. + * @param next The next HTTP pipeline policy to process the {@link HttpPipelineCallContext context's} request + * after this policy completes. 
+ * @return A {@link Mono} representing the {@link HttpResponse HTTP response} that will arrive asynchronously. + */ + @Override + public Mono process(HttpPipelineCallContext context, HttpPipelineNextPolicy next) { + if (!context.getHttpRequest().getUrl().getProtocol().startsWith("https")) { + return Mono.error(new RuntimeException("Token credentials require a URL using the HTTPS protocol scheme")); + } + + return next.clone().process() + .doOnNext(httpResponse -> { + // KV follows challenge based auth. Currently every service + // call hit the endpoint for challenge and then resend the + // request with token. The challenge response body is not + // consumed, not draining/closing the body will result in leak. + // Ref: https://github.com/Azure/azure-sdk-for-java/issues/7934 + // https://github.com/Azure/azure-sdk-for-java/issues/10467 + try { + httpResponse.getBody().subscribe().dispose(); + } catch (RuntimeException ignored) { + logger.logExceptionAsWarning(ignored); + } + // The ReactorNettyHttpResponse::close() should be sufficient + // and should take care similar body disposal but looks like that + // is not happening, need to re-visit the close() method. + }) + .map(res -> res.getHeaderValue(WWW_AUTHENTICATE)) + .map(header -> extractChallenge(header, BEARER_TOKEN_PREFIX)) + .flatMap(map -> { + cache.setTokenRequest(new TokenRequestContext().addScopes(map.get("resource") + "/.default")); + return cache.getToken(); + }) + .flatMap(token -> { + context.getHttpRequest().setHeader(AUTHORIZATION, BEARER_TOKEN_PREFIX + token.getToken()); + return next.process(); + }); + } + + /** + * Extracts the challenge off the authentication header. + * + * @param authenticateHeader The authentication header containing all the challenges. + * @param authChallengePrefix The authentication challenge name. + * @return A challenge map. 
+ */ + private static Map extractChallenge(String authenticateHeader, String authChallengePrefix) { + if (!isValidChallenge(authenticateHeader, authChallengePrefix)) { + return null; + } + + authenticateHeader = + authenticateHeader.toLowerCase(Locale.ROOT).replace(authChallengePrefix.toLowerCase(Locale.ROOT), ""); + + String[] challenges = authenticateHeader.split(", "); + Map challengeMap = new HashMap<>(); + + for (String pair : challenges) { + String[] keyValue = pair.split("="); + challengeMap.put(keyValue[0].replaceAll("\"", ""), keyValue[1].replaceAll("\"", "")); + } + + return challengeMap; + } + + /** + * Verifies whether a challenge is bearer or not. + * + * @param authenticateHeader The authentication header containing all the challenges. + * @param authChallengePrefix The authentication challenge name. + * @return A boolean indicating tha challenge is valid or not. + */ + private static boolean isValidChallenge(String authenticateHeader, String authChallengePrefix) { + return (!CoreUtils.isNullOrEmpty(authenticateHeader) + && authenticateHeader.toLowerCase(Locale.ROOT).startsWith(authChallengePrefix.toLowerCase(Locale.ROOT))); + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultErrorCodeStrings.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultErrorCodeStrings.java new file mode 100644 index 000000000000..9421a205af76 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultErrorCodeStrings.java 
@@ -0,0 +1,53 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.implementation; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Properties; + +public class KeyVaultErrorCodeStrings { + static final String ERROR_STRINGS_FILE_NAME = "kvErrorStrings.properties"; + private static Properties errorStrings; + + /** + * The property name of Azure Key Vault Credentials required error string. + */ + public static final String CREDENTIAL_REQUIRED = "credential_required"; + + /** + * The property name of Azure Key Vault Endpoint required error string. + */ + public static final String VAULT_END_POINT_REQUIRED = "vault_endpoint_required"; + + /** + * The property name of Azure Key Vault Parameter required error string. + */ + public static final String PARAMETER_REQUIRED = "parameter_required"; + + /** + * Gets the error String for the specified property. + * + * @param propertyName the property name for which error string is required. + * @return The {@link String value} containing the error message. + */ + public static String getErrorString(String propertyName) { + loadProperties(); + return errorStrings.getProperty(propertyName); + } + + private static synchronized void loadProperties() { + if (errorStrings == null) { + try (InputStream fileInputStream = + KeyVaultErrorCodeStrings.class.getClassLoader().getResource((ERROR_STRINGS_FILE_NAME)).openStream()) { + errorStrings = new Properties(); + errorStrings.load(fileInputStream); + } catch (IOException ex) { + ex.printStackTrace(); + } + } + } +} + + 
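Review bot: loadProperties() in KeyVaultErrorCodeStrings only catches IOException, so when kvErrorStrings.properties is missing from the classpath, getResource(...) returns null and the chained .openStream() call throws NullPointerException out of a helper whose only job is to produce an error message. On the IOException path, ex.printStackTrace() bypasses ClientLogger, and getErrorString() then either returns null or dereferences a null errorStrings, so the builder's `new IllegalStateException(KeyVaultErrorCodeStrings.getErrorString(...))` ends up with no message. Use getResourceAsStream with a null check, log through ClientLogger, and fall back to an empty Properties with a default message. Since the class has only static members, it should also be final with a private constructor, and it needs class-level Javadoc.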
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/RoleAssignmentsImpl.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/RoleAssignmentsImpl.java new file mode 100644 index 000000000000..ef7d31d6b48b --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/RoleAssignmentsImpl.java 
@@ -0,0 +1,217 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation; + +import com.azure.core.annotation.BodyParam; +import com.azure.core.annotation.Delete; +import com.azure.core.annotation.ExpectedResponses; +import com.azure.core.annotation.Get; +import com.azure.core.annotation.Host; +import com.azure.core.annotation.HostParam; +import com.azure.core.annotation.PathParam; +import com.azure.core.annotation.Put; +import com.azure.core.annotation.QueryParam; +import com.azure.core.annotation.ReturnType; +import com.azure.core.annotation.ServiceInterface; +import com.azure.core.annotation.ServiceMethod; +import com.azure.core.annotation.UnexpectedResponseExceptionType; +import com.azure.core.http.rest.PagedResponse; +import com.azure.core.http.rest.PagedResponseBase; +import com.azure.core.http.rest.Response; +import com.azure.core.http.rest.RestProxy; +import com.azure.core.util.Context; +import com.azure.security.keyvault.administration.implementation.models.KeyVaultErrorException; +import com.azure.security.keyvault.administration.implementation.models.RoleAssignment; +import com.azure.security.keyvault.administration.implementation.models.RoleAssignmentCreateParameters; +import com.azure.security.keyvault.administration.implementation.models.RoleAssignmentListResult; +import reactor.core.publisher.Mono; + +/** An instance of this class provides access to all the operations defined in RoleAssignments. */ +public final class RoleAssignmentsImpl { + /** The proxy service used to perform REST calls. */ + private final RoleAssignmentsService service; + + /** The service client containing this operation class. */ + private final KeyVaultAccessControlClientImpl client; + + /** + * Initializes an instance of RoleAssignmentsImpl. 
+ * + * @param client the instance of the service client containing this operation class. + */ + RoleAssignmentsImpl(KeyVaultAccessControlClientImpl client) { + this.service = + RestProxy.create(RoleAssignmentsService.class, client.getHttpPipeline(), client.getSerializerAdapter()); + this.client = client; + } + + /** + * The interface defining all the services for KeyVaultAccessControlClientRoleAssignments to be used by the proxy + * service to perform REST calls. + */ + @Host("{vaultBaseUrl}") + @ServiceInterface(name = "KeyVaultAccessContro") + private interface RoleAssignmentsService { + @Delete("/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}") + @ExpectedResponses({200}) + @UnexpectedResponseExceptionType(KeyVaultErrorException.class) + Mono> delete( + @HostParam("vaultBaseUrl") String vaultBaseUrl, + @PathParam(value = "scope", encoded = true) String scope, + @PathParam("roleAssignmentName") String roleAssignmentName, + @QueryParam("api-version") String apiVersion, + Context context); + + @Put("/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}") + @ExpectedResponses({201}) + @UnexpectedResponseExceptionType(KeyVaultErrorException.class) + Mono> create( + @HostParam("vaultBaseUrl") String vaultBaseUrl, + @PathParam(value = "scope", encoded = true) String scope, + @PathParam("roleAssignmentName") String roleAssignmentName, + @QueryParam("api-version") String apiVersion, + @BodyParam("application/json") RoleAssignmentCreateParameters parameters, + Context context); + + @Get("/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}") + @ExpectedResponses({200}) + @UnexpectedResponseExceptionType(KeyVaultErrorException.class) + Mono> get( + @HostParam("vaultBaseUrl") String vaultBaseUrl, + @PathParam(value = "scope", encoded = true) String scope, + @PathParam("roleAssignmentName") String roleAssignmentName, + @QueryParam("api-version") String apiVersion, + Context context); + + 
@Get("/{scope}/providers/Microsoft.Authorization/roleAssignments") + @ExpectedResponses({200}) + @UnexpectedResponseExceptionType(KeyVaultErrorException.class) + Mono> listForScope( + @HostParam("vaultBaseUrl") String vaultBaseUrl, + @PathParam(value = "scope", encoded = true) String scope, + @QueryParam("$filter") String filter, + @QueryParam("api-version") String apiVersion, + Context context); + + @Get("{nextLink}") + @ExpectedResponses({200}) + @UnexpectedResponseExceptionType(KeyVaultErrorException.class) + Mono> listForScopeNext( + @PathParam(value = "nextLink", encoded = true) String nextLink, Context context); + } + + /** + * Deletes a role assignment. + * + * @param vaultBaseUrl simple string. + * @param scope The scope of the role assignment to delete. + * @param roleAssignmentName The name of the role assignment to delete. + * @param context The context to associate with this operation. + * @throws IllegalArgumentException thrown if parameters fail the validation. + * @throws KeyVaultErrorException thrown if the request is rejected by server. + * @throws RuntimeException all other wrapped checked exceptions if the request fails to be sent. + * @return role Assignments. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> deleteWithResponseAsync( + String vaultBaseUrl, String scope, String roleAssignmentName, Context context) { + return service.delete(vaultBaseUrl, scope, roleAssignmentName, this.client.getApiVersion(), context); + } + + /** + * Creates a role assignment. + * + * @param vaultBaseUrl simple string. + * @param scope The scope of the role assignment to create. + * @param roleAssignmentName The name of the role assignment to create. It can be any valid GUID. + * @param parameters Role assignment create parameters. + * @param context The context to associate with this operation. + * @throws IllegalArgumentException thrown if parameters fail the validation. 
+ * @throws KeyVaultErrorException thrown if the request is rejected by server. + * @throws RuntimeException all other wrapped checked exceptions if the request fails to be sent. + * @return role Assignments. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> createWithResponseAsync( + String vaultBaseUrl, + String scope, + String roleAssignmentName, + RoleAssignmentCreateParameters parameters, + Context context) { + return service.create( + vaultBaseUrl, scope, roleAssignmentName, this.client.getApiVersion(), parameters, context); + } + + /** + * Get the specified role assignment. + * + * @param vaultBaseUrl simple string. + * @param scope The scope of the role assignment. + * @param roleAssignmentName The name of the role assignment to get. + * @param context The context to associate with this operation. + * @throws IllegalArgumentException thrown if parameters fail the validation. + * @throws KeyVaultErrorException thrown if the request is rejected by server. + * @throws RuntimeException all other wrapped checked exceptions if the request fails to be sent. + * @return the specified role assignment. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> getWithResponseAsync( + String vaultBaseUrl, String scope, String roleAssignmentName, Context context) { + return service.get(vaultBaseUrl, scope, roleAssignmentName, this.client.getApiVersion(), context); + } + + /** + * Gets role assignments for a scope. + * + * @param vaultBaseUrl simple string. + * @param scope The scope of the role assignments. + * @param filter The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or + * above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope + * for the specified principal. + * @param context The context to associate with this operation. + * @throws IllegalArgumentException thrown if parameters fail the validation. 
+ * @throws KeyVaultErrorException thrown if the request is rejected by server. + * @throws RuntimeException all other wrapped checked exceptions if the request fails to be sent. + * @return role assignments for a scope. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> listForScopeSinglePageAsync( + String vaultBaseUrl, String scope, String filter, Context context) { + return service.listForScope(vaultBaseUrl, scope, filter, this.client.getApiVersion(), context) + .map( + res -> + new PagedResponseBase<>( + res.getRequest(), + res.getStatusCode(), + res.getHeaders(), + res.getValue().getValue(), + res.getValue().getNextLink(), + null)); + } + + /** + * Get the next page of items. + * + * @param nextLink The nextLink parameter. + * @param context The context to associate with this operation. + * @throws IllegalArgumentException thrown if parameters fail the validation. + * @throws KeyVaultErrorException thrown if the request is rejected by server. + * @throws RuntimeException all other wrapped checked exceptions if the request fails to be sent. + * @return role assignment list operation result. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> listForScopeNextSinglePageAsync(String nextLink, Context context) { + return service.listForScopeNext(nextLink, context) + .map( + res -> + new PagedResponseBase<>( + res.getRequest(), + res.getStatusCode(), + res.getHeaders(), + res.getValue().getValue(), + res.getValue().getNextLink(), + null)); + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/RoleDefinitionsImpl.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/RoleDefinitionsImpl.java new file mode 100644 index 000000000000..0bb245c326f4 --- /dev/null 
+++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/RoleDefinitionsImpl.java 
@@ -0,0 +1,121 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation; + +import com.azure.core.annotation.ExpectedResponses; +import com.azure.core.annotation.Get; +import com.azure.core.annotation.Host; +import com.azure.core.annotation.HostParam; +import com.azure.core.annotation.PathParam; +import com.azure.core.annotation.QueryParam; +import com.azure.core.annotation.ReturnType; +import com.azure.core.annotation.ServiceInterface; +import com.azure.core.annotation.ServiceMethod; +import com.azure.core.annotation.UnexpectedResponseExceptionType; +import com.azure.core.http.rest.PagedResponse; +import com.azure.core.http.rest.PagedResponseBase; +import com.azure.core.http.rest.Response; +import com.azure.core.http.rest.RestProxy; +import com.azure.core.util.Context; +import com.azure.security.keyvault.administration.implementation.models.KeyVaultErrorException; +import com.azure.security.keyvault.administration.implementation.models.RoleDefinition; +import com.azure.security.keyvault.administration.implementation.models.RoleDefinitionListResult; +import reactor.core.publisher.Mono; + +/** An instance of this class provides access to all the operations defined in RoleDefinitions. */ +public final class RoleDefinitionsImpl { + /** The proxy service used to perform REST calls. */ + private final RoleDefinitionsService service; + + /** The service client containing this operation class. */ + private final KeyVaultAccessControlClientImpl client; + + /** + * Initializes an instance of RoleDefinitionsImpl. + * + * @param client the instance of the service client containing this operation class. 
+ */ + RoleDefinitionsImpl(KeyVaultAccessControlClientImpl client) { + this.service = + RestProxy.create(RoleDefinitionsService.class, client.getHttpPipeline(), client.getSerializerAdapter()); + this.client = client; + } + + /** + * The interface defining all the services for KeyVaultAccessControlClientRoleDefinitions to be used by the proxy + * service to perform REST calls. + */ + @Host("{vaultBaseUrl}") + @ServiceInterface(name = "KeyVaultAccessContro") + private interface RoleDefinitionsService { + @Get("/{scope}/providers/Microsoft.Authorization/roleDefinitions") + @ExpectedResponses({200}) + @UnexpectedResponseExceptionType(KeyVaultErrorException.class) + Mono> list( + @HostParam("vaultBaseUrl") String vaultBaseUrl, + @PathParam(value = "scope", encoded = true) String scope, + @QueryParam("$filter") String filter, + @QueryParam("api-version") String apiVersion, + Context context); + + @Get("{nextLink}") + @ExpectedResponses({200}) + @UnexpectedResponseExceptionType(KeyVaultErrorException.class) + Mono> listNext( + @PathParam(value = "nextLink", encoded = true) String nextLink, Context context); + } + + /** + * Get all role definitions that are applicable at scope and above. + * + * @param vaultBaseUrl simple string. + * @param scope The scope of the role definition. + * @param filter The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as + * well. + * @param context The context to associate with this operation. + * @throws IllegalArgumentException thrown if parameters fail the validation. + * @throws KeyVaultErrorException thrown if the request is rejected by server. + * @throws RuntimeException all other wrapped checked exceptions if the request fails to be sent. + * @return all role definitions that are applicable at scope and above. 
+ */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> listSinglePageAsync( + String vaultBaseUrl, String scope, String filter, Context context) { + return service.list(vaultBaseUrl, scope, filter, this.client.getApiVersion(), context) + .map( + res -> + new PagedResponseBase<>( + res.getRequest(), + res.getStatusCode(), + res.getHeaders(), + res.getValue().getValue(), + res.getValue().getNextLink(), + null)); + } + + /** + * Get the next page of items. + * + * @param nextLink The nextLink parameter. + * @param context The context to associate with this operation. + * @throws IllegalArgumentException thrown if parameters fail the validation. + * @throws KeyVaultErrorException thrown if the request is rejected by server. + * @throws RuntimeException all other wrapped checked exceptions if the request fails to be sent. + * @return role definition list operation result. + */ + @ServiceMethod(returns = ReturnType.SINGLE) + public Mono> listNextSinglePageAsync(String nextLink, Context context) { + return service.listNext(nextLink, context) + .map( + res -> + new PagedResponseBase<>( + res.getRequest(), + res.getStatusCode(), + res.getHeaders(), + res.getValue().getValue(), + res.getValue().getNextLink(), + null)); + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/ScopeTokenCache.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/ScopeTokenCache.java new file mode 100644 index 000000000000..c7f1aaba7b6d --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/ScopeTokenCache.java 
@@ -0,0 +1,60 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.implementation; + +import com.azure.core.credential.AccessToken; +import com.azure.core.credential.TokenRequestContext; +import reactor.core.publisher.FluxSink; +import reactor.core.publisher.Mono; +import reactor.core.publisher.ReplayProcessor; + +import java.util.concurrent.atomic.AtomicBoolean; +import java.util.function.Function; + +/** + * A token cache that supports caching a token and refreshing it. + */ +class ScopeTokenCache { + private final AtomicBoolean wip; + private AccessToken cache; + private final ReplayProcessor emitterProcessor = ReplayProcessor.create(1); + private final FluxSink sink = emitterProcessor.sink(FluxSink.OverflowStrategy.BUFFER); + private final Function> getNew; + private TokenRequestContext request; + + + /** + * Creates an instance of RefreshableTokenCredential with default scheme "Bearer". + * + * @param getNew a method to get a new token + */ + ScopeTokenCache(Function> getNew) { + this.wip = new AtomicBoolean(false); + this.getNew = getNew; + } + + public void setTokenRequest(TokenRequestContext request) { + this.request = request; + } + + /** + * Asynchronously get a token from either the cache or replenish the cache with a new token. + * @return a Publisher that emits an AccessToken + */ + public Mono getToken() { + if (cache != null && !cache.isExpired()) { + return Mono.just(cache); + } + return Mono.defer(() -> { + if (!wip.getAndSet(true)) { + return getNew.apply(request).doOnNext(ac -> cache = ac) + .doOnNext(sink::next) + .doOnError(sink::error) + .doOnTerminate(() -> wip.set(false)); + } else { + return emitterProcessor.next(); + } + }); + } +} 
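Review bot: getToken() returns `cache` whenever it has not expired without checking that it was issued for the current `request`, so after setTokenRequest() is called with a different TokenRequestContext the class keeps serving a token for the old scopes until it expires. Clear `cache` in setTokenRequest(), or compare the request before the early return. Three smaller points in the same class: `cache` and `request` are plain fields read and written from different threads and should be volatile or otherwise guarded; the else branch subscribes to a ReplayProcessor created with a history of 1, so a caller arriving during a refresh can be handed the previously emitted token rather than the new one, and once `doOnError(sink::error)` has fired the processor is terminated and delivers no later token; the constructor Javadoc names RefreshableTokenCredential instead of ScopeTokenCache.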
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/Error.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/Error.java new file mode 100644 index 000000000000..7d7efb8e170e --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/Error.java @@ -0,0 +1,57 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Immutable; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** The Error model. */ +@Immutable +public final class Error { + /* + * The error code. + */ + @JsonProperty(value = "code", access = JsonProperty.Access.WRITE_ONLY) + private String code; + + /* + * The error message. + */ + @JsonProperty(value = "message", access = JsonProperty.Access.WRITE_ONLY) + private String message; + + /* + * The key vault server error. + */ + @JsonProperty(value = "innererror", access = JsonProperty.Access.WRITE_ONLY) + private Error innerError; + + /** + * Get the code property: The error code. + * + * @return the code value. + */ + public String getCode() { + return this.code; + } + + /** + * Get the message property: The error message. + * + * @return the message value. + */ + public String getMessage() { + return this.message; + } + + /** + * Get the innerError property: The key vault server error. + * + * @return the innerError value. + */ + public Error getInnerError() { + return this.innerError; + } +} 
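Review bot: the model class is named `Error`, the same simple name as java.lang.Error, so every source file that imports this type shadows the JDK class and any `catch (Error e)` or `instanceof Error` in that file silently refers to the model instead. Because the file is generated, the rename belongs in the generator input rather than in a hand edit; a service-specific name would also make the recursive `innerError` field easier to read.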
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/KeyVaultError.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/KeyVaultError.java new file mode 100644 index 000000000000..e7a84828d10c --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/KeyVaultError.java @@ -0,0 +1,27 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Immutable; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** The KeyVaultError model. */ +@Immutable +public final class KeyVaultError { + /* + * The key vault server error. + */ + @JsonProperty(value = "error", access = JsonProperty.Access.WRITE_ONLY) + private Error error; + + /** + * Get the error property: The key vault server error. + * + * @return the error value. + */ + public Error getError() { + return this.error; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/KeyVaultErrorException.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/KeyVaultErrorException.java new file mode 100644 index 000000000000..77b9441be30e --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/KeyVaultErrorException.java 
@@ -0,0 +1,37 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.exception.HttpResponseException; +import com.azure.core.http.HttpResponse; + +/** Exception thrown for an invalid response with KeyVaultError information. */ +public final class KeyVaultErrorException extends HttpResponseException { + /** + * Initializes a new instance of the KeyVaultErrorException class. + * + * @param message the exception message or the response content if a message is not available. + * @param response the HTTP response. + */ + public KeyVaultErrorException(String message, HttpResponse response) { + super(message, response); + } + + /** + * Initializes a new instance of the KeyVaultErrorException class. + * + * @param message the exception message or the response content if a message is not available. + * @param response the HTTP response. + * @param value the deserialized response value. + */ + public KeyVaultErrorException(String message, HttpResponse response, KeyVaultError value) { + super(message, response, value); + } + + @Override + public KeyVaultError getValue() { + return (KeyVaultError) super.getValue(); + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/Permission.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/Permission.java new file mode 100644 index 000000000000..d1feaf6d24e4 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/Permission.java 
@@ -0,0 +1,117 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.List; + +/** The Permission model. */ +@Fluent +public final class Permission { + /* + * Allowed actions. + */ + @JsonProperty(value = "actions") + private List actions; + + /* + * Denied actions. + */ + @JsonProperty(value = "notActions") + private List notActions; + + /* + * Allowed Data actions. + */ + @JsonProperty(value = "dataActions") + private List dataActions; + + /* + * Denied Data actions. + */ + @JsonProperty(value = "notDataActions") + private List notDataActions; + + /** + * Get the actions property: Allowed actions. + * + * @return the actions value. + */ + public List getActions() { + return this.actions; + } + + /** + * Set the actions property: Allowed actions. + * + * @param actions the actions value to set. + * @return the Permission object itself. + */ + public Permission setActions(List actions) { + this.actions = actions; + return this; + } + + /** + * Get the notActions property: Denied actions. + * + * @return the notActions value. + */ + public List getNotActions() { + return this.notActions; + } + + /** + * Set the notActions property: Denied actions. + * + * @param notActions the notActions value to set. + * @return the Permission object itself. + */ + public Permission setNotActions(List notActions) { + this.notActions = notActions; + return this; + } + + /** + * Get the dataActions property: Allowed Data actions. + * + * @return the dataActions value. + */ + public List getDataActions() { + return this.dataActions; + } + + /** + * Set the dataActions property: Allowed Data actions. + * + * @param dataActions the dataActions value to set. 
+ * @return the Permission object itself. + */ + public Permission setDataActions(List dataActions) { + this.dataActions = dataActions; + return this; + } + + /** + * Get the notDataActions property: Denied Data actions. + * + * @return the notDataActions value. + */ + public List getNotDataActions() { + return this.notDataActions; + } + + /** + * Set the notDataActions property: Denied Data actions. + * + * @param notDataActions the notDataActions value to set. + * @return the Permission object itself. + */ + public Permission setNotDataActions(List notDataActions) { + this.notDataActions = notDataActions; + return this; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignment.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignment.java new file mode 100644 index 000000000000..1d06ce14088f --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignment.java 
@@ -0,0 +1,83 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** The RoleAssignment model. */ +@Fluent +public final class RoleAssignment { + /* + * The role assignment ID. + */ + @JsonProperty(value = "id", access = JsonProperty.Access.WRITE_ONLY) + private String id; + + /* + * The role assignment name. + */ + @JsonProperty(value = "name", access = JsonProperty.Access.WRITE_ONLY) + private String name; + + /* + * The role assignment type. + */ + @JsonProperty(value = "type", access = JsonProperty.Access.WRITE_ONLY) + private String type; + + /* + * Role assignment properties. + */ + @JsonProperty(value = "properties") + private RoleAssignmentPropertiesWithScope properties; + + /** + * Get the id property: The role assignment ID. + * + * @return the id value. + */ + public String getId() { + return this.id; + } + + /** + * Get the name property: The role assignment name. + * + * @return the name value. + */ + public String getName() { + return this.name; + } + + /** + * Get the type property: The role assignment type. + * + * @return the type value. + */ + public String getType() { + return this.type; + } + + /** + * Get the properties property: Role assignment properties. + * + * @return the properties value. + */ + public RoleAssignmentPropertiesWithScope getProperties() { + return this.properties; + } + + /** + * Set the properties property: Role assignment properties. + * + * @param properties the properties value to set. + * @return the RoleAssignment object itself. + */ + public RoleAssignment setProperties(RoleAssignmentPropertiesWithScope properties) { + this.properties = properties; + return this; + } +} 
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentCreateParameters.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentCreateParameters.java new file mode 100644 index 000000000000..56d16b847a06 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentCreateParameters.java @@ -0,0 +1,38 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** The RoleAssignmentCreateParameters model. */ +@Fluent +public final class RoleAssignmentCreateParameters { + /* + * Role assignment properties. + */ + @JsonProperty(value = "properties", required = true) + private RoleAssignmentProperties properties; + + /** + * Get the properties property: Role assignment properties. + * + * @return the properties value. + */ + public RoleAssignmentProperties getProperties() { + return this.properties; + } + + /** + * Set the properties property: Role assignment properties. + * + * @param properties the properties value to set. + * @return the RoleAssignmentCreateParameters object itself. + */ + public RoleAssignmentCreateParameters setProperties(RoleAssignmentProperties properties) { + this.properties = properties; + return this; + } +} 
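Review bot: `required = true` on the `properties` field is annotation metadata only; setProperties() accepts null and nothing in this class rejects an unset value, so an incomplete create request is caught only when the service refuses it. Add a null check where the request is built, or a validate() method on the model, so the failure is raised client-side with a clear message before a role assignment call leaves the process.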
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentFilter.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentFilter.java new file mode 100644 index 000000000000..c04d69f36bd9 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentFilter.java @@ -0,0 +1,38 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** The RoleAssignmentFilter model. */ +@Fluent +public final class RoleAssignmentFilter { + /* + * Returns role assignment of the specific principal. + */ + @JsonProperty(value = "principalId") + private String principalId; + + /** + * Get the principalId property: Returns role assignment of the specific principal. + * + * @return the principalId value. + */ + public String getPrincipalId() { + return this.principalId; + } + + /** + * Set the principalId property: Returns role assignment of the specific principal. + * + * @param principalId the principalId value to set. + * @return the RoleAssignmentFilter object itself. + */ + public RoleAssignmentFilter setPrincipalId(String principalId) { + this.principalId = principalId; + return this; + } +} 
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentListResult.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentListResult.java new file mode 100644 index 000000000000..72a6eb8440a6 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentListResult.java 
@@ -0,0 +1,65 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.List; + +/** The RoleAssignmentListResult model. */ +@Fluent +public final class RoleAssignmentListResult { + /* + * Role assignment list. + */ + @JsonProperty(value = "value") + private List value; + + /* + * The URL to use for getting the next set of results. + */ + @JsonProperty(value = "nextLink") + private String nextLink; + + /** + * Get the value property: Role assignment list. + * + * @return the value value. + */ + public List getValue() { + return this.value; + } + + /** + * Set the value property: Role assignment list. + * + * @param value the value value to set. + * @return the RoleAssignmentListResult object itself. + */ + public RoleAssignmentListResult setValue(List value) { + this.value = value; + return this; + } + + /** + * Get the nextLink property: The URL to use for getting the next set of results. + * + * @return the nextLink value. + */ + public String getNextLink() { + return this.nextLink; + } + + /** + * Set the nextLink property: The URL to use for getting the next set of results. + * + * @param nextLink the nextLink value to set. + * @return the RoleAssignmentListResult object itself. + */ + public RoleAssignmentListResult setNextLink(String nextLink) { + this.nextLink = nextLink; + return this; + } +} 
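Review bot: `nextLink` here is taken verbatim from the response body, and listForScopeNextSinglePageAsync earlier in this patch passes it straight to `service.listForScopeNext(nextLink, context)` with no check on where it points. The follow-up request goes through the client's HTTP pipeline, so if that pipeline adds credentials, a nextLink naming another host would receive them. Compare the host of `nextLink` with `vaultBaseUrl` before following it and fail the page request on a mismatch. The public setNextLink() on a response-only model is also worth dropping if the generator allows it.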
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentProperties.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentProperties.java new file mode 100644 index 000000000000..0ab892817a1e --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentProperties.java 
@@ -0,0 +1,68 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** The RoleAssignmentProperties model. */ +@Fluent +public final class RoleAssignmentProperties { + /* + * The role definition ID used in the role assignment. + */ + @JsonProperty(value = "roleDefinitionId", required = true) + private String roleDefinitionId; + + /* + * The principal ID assigned to the role. This maps to the ID inside the + * Active Directory. It can point to a user, service principal, or security + * group. + */ + @JsonProperty(value = "principalId", required = true) + private String principalId; + + /** + * Get the roleDefinitionId property: The role definition ID used in the role assignment. + * + * @return the roleDefinitionId value. + */ + public String getRoleDefinitionId() { + return this.roleDefinitionId; + } + + /** + * Set the roleDefinitionId property: The role definition ID used in the role assignment. + * + * @param roleDefinitionId the roleDefinitionId value to set. + * @return the RoleAssignmentProperties object itself. + */ + public RoleAssignmentProperties setRoleDefinitionId(String roleDefinitionId) { + this.roleDefinitionId = roleDefinitionId; + return this; + } + + /** + * Get the principalId property: The principal ID assigned to the role. This maps to the ID inside the Active + * Directory. It can point to a user, service principal, or security group. + * + * @return the principalId value. + */ + public String getPrincipalId() { + return this.principalId; + } + + /** + * Set the principalId property: The principal ID assigned to the role. This maps to the ID inside the Active + * Directory. It can point to a user, service principal, or security group. 
+ * + * @param principalId the principalId value to set. + * @return the RoleAssignmentProperties object itself. + */ + public RoleAssignmentProperties setPrincipalId(String principalId) { + this.principalId = principalId; + return this; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentPropertiesWithScope.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentPropertiesWithScope.java new file mode 100644 index 000000000000..ff50c91dc2ae --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleAssignmentPropertiesWithScope.java 
@@ -0,0 +1,90 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** The RoleAssignmentPropertiesWithScope model. */ +@Fluent +public final class RoleAssignmentPropertiesWithScope { + /* + * The role assignment scope. + */ + @JsonProperty(value = "scope") + private String scope; + + /* + * The role definition ID. + */ + @JsonProperty(value = "roleDefinitionId") + private String roleDefinitionId; + + /* + * The principal ID. + */ + @JsonProperty(value = "principalId") + private String principalId; + + /** + * Get the scope property: The role assignment scope. + * + * @return the scope value. + */ + public String getScope() { + return this.scope; + } + + /** + * Set the scope property: The role assignment scope. + * + * @param scope the scope value to set. + * @return the RoleAssignmentPropertiesWithScope object itself. + */ + public RoleAssignmentPropertiesWithScope setScope(String scope) { + this.scope = scope; + return this; + } + + /** + * Get the roleDefinitionId property: The role definition ID. + * + * @return the roleDefinitionId value. + */ + public String getRoleDefinitionId() { + return this.roleDefinitionId; + } + + /** + * Set the roleDefinitionId property: The role definition ID. + * + * @param roleDefinitionId the roleDefinitionId value to set. + * @return the RoleAssignmentPropertiesWithScope object itself. + */ + public RoleAssignmentPropertiesWithScope setRoleDefinitionId(String roleDefinitionId) { + this.roleDefinitionId = roleDefinitionId; + return this; + } + + /** + * Get the principalId property: The principal ID. + * + * @return the principalId value. 
+ */ + public String getPrincipalId() { + return this.principalId; + } + + /** + * Set the principalId property: The principal ID. + * + * @param principalId the principalId value to set. + * @return the RoleAssignmentPropertiesWithScope object itself. + */ + public RoleAssignmentPropertiesWithScope setPrincipalId(String principalId) { + this.principalId = principalId; + return this; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinition.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinition.java new file mode 100644 index 000000000000..5383e4acbb8a --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinition.java 
@@ -0,0 +1,190 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.azure.core.annotation.JsonFlatten; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.List; + +/** The RoleDefinition model. */ +@JsonFlatten +@Fluent +public class RoleDefinition { + /* + * The role definition ID. + */ + @JsonProperty(value = "id", access = JsonProperty.Access.WRITE_ONLY) + private String id; + + /* + * The role definition name. + */ + @JsonProperty(value = "name", access = JsonProperty.Access.WRITE_ONLY) + private String name; + + /* + * The role definition type. + */ + @JsonProperty(value = "type", access = JsonProperty.Access.WRITE_ONLY) + private String type; + + /* + * The role name. + */ + @JsonProperty(value = "properties.roleName") + private String roleName; + + /* + * The role definition description. + */ + @JsonProperty(value = "properties.description") + private String description; + + /* + * The role type. + */ + @JsonProperty(value = "properties.type") + private String roleType; + + /* + * Role definition permissions. + */ + @JsonProperty(value = "properties.permissions") + private List permissions; + + /* + * Role definition assignable scopes. + */ + @JsonProperty(value = "properties.assignableScopes") + private List assignableScopes; + + /** + * Get the id property: The role definition ID. + * + * @return the id value. + */ + public String getId() { + return this.id; + } + + /** + * Get the name property: The role definition name. + * + * @return the name value. + */ + public String getName() { + return this.name; + } + + /** + * Get the type property: The role definition type. + * + * @return the type value. 
+ */ + public String getType() { + return this.type; + } + + /** + * Get the roleName property: The role name. + * + * @return the roleName value. + */ + public String getRoleName() { + return this.roleName; + } + + /** + * Set the roleName property: The role name. + * + * @param roleName the roleName value to set. + * @return the RoleDefinition object itself. + */ + public RoleDefinition setRoleName(String roleName) { + this.roleName = roleName; + return this; + } + + /** + * Get the description property: The role definition description. + * + * @return the description value. + */ + public String getDescription() { + return this.description; + } + + /** + * Set the description property: The role definition description. + * + * @param description the description value to set. + * @return the RoleDefinition object itself. + */ + public RoleDefinition setDescription(String description) { + this.description = description; + return this; + } + + /** + * Get the roleType property: The role type. + * + * @return the roleType value. + */ + public String getRoleType() { + return this.roleType; + } + + /** + * Set the roleType property: The role type. + * + * @param roleType the roleType value to set. + * @return the RoleDefinition object itself. + */ + public RoleDefinition setRoleType(String roleType) { + this.roleType = roleType; + return this; + } + + /** + * Get the permissions property: Role definition permissions. + * + * @return the permissions value. + */ + public List getPermissions() { + return this.permissions; + } + + /** + * Set the permissions property: Role definition permissions. + * + * @param permissions the permissions value to set. + * @return the RoleDefinition object itself. + */ + public RoleDefinition setPermissions(List permissions) { + this.permissions = permissions; + return this; + } + + /** + * Get the assignableScopes property: Role definition assignable scopes. + * + * @return the assignableScopes value. 
+ */ + public List getAssignableScopes() { + return this.assignableScopes; + } + + /** + * Set the assignableScopes property: Role definition assignable scopes. + * + * @param assignableScopes the assignableScopes value to set. + * @return the RoleDefinition object itself. + */ + public RoleDefinition setAssignableScopes(List assignableScopes) { + this.assignableScopes = assignableScopes; + return this; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinitionFilter.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinitionFilter.java new file mode 100644 index 000000000000..ce01792ed37f --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinitionFilter.java 
@@ -0,0 +1,38 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** The RoleDefinitionFilter model. */ +@Fluent +public final class RoleDefinitionFilter { + /* + * Returns role definition with the specific name. + */ + @JsonProperty(value = "roleName") + private String roleName; + + /** + * Get the roleName property: Returns role definition with the specific name. + * + * @return the roleName value. + */ + public String getRoleName() { + return this.roleName; + } + + /** + * Set the roleName property: Returns role definition with the specific name. + * + * @param roleName the roleName value to set. + * @return the RoleDefinitionFilter object itself. + */ + public RoleDefinitionFilter setRoleName(String roleName) { + this.roleName = roleName; + return this; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinitionListResult.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinitionListResult.java new file mode 100644 index 000000000000..fa52f012f154 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/RoleDefinitionListResult.java 
@@ -0,0 +1,65 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +package com.azure.security.keyvault.administration.implementation.models; + +import com.azure.core.annotation.Fluent; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.List; + +/** The RoleDefinitionListResult model. */ +@Fluent +public final class RoleDefinitionListResult { + /* + * Role definition list. + */ + @JsonProperty(value = "value") + private List value; + + /* + * The URL to use for getting the next set of results. + */ + @JsonProperty(value = "nextLink") + private String nextLink; + + /** + * Get the value property: Role definition list. + * + * @return the value value. + */ + public List getValue() { + return this.value; + } + + /** + * Set the value property: Role definition list. + * + * @param value the value value to set. + * @return the RoleDefinitionListResult object itself. + */ + public RoleDefinitionListResult setValue(List value) { + this.value = value; + return this; + } + + /** + * Get the nextLink property: The URL to use for getting the next set of results. + * + * @return the nextLink value. + */ + public String getNextLink() { + return this.nextLink; + } + + /** + * Set the nextLink property: The URL to use for getting the next set of results. + * + * @param nextLink the nextLink value to set. + * @return the RoleDefinitionListResult object itself. + */ + public RoleDefinitionListResult setNextLink(String nextLink) { + this.nextLink = nextLink; + return this; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/package-info.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/package-info.java new file mode 100644 index 000000000000..3ad2fecedd55 
--- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/models/package-info.java @@ -0,0 +1,9 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +/** + * Package containing the data models for KeyVaultAccessControlClient. The key vault client performs cryptographic key + * operations and vault operations against the Key Vault service. + */ +package com.azure.security.keyvault.administration.implementation.models; diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/package-info.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/package-info.java new file mode 100644 index 000000000000..2f88bbe09355 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/package-info.java @@ -0,0 +1,9 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. +// Code generated by Microsoft (R) AutoRest Code Generator. + +/** + * Package containing the implementations and inner classes for KeyVaultAccessControlClient. The key vault client + * performs cryptographic key operations and vault operations against the Key Vault service. + */ +package com.azure.security.keyvault.administration.implementation; diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultPermission.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultPermission.java new file mode 100644 index 000000000000..d987cbb04072 --- /dev/null 
+++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultPermission.java 
@@ -0,0 +1,67 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.models; + +import java.util.List; + +/** + * A class describing allowed and denied actions and data actions of a {@link KeyVaultRoleDefinition}. + */ +public final class KeyVaultPermission { + private List actions; + private List deniedActions; + private List dataActions; + private List deniedDataActions; + + /** + * Creates a new {@link KeyVaultPermission} with the specified allowed and denied actions and data actions. + * + * @param actions The actions this {@link KeyVaultPermission permission} allows. + * @param deniedActions The actions this {@link KeyVaultPermission permission} denies. + * @param dataActions The data actions this {@link KeyVaultPermission permission} allows. + * @param deniedDataActions The data actions this {@link KeyVaultPermission permission} denies. + */ + public KeyVaultPermission(List actions, List deniedActions, List dataActions, List deniedDataActions) { + this.actions = actions; + this.deniedActions = deniedActions; + this.dataActions = dataActions; + this.deniedDataActions = deniedDataActions; + } + + /** + * Get the actions this {@link KeyVaultPermission permission} allows. + * + * @return The allowed actions. + */ + public List getActions() { + return actions; + } + + /** + * Get the actions this {@link KeyVaultPermission permission} denies. + * + * @return The denied actions. + */ + public List getDeniedActions() { + return deniedActions; + } + + /** + * Get the data actions this {@link KeyVaultPermission permission} allows. + * + * @return The allowed data actions. + */ + public List getDataActions() { + return dataActions; + } + + /** + * Get the data actions this {@link KeyVaultPermission permission} denies. + * + * @return The denied data actions. + */ + public List getDeniedDataActions() { + return deniedDataActions; + } +} 
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignment.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignment.java new file mode 100644 index 000000000000..ef085aea877b --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignment.java 
@@ -0,0 +1,79 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.models; + +/** + * A class that defines a role assignment. + */ +public final class KeyVaultRoleAssignment { + private String id; + private String name; + private String type; + private KeyVaultRoleAssignmentProperties properties; + private KeyVaultRoleAssignmentScope scope; + + /** + * Creates a new {@link KeyVaultRoleAssignment role assignment} with the specified details. + * + * @param id The ID for this {@link KeyVaultRoleAssignment role assignment}. + * @param name The name of this {@link KeyVaultRoleAssignment role assignment}. + * @param type The type of this {@link KeyVaultRoleAssignment role assignment}. + * @param properties {@link KeyVaultRoleAssignmentProperties properties} of this {@link KeyVaultRoleAssignment + * role assignment}. + * @param roleScope The {@link KeyVaultRoleAssignmentScope scope} of this {@link KeyVaultRoleAssignment role + * assignment}. + */ + public KeyVaultRoleAssignment(String id, String name, String type, KeyVaultRoleAssignmentProperties properties, KeyVaultRoleAssignmentScope roleScope) { + this.id = id; + this.name = name; + this.type = type; + this.properties = properties; + this.scope = roleScope; + } + + /** + * Get the {@link KeyVaultRoleAssignment role assignment} ID. + * + * @return The {@link KeyVaultRoleAssignment role assignment} ID. + */ + public String getId() { + return id; + } + + /** + * Get the {@link KeyVaultRoleAssignment role assignment} name. + * + * @return The {@link KeyVaultRoleAssignment role assignment} name. + */ + public String getName() { + return name; + } + + /** + * Get the {@link KeyVaultRoleAssignment role assignment} type. + * + * @return The {@link KeyVaultRoleAssignment role assignment} type. 
+ */ + public String getType() { + return type; + } + + /** + * Get the {@link KeyVaultRoleAssignment role assignment} {@link KeyVaultRoleAssignmentProperties properties}. + * + * @return The {@link KeyVaultRoleAssignment role assignment} {@link KeyVaultRoleAssignmentProperties properties}. + */ + public KeyVaultRoleAssignmentProperties getProperties() { + return properties; + } + + /** + * Get the {@link KeyVaultRoleAssignment role assignment} {@link KeyVaultRoleAssignmentScope scope}. + * + * @return The {@link KeyVaultRoleAssignment role assignment} {@link KeyVaultRoleAssignmentScope scope}. + */ + public KeyVaultRoleAssignmentScope getScope() { + return scope; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignmentProperties.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignmentProperties.java new file mode 100644 index 000000000000..cc0a945730e7 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignmentProperties.java 
@@ -0,0 +1,56 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.models; + +import com.azure.security.keyvault.administration.implementation.KeyVaultErrorCodeStrings; + +import java.util.Objects; + +/** + * A class that defines a role assignment's properties. + */ +public final class KeyVaultRoleAssignmentProperties { + private String roleDefinitionId; + private String principalId; + + /** + * Creates a new {@link KeyVaultRoleAssignmentProperties role assignment properties} object with the specified + * details. + * + * @param roleDefinitionId The {@link KeyVaultRoleDefinition role definition} ID used in the + * {@link KeyVaultRoleAssignment role assignment}. + * @param principalId The principal ID assigned to the role. This maps to the ID inside the Active Directory. + * It can point to a user, service principal, or security group. + */ + public KeyVaultRoleAssignmentProperties(String roleDefinitionId, String principalId) { + Objects.requireNonNull(roleDefinitionId, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'roleDefinitionId' in 'properties'")); + Objects.requireNonNull(principalId, + String.format(KeyVaultErrorCodeStrings.getErrorString(KeyVaultErrorCodeStrings.PARAMETER_REQUIRED), + "'principalId' in 'properties'")); + + this.roleDefinitionId = roleDefinitionId; + this.principalId = principalId; + } + + /** + * Get the {@link KeyVaultRoleDefinition role definition} ID used in the {@link KeyVaultRoleAssignment role + * assignment}. + * + * @return The {@link KeyVaultRoleDefinition role definition} ID. + */ + public String getRoleDefinitionId() { + return roleDefinitionId; + } + + /** + * Get the principal ID assigned to the role. + * + * @return The principal ID. + */ + public String getPrincipalId() { + return principalId; + } +} 
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignmentScope.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignmentScope.java new file mode 100644 index 000000000000..0356d3fde614 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleAssignmentScope.java @@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.models; + +import com.azure.core.util.ExpandableStringEnum; + +import java.net.URI; + +/** + * A class that defines the scope of a role. + */ +public final class KeyVaultRoleAssignmentScope extends ExpandableStringEnum { + public static final KeyVaultRoleAssignmentScope GLOBAL = fromString("/"); + public static final KeyVaultRoleAssignmentScope KEYS = fromString("/keys"); + + /** + * Creates or finds a {@link KeyVaultRoleAssignmentScope} from its string representation. + * + * @param name A name to look for. + * @return The corresponding {@link KeyVaultRoleAssignmentScope} + */ + public static KeyVaultRoleAssignmentScope fromString(String name) { + return fromString(name, KeyVaultRoleAssignmentScope.class); + } + + /** + * Creates or finds a {@link KeyVaultRoleAssignmentScope} from its string representation. + * + * @param uri A URI to look for. + * @return The corresponding {@link KeyVaultRoleAssignmentScope} + */ + public static KeyVaultRoleAssignmentScope fromUri(URI uri) { + return fromString(uri.getRawPath(), KeyVaultRoleAssignmentScope.class); + } +} 
diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleDefinition.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleDefinition.java new file mode 100644 index 000000000000..9d4a7465ffc5 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleDefinition.java 
@@ -0,0 +1,69 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.models; + +import java.util.List; + +/** + * A class that defines a role. + */ +public final class KeyVaultRoleDefinition { + private String id; + private String name; + private String type; + private KeyVaultRoleDefinitionProperties properties; + private List scopes; + + /** + * Creates a new {@link KeyVaultRoleDefinition role definition} with the specified details. + * + * @param id The ID for this {@link KeyVaultRoleDefinition role definition}. + * @param name The name for this {@link KeyVaultRoleDefinition role definition}. + * @param type The type for this {@link KeyVaultRoleDefinition role definition}. + * @param properties {@link KeyVaultRoleDefinitionProperties properties} of this {@link KeyVaultRoleDefinition + * role assignment}. + */ + public KeyVaultRoleDefinition(String id, String name, String type, KeyVaultRoleDefinitionProperties properties) { + this.id = id; + this.name = name; + this.type = type; + this.properties = properties; + } + + /** + * Get the {@link KeyVaultRoleDefinition role definition} ID. + * + * @return The {@link KeyVaultRoleDefinition role definition} ID. + */ + public String getId() { + return id; + } + + /** + * Get the {@link KeyVaultRoleDefinition role definition} name. + * + * @return The {@link KeyVaultRoleDefinition role definition} name. + */ + public String getName() { + return name; + } + + /** + * Get the {@link KeyVaultRoleDefinition role assignment} type. + * + * @return The {@link KeyVaultRoleDefinition role assignment} type. + */ + public String getType() { + return type; + } + + /** + * Get the {@link KeyVaultRoleDefinition role definition} {@link KeyVaultRoleDefinitionProperties properties}. + * + * @return The {@link KeyVaultRoleDefinition role assignment} {@link KeyVaultRoleDefinitionProperties properties}. 
+ */ + public KeyVaultRoleDefinitionProperties getProperties() { + return properties; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleDefinitionProperties.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleDefinitionProperties.java new file mode 100644 index 000000000000..599a6ceae1f0 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/KeyVaultRoleDefinitionProperties.java 
@@ -0,0 +1,81 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package com.azure.security.keyvault.administration.models; + +import java.util.List; + +/** + * A class that defines a role definition's properties. + */ +public final class KeyVaultRoleDefinitionProperties { + private String roleName; + private String description; + private String roleType; + private List permissions; + private List assignableScopes; + + /** + * Creates a new {@link KeyVaultRoleDefinitionProperties role definition properties} object with the specified + * details. + * + * @param roleName The name of the role. + * @param roleDescription The description of the role. + * @param roleType The type of the role. + * @param permissions The {@link KeyVaultPermission permissions} the {@link KeyVaultRoleDefinition role + * definition} has. + * @param assignableScopes The assignable scopes of the {@link KeyVaultRoleDefinition role definition}. + */ + public KeyVaultRoleDefinitionProperties(String roleName, String roleDescription, String roleType, List permissions, List assignableScopes) { + this.roleName = roleName; + this.description = roleDescription; + this.roleType = roleType; + this.permissions = permissions; + this.assignableScopes = assignableScopes; + } + + /** + * Get the role name. + * + * @return The role name. + */ + public String getRoleName() { + return roleName; + } + + /** + * Get the role description. + * + * @return The role description. + */ + public String getDescription() { + return description; + } + + /** + * Get the role type. + * + * @return The role type. + */ + public String getRoleType() { + return roleType; + } + + /** + * Get the {@link KeyVaultRoleDefinition role definition}'s {@link KeyVaultPermission permissions}. + * + * @return The {@link KeyVaultRoleDefinition role definition}'s {@link KeyVaultPermission permissions}. 
+ */ + public List getPermissions() { + return permissions; + } + + /** + * Get the {@link KeyVaultRoleDefinition role definition}'s assignable scopes. + * + * @return The {@link KeyVaultRoleDefinition role definition}'s assignable scopes. + */ + public List getAssignableScopes() { + return assignableScopes; + } +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/package-info.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/package-info.java new file mode 100644 index 000000000000..a53d8c9c2c32 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/models/package-info.java @@ -0,0 +1,10 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +/** + * Package containing classes used by + * {@link com.azure.security.keyvault.administration.KeyVaultAccessControlAsyncClient} and + * {@link com.azure.security.keyvault.administration.KeyVaultAccessControlClient} to perform access control + * operations on Azure Key Vault resources. + */ +package com.azure.security.keyvault.administration.models; diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/package-info.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/package-info.java new file mode 100644 index 000000000000..b1e6ea894df0 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/package-info.java 
@@ -0,0 +1,10 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +/** + * Package containing classes for creating clients + * {@link com.azure.security.keyvault.administration.KeyVaultAccessControlAsyncClient} and + * {@link com.azure.security.keyvault.administration.KeyVaultAccessControlClient} that perform access control + * operations on Azure Key Vault resources. + */ +package com.azure.security.keyvault.administration; diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/java/module-info.java b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/module-info.java new file mode 100644 index 000000000000..8bd509800fd7 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/java/module-info.java @@ -0,0 +1,16 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +module com.azure.security.keyvault.administration { + requires transitive com.azure.core; + + exports com.azure.security.keyvault.administration; + exports com.azure.security.keyvault.administration.models; + exports com.azure.security.keyvault.administration.implementation; + exports com.azure.security.keyvault.administration.implementation.models; + + opens com.azure.security.keyvault.administration to com.fasterxml.jackson.databind; + opens com.azure.security.keyvault.administration.models to com.fasterxml.jackson.databind; + opens com.azure.security.keyvault.administration.implementation to com.fasterxml.jackson.databind; + opens com.azure.security.keyvault.administration.implementation.models to com.fasterxml.jackson.databind; +} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/resources/azure-key-vault-administration.properties b/sdk/keyvault/azure-security-keyvault-administration/src/main/resources/azure-key-vault-administration.properties new file mode 100644 index 000000000000..ca812989b4f2 --- /dev/null 
+++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/resources/azure-key-vault-administration.properties @@ -0,0 +1,2 @@ +name=${project.artifactId} +version=${project.version} diff --git a/sdk/keyvault/azure-security-keyvault-administration/src/main/resources/kvErrorStrings.properties b/sdk/keyvault/azure-security-keyvault-administration/src/main/resources/kvErrorStrings.properties new file mode 100644 index 000000000000..664cfe25c2c1 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/src/main/resources/kvErrorStrings.properties @@ -0,0 +1,3 @@ +credential_required=Azure Key Vault credentials are required. +vault_endpoint_required=Azure Key Vault endpoint url is required. +parameter_required=%s cannot be null. diff --git a/sdk/keyvault/azure-security-keyvault-administration/swagger/autorest.md b/sdk/keyvault/azure-security-keyvault-administration/swagger/autorest.md new file mode 100644 index 000000000000..3c96b1a3de64 --- /dev/null +++ b/sdk/keyvault/azure-security-keyvault-administration/swagger/autorest.md 
@@ -0,0 +1,52 @@ +# Azure Key Vault Administration for Java +> see https://aka.ms/autorest + +### Setup +Increase max memory if you're using Autorest older than 3. Set the environment variable `NODE_OPTIONS` to `--max-old-space-size=8192`. + +This is the AutoRest configuration file for KeyVaultAccessControlClient. +--- +## Getting Started +To build the SDK for KeyVaultAccessControlClient, simply [Install AutoRest](https://github.com/Azure/autorest/blob/master/docs/installing-autorest.md) and in this folder, run: + +> `autorest` + +To see additional help and options, run: + +> `autorest --help` + +### Generation +There is one swagger for KeyVault Administration: rbac. It uses the following tag: `--tag=rbac-preview`. + +```ps +cd +autorest --use=@microsoft.azure/autorest.java@4.0.0 --tag=${package} +``` + +e.g. +```ps +cd +autorest --use=@microsoft.azure/autorest.java@4.0.0 --tag=rbac-preview +``` + +## Code generation settings +``` yaml +java: true +output-folder: ../ +namespace: com.azure.security.keyvault.administration +license-header: MICROSOFT_MIT_SMALL +models-subpackage: implementation.models +custom-types-subpackage: models +generate-client-as-impl: true +sync-methods: none +add-context-parameter: true +context-client-method-parameter: true +``` + +### Tag: rbac-preview +These settings apply only when `--tag=rbac-preview` is specified on the command line. + +``` yaml $(tag) == 'rbac-preview' +input-file: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/rbac.json +title: KeyVaultAccessControlClient +``` diff --git a/sdk/keyvault/pom.xml b/sdk/keyvault/pom.xml index 5f620284c6a4..6042dcedc8af 100644 --- a/sdk/keyvault/pom.xml +++ b/sdk/keyvault/pom.xml @@ -1,6 +1,6 @@ - 4.0.0 com.azure 
@@ -16,6 +16,7 @@ microsoft-azure-keyvault-cryptography microsoft-azure-keyvault-extensions microsoft-azure-keyvault-test + azure-security-keyvault-administration azure-security-keyvault-certificates azure-security-keyvault-keys azure-security-keyvault-secrets
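Review bot: In KeyVaultPermission.java the constructor stores the four caller-supplied lists by reference and the getters return those same references, so the allowed and denied action sets of a permission can be changed after construction by any code that holds one of the lists. The fields are also non-final although the class has no setters. Consider declaring the four fields final and copying each list into an unmodifiable one in the constructor (with an explicit decision on whether null is accepted), so that a permission read from a role definition is a stable snapshot.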
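Review bot: In KeyVaultRoleAssignmentScope.java, fromUri passes `uri.getRawPath()` straight to fromString with no null check and no normalization. A null uri fails with a bare NullPointerException rather than the parameter_required message used in KeyVaultRoleAssignmentProperties, an opaque URI has a null path and so yields a null scope, a URI with an empty path yields a scope of "" rather than GLOBAL, and a path such as "/keys/" becomes a new scope value that does not equal KEYS. Since the scope decides where a role assignment applies, validate the argument and document (or normalize) which path forms map to GLOBAL and KEYS. The GLOBAL and KEYS constants also have no Javadoc, and the two factory methods share the same summary sentence.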
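Review bot: KeyVaultRoleDefinition.java declares `private List scopes;` but the constructor never assigns it and no accessor exposes it, so the field is always null and unused; remove it or wire it through the constructor and a getter. The Javadoc in the same file has copy-paste slips: the `properties` parameter, getType() and the `@return` of getProperties() all say "role assignment" where "role definition" is meant.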
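Review bot: The package Javadoc in implementation/models/package-info.java and implementation/package-info.java states that the client "performs cryptographic key operations and vault operations", which does not match KeyVaultAccessControlClient; the hand-written models/package-info.java and the top-level package-info.java describe it as performing access control operations. Align the two implementation descriptions with that wording so the generated docs do not suggest this package handles key operations.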
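Review bot: module-info.java exports com.azure.security.keyvault.administration.implementation and com.azure.security.keyvault.administration.implementation.models without qualification, which puts the generated implementation types on the module's public surface where consumers can compile against them. The `opens ... to com.fasterxml.jackson.databind` lines already grant Jackson reflective access to those packages, so the two implementation `exports` lines look unnecessary; drop them, or use a qualified `exports ... to` if another module really needs them.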
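Review bot: In swagger/autorest.md the `input-file` under the rbac-preview tag points at `blob/master` in azure-rest-api-specs, so a later regeneration can pick up a different rbac.json than the one these models were generated from, with no change visible in this repository. Pin the URL to a specific commit so the generated access control models are reproducible and spec changes arrive as a reviewed update to this file.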