Azure Management Plane vs Data Plane A principal can manage Azure resources through ARM while data access for Storage and Key Vault is evaluated separately through data roles or service-specific authorization. Azure Management Plane vs Data Plane Teaching point: being able to manage a resource does not automatically mean being able to read its data. Principal user, group, SP Management plane Azure ARM role assignment Resource configure / deploy Data Role service-specific Data plane examples Storage Blob data access Key Vault secret access Can read data? check data auth Can read secret? check vault model Decision rule: always name the plane, the scope, and the resource-specific authorization path.