From 69d36df10df3d8a2b474635eefa1b18c2b0bc3f0 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Wed, 3 Jun 2020 11:26:35 -0500
Subject: [PATCH 01/20] poc of generated client

---
 .../CHANGELOG.md                              |   3 +
 .../readme.md                                 |  47 ++
 .../src/AccessControlClient.cs                | 169 ++++++
 .../src/AccessControlClientOptions.cs         |  67 +++
 ...re.Security.KeyVault.Administration.csproj |  36 ++
 .../Generated/Models/Error.Serialization.cs   |  53 ++
 .../src/Generated/Models/Error.cs             |  36 ++
 .../Models/KeyVaultError.Serialization.cs     |  33 ++
 .../src/Generated/Models/KeyVaultError.cs     |  28 +
 .../KeyVaultPermission.Serialization.cs       | 112 ++++
 .../Generated/Models/KeyVaultPermission.cs    |  42 ++
 .../Models/RoleAssignment.Serialization.cs    |  63 ++
 .../src/Generated/Models/RoleAssignment.cs    |  40 ++
 ...ssignmentCreateParameters.Serialization.cs |  23 +
 .../Models/RoleAssignmentCreateParameters.cs  |  30 +
 .../Generated/Models/RoleAssignmentFilter.cs  |  28 +
 .../RoleAssignmentListResult.Serialization.cs |  56 ++
 .../Models/RoleAssignmentListResult.cs        |  34 ++
 .../RoleAssignmentProperties.Serialization.cs |  25 +
 .../Models/RoleAssignmentProperties.cs        |  38 ++
 ...gnmentPropertiesWithScope.Serialization.cs |  53 ++
 .../RoleAssignmentPropertiesWithScope.cs      |  36 ++
 .../Models/RoleDefinition.Serialization.cs    | 135 +++++
 .../src/Generated/Models/RoleDefinition.cs    |  58 ++
 .../Generated/Models/RoleDefinitionFilter.cs  |  28 +
 .../RoleDefinitionListResult.Serialization.cs |  56 ++
 .../Models/RoleDefinitionListResult.cs        |  34 ++
 .../Generated/RoleAssignmentsRestClient.cs    | 559 ++++++++++++++++++
 .../Generated/RoleDefinitionsRestClient.cs    | 239 ++++++++
 .../src/KeyVaultPermision.cs                  |  13 +
 .../src/autorest.md                           |  14 +
 sdk/keyvault/Azure.Security.KeyVault.sln      |   8 +-
 32 files changed, 2195 insertions(+), 1 deletion(-)
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClientOptions.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentFilter.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionFilter.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleDefinitionsRestClient.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultPermision.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
new file mode 100644
index 0000000000000..a7611de6197e6
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
@@ -0,0 +1,3 @@
+# Release History
+
+## 4.2.0-preview.1 (Unreleased)
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
new file mode 100644
index 0000000000000..71bb904a73dba
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
@@ -0,0 +1,47 @@
+# Azure KeyVault Administration client library for .NET
+
+Content forthcoming
+
+## Getting started
+
+Content forthcoming
+
+### Install the package
+
+Content forthcoming
+
+### Authenticate the client
+
+Content forthcoming
+
+## Key concepts
+
+Content forthcoming
+
+## Examples
+
+Content forthcoming
+
+## Troubleshooting
+
+Content forthcoming
+
+## Next steps
+
+Content forthcoming
+
+## Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require
+you to agree to a Contributor License Agreement (CLA) declaring that you have
+the right to, and actually do, grant us the rights to use your contribution. For
+details, visit [cla.microsoft.com][cla].
+
+This project has adopted the [Microsoft Open Source Code of Conduct][coc].
+For more information see the [Code of Conduct FAQ][coc_faq]
+or contact [opencode@microsoft.com][coc_contact] with any
+additional questions or comments.
+
+<!-- LINKS -->
+
+![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-net%2Fsdk%2Ftables%2FAzure.Data.Tables%2FREADME.png)
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
new file mode 100644
index 0000000000000..a8fbed321ea36
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
@@ -0,0 +1,169 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Azure.Security.KeyVault;
+using Azure.Security.KeyVault.Administration.Models;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    /// <summary>
+    /// The Client.
+    /// </summary>
+    public class AccessControlClient
+    {
+        private readonly RoleDefinitionsRestClient _definitionsRestClient;
+        private readonly RoleAssignmentsRestClient _assignmentsRestClient;
+
+        /// <summary>
+        /// The vault Uri.
+        /// </summary>
+        /// <value></value>
+        public Uri VaultUri { get; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AccessControlClient"/> class for mocking.
+        /// </summary>
+        protected AccessControlClient()
+        {
+
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AccessControlClient"/> class for the specified vault.
+        /// </summary>
+        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
+        /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
+        /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
+        public AccessControlClient(Uri vaultUri, TokenCredential credential)
+            : this(vaultUri, credential, null)
+        {
+
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AccessControlClient"/> class for the specified vault.
+        /// </summary>
+        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
+        /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
+        /// <param name="options"><see cref="AccessControlClientOptions"/> that allow to configure the management of the request sent to Key Vault.</param>
+        /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
+        public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessControlClientOptions options)
+        {
+            VaultUri = vaultUri;
+            Argument.AssertNotNull(vaultUri, nameof(vaultUri));
+            Argument.AssertNotNull(credential, nameof(credential));
+
+            options ??= new AccessControlClientOptions();
+            string apiVersion = options.GetVersionString();
+
+            HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
+                    new ChallengeBasedAuthenticationPolicy(credential));
+
+            var diagnostics = new ClientDiagnostics(options);
+            _definitionsRestClient = new RoleDefinitionsRestClient(diagnostics, pipeline, apiVersion);
+            _assignmentsRestClient = new RoleAssignmentsRestClient(diagnostics, pipeline, apiVersion);
+        }
+
+        /// <summary>
+        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// </summary>
+        /// <param name="scope"></param>
+        /// <param name="cancellationToken"></param>
+        /// <returns></returns>
+        public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateEnumerable(_ =>
+            {
+                var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.AbsoluteUri, cancellationToken: cancellationToken);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            }, (nextLink, _) =>
+            {
+                var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.AbsoluteUri, cancellationToken: cancellationToken);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            });
+        }
+
+        /// <summary>
+        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// </summary>
+        /// <param name="scope"></param>
+        /// <param name="cancellationToken"></param>
+        /// <returns></returns>
+        public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateEnumerable(_ =>
+            {
+                var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            }, (nextLink, _) =>
+            {
+                var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            });
+        }
+
+        /// <summary>
+        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// </summary>
+        /// <param name="scope"></param>
+        /// <param name="cancellationToken"></param>
+        /// <returns></returns>
+        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateAsyncEnumerable(async _ =>
+            {
+                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.AbsoluteUri, cancellationToken: cancellationToken)
+                    .ConfigureAwait(false);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            }, async (nextLink, _) =>
+            {
+                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.AbsoluteUri, cancellationToken: cancellationToken)
+                    .ConfigureAwait(false);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            });
+        }
+
+        /// <summary>
+        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// </summary>
+        /// <param name="scope"></param>
+        /// <param name="cancellationToken"></param>
+        /// <returns></returns>
+        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateAsyncEnumerable(async _ =>
+            {
+                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
+                    .ConfigureAwait(false);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            }, async (nextLink, _) =>
+            {
+                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
+                    .ConfigureAwait(false);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            });
+        }
+
+        // public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, CancellationToken cancellationToken = default) => null;
+        // public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, CancellationToken cancellationToken = default) => null;
+        // public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope, CancellationToken cancellationToken = default) => null;
+        // public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scope, CancellationToken cancellationToken = default) => null;
+
+        // // The role assignment name will be created automatically. The swagger specification reads, "The name of the role assignment to create. It can be any valid GUID."
+        // public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
+        // public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
+        // public virtual Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
+        // public virtual Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
+
+        // public virtual Response<RoleAssignment> GetRoleAssignment(string name, CancellationToken cancellationToken = default) => null;
+        // public virtual Task<Response<RoleAssignment>> GetRoleAssignmentAsync(string name, CancellationToken cancellation = default) => null;
+
+        // public virtual Response<RoleAssignment> DeleteRoleAssignment(string name, CancellationToken cancellationToken = default) => null;
+        // public virtual Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(string name, CancellationToken cancellation = default) => null;
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClientOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClientOptions.cs
new file mode 100644
index 0000000000000..7b90594ef16af
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClientOptions.cs
@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    /// <summary>
+    /// Options that allow you to configure the requests sent to Key Vault.
+    /// </summary>
+    public class AccessControlClientOptions : ClientOptions
+    {
+        /// <summary>
+        /// The latest service version supported by this client library.
+        /// For more information, see
+        /// <see href="https://docs.microsoft.com/en-us/rest/api/keyvault/key-vault-versions"/>.
+        /// </summary>
+        internal const ServiceVersion LatestVersion = ServiceVersion.V7_2_Preview;
+
+        /// <summary>
+        /// The versions of Azure Key Vault supported by this client
+        /// library.
+        /// </summary>
+        public enum ServiceVersion
+        {
+#pragma warning disable CA1707 // Identifiers should not contain underscores
+            /// <summary>
+            /// The Key Vault API version 7.2-preview.
+            /// </summary>
+            V7_2_Preview = 1,
+#pragma warning restore CA1707 // Identifiers should not contain underscores
+        }
+
+        /// <summary>
+        /// Gets the <see cref="ServiceVersion"/> of the service API used when
+        /// making requests. For more information, see
+        /// <see href="https://docs.microsoft.com/en-us/rest/api/keyvault/key-vault-versions"/>.
+        /// </summary>
+        public ServiceVersion Version { get; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AccessControlClientOptions"/> class.
+        /// class.
+        /// </summary>
+        /// <param name="version">
+        /// The <see cref="ServiceVersion"/> of the service API used when
+        /// making requests.
+        /// </param>
+        public AccessControlClientOptions(ServiceVersion version = LatestVersion)
+        {
+            Version = version;
+
+            this.ConfigureLogging();
+        }
+
+        internal string GetVersionString()
+        {
+            return Version switch
+            {
+                ServiceVersion.V7_2_Preview => "7.2-preview",
+
+                _ => throw new ArgumentException(Version.ToString()),
+            };
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
new file mode 100644
index 0000000000000..86f635d1a7aa1
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
@@ -0,0 +1,36 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+<PropertyGroup>
+    <Description>This is the Microsoft Azure Key Vault Administration client library</Description>
+    <AssemblyTitle>Microsoft Azure.Security.KeyVault.Administration client library</AssemblyTitle>
+    <Version>4.2.0-preview.1</Version>
+    <PackageTags>Microsoft Azure Key Vault Administration;$(PackageCommonTags)</PackageTags>
+    <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
+    <EnableApiCompat>false</EnableApiCompat>
+    <NoWarn>$(NoWarn);3021;CA1812</NoWarn>
+  </PropertyGroup>
+
+  <Import Project="..\..\Azure.Security.KeyVault.Shared\src\Azure.Security.KeyVault.Shared.projitems" Label="Shared" />
+    
+  <ItemGroup>
+    <PackageReference Include="System.Text.Json" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="$(AzureCoreSharedSources)NoBodyResponse{T}.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)ForwardsClientCallsAttribute.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="$(AzureCoreSharedSources)Argument.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)ArrayBufferWriter.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)AzureKeyCredentialPolicy.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)ClientDiagnostics.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)ContentTypeUtilities.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)DiagnosticScope.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)DiagnosticScopeFactory.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)HttpMessageSanitizer.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)OperationHelpers.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)TaskExtensions.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+  </ItemGroup>
+
+  <Import Project="$(MSBuildThisFileDirectory)..\..\..\core\Azure.Core\src\Azure.Core.props" />
+</Project>
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.Serialization.cs
new file mode 100644
index 0000000000000..093080307c932
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.Serialization.cs
@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    internal partial class Error
+    {
+        internal static Error DeserializeError(JsonElement element)
+        {
+            string code = default;
+            string message = default;
+            Error innererror = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("code"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    code = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("message"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    message = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("innererror"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    innererror = DeserializeError(property.Value);
+                    continue;
+                }
+            }
+            return new Error(code, message, innererror);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.cs
new file mode 100644
index 0000000000000..f2d129460a540
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/Error.cs
@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> The key vault server error. </summary>
+    internal partial class Error
+    {
+        /// <summary> Initializes a new instance of Error. </summary>
+        internal Error()
+        {
+        }
+
+        /// <summary> Initializes a new instance of Error. </summary>
+        /// <param name="code"> The error code. </param>
+        /// <param name="message"> The error message. </param>
+        /// <param name="innerError"> The key vault server error. </param>
+        internal Error(string code, string message, Error innerError)
+        {
+            Code = code;
+            Message = message;
+            InnerError = innerError;
+        }
+
+        /// <summary> The error code. </summary>
+        public string Code { get; }
+        /// <summary> The error message. </summary>
+        public string Message { get; }
+        /// <summary> The key vault server error. </summary>
+        public Error InnerError { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.Serialization.cs
new file mode 100644
index 0000000000000..a89434d3bd6b5
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.Serialization.cs
@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    internal partial class KeyVaultError
+    {
+        internal static KeyVaultError DeserializeKeyVaultError(JsonElement element)
+        {
+            Error error = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("error"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    error = Error.DeserializeError(property.Value);
+                    continue;
+                }
+            }
+            return new KeyVaultError(error);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.cs
new file mode 100644
index 0000000000000..c5290b49abc7e
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultError.cs
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> The key vault error exception. </summary>
+    internal partial class KeyVaultError
+    {
+        /// <summary> Initializes a new instance of KeyVaultError. </summary>
+        internal KeyVaultError()
+        {
+        }
+
+        /// <summary> Initializes a new instance of KeyVaultError. </summary>
+        /// <param name="error"> The key vault server error. </param>
+        internal KeyVaultError(Error error)
+        {
+            Error = error;
+        }
+
+        /// <summary> The key vault server error. </summary>
+        public Error Error { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.Serialization.cs
new file mode 100644
index 0000000000000..272f8558f375e
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.Serialization.cs
@@ -0,0 +1,112 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class KeyVaultPermission
+    {
+        internal static KeyVaultPermission DeserializeKeyVaultPermission(JsonElement element)
+        {
+            IReadOnlyList<string> actions = default;
+            IReadOnlyList<string> notActions = default;
+            IReadOnlyList<string> dataActions = default;
+            IReadOnlyList<string> notDataActions = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("actions"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<string> array = new List<string>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(item.GetString());
+                        }
+                    }
+                    actions = array;
+                    continue;
+                }
+                if (property.NameEquals("notActions"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<string> array = new List<string>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(item.GetString());
+                        }
+                    }
+                    notActions = array;
+                    continue;
+                }
+                if (property.NameEquals("dataActions"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<string> array = new List<string>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(item.GetString());
+                        }
+                    }
+                    dataActions = array;
+                    continue;
+                }
+                if (property.NameEquals("notDataActions"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<string> array = new List<string>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(item.GetString());
+                        }
+                    }
+                    notDataActions = array;
+                    continue;
+                }
+            }
+            return new KeyVaultPermission(actions, notActions, dataActions, notDataActions);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.cs
new file mode 100644
index 0000000000000..e2d834bc31bb2
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/KeyVaultPermission.cs
@@ -0,0 +1,42 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role definition permissions. </summary>
+    public partial class KeyVaultPermission
+    {
+        /// <summary> Initializes a new instance of KeyVaultPermission. </summary>
+        internal KeyVaultPermission()
+        {
+        }
+
+        /// <summary> Initializes a new instance of KeyVaultPermission. </summary>
+        /// <param name="actions"> Allowed actions. </param>
+        /// <param name="notActions"> Denied actions. </param>
+        /// <param name="dataActions"> Allowed Data actions. </param>
+        /// <param name="notDataActions"> Denied Data actions. </param>
+        internal KeyVaultPermission(IReadOnlyList<string> actions, IReadOnlyList<string> notActions, IReadOnlyList<string> dataActions, IReadOnlyList<string> notDataActions)
+        {
+            Actions = actions;
+            NotActions = notActions;
+            DataActions = dataActions;
+            NotDataActions = notDataActions;
+        }
+
+        /// <summary> Allowed actions. </summary>
+        public IReadOnlyList<string> Actions { get; }
+        /// <summary> Denied actions. </summary>
+        public IReadOnlyList<string> NotActions { get; }
+        /// <summary> Allowed Data actions. </summary>
+        public IReadOnlyList<string> DataActions { get; }
+        /// <summary> Denied Data actions. </summary>
+        public IReadOnlyList<string> NotDataActions { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.Serialization.cs
new file mode 100644
index 0000000000000..d01bc11bed94f
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.Serialization.cs
@@ -0,0 +1,63 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleAssignment
+    {
+        internal static RoleAssignment DeserializeRoleAssignment(JsonElement element)
+        {
+            string id = default;
+            string name = default;
+            string type = default;
+            RoleAssignmentPropertiesWithScope properties = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("id"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    id = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("name"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    name = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("type"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    type = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("properties"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    properties = RoleAssignmentPropertiesWithScope.DeserializeRoleAssignmentPropertiesWithScope(property.Value);
+                    continue;
+                }
+            }
+            return new RoleAssignment(id, name, type, properties);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.cs
new file mode 100644
index 0000000000000..feaa794113d23
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignment.cs
@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role Assignments. </summary>
+    public partial class RoleAssignment
+    {
+        /// <summary> Initializes a new instance of RoleAssignment. </summary>
+        internal RoleAssignment()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleAssignment. </summary>
+        /// <param name="id"> The role assignment ID. </param>
+        /// <param name="name"> The role assignment name. </param>
+        /// <param name="type"> The role assignment type. </param>
+        /// <param name="properties"> Role assignment properties. </param>
+        internal RoleAssignment(string id, string name, string type, RoleAssignmentPropertiesWithScope properties)
+        {
+            Id = id;
+            Name = name;
+            Type = type;
+            Properties = properties;
+        }
+
+        /// <summary> The role assignment ID. </summary>
+        public string Id { get; }
+        /// <summary> The role assignment name. </summary>
+        public string Name { get; }
+        /// <summary> The role assignment type. </summary>
+        public string Type { get; }
+        /// <summary> Role assignment properties. </summary>
+        public RoleAssignmentPropertiesWithScope Properties { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.Serialization.cs
new file mode 100644
index 0000000000000..e1405bf052907
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.Serialization.cs
@@ -0,0 +1,23 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleAssignmentCreateParameters : IUtf8JsonSerializable
+    {
+        void IUtf8JsonSerializable.Write(Utf8JsonWriter writer)
+        {
+            writer.WriteStartObject();
+            writer.WritePropertyName("properties");
+            writer.WriteObjectValue(Properties);
+            writer.WriteEndObject();
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.cs
new file mode 100644
index 0000000000000..373046729fa42
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.cs
@@ -0,0 +1,30 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment create parameters. </summary>
+    public partial class RoleAssignmentCreateParameters
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentCreateParameters. </summary>
+        /// <param name="properties"> Role assignment properties. </param>
+        public RoleAssignmentCreateParameters(RoleAssignmentProperties properties)
+        {
+            if (properties == null)
+            {
+                throw new ArgumentNullException(nameof(properties));
+            }
+
+            Properties = properties;
+        }
+
+        /// <summary> Role assignment properties. </summary>
+        public RoleAssignmentProperties Properties { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentFilter.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentFilter.cs
new file mode 100644
index 0000000000000..1cebb3647a651
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentFilter.cs
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role Assignments filter. </summary>
+    internal partial class RoleAssignmentFilter
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentFilter. </summary>
+        internal RoleAssignmentFilter()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleAssignmentFilter. </summary>
+        /// <param name="principalId"> Returns role assignment of the specific principal. </param>
+        internal RoleAssignmentFilter(string principalId)
+        {
+            PrincipalId = principalId;
+        }
+
+        /// <summary> Returns role assignment of the specific principal. </summary>
+        public string PrincipalId { get; set; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
new file mode 100644
index 0000000000000..fcbf054d8326e
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
@@ -0,0 +1,56 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleAssignmentListResult
+    {
+        internal static RoleAssignmentListResult DeserializeRoleAssignmentListResult(JsonElement element)
+        {
+            IReadOnlyList<RoleAssignment> value = default;
+            string nextLink = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("value"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<RoleAssignment> array = new List<RoleAssignment>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(RoleAssignment.DeserializeRoleAssignment(item));
+                        }
+                    }
+                    value = array;
+                    continue;
+                }
+                if (property.NameEquals("nextLink"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    nextLink = property.Value.GetString();
+                    continue;
+                }
+            }
+            return new RoleAssignmentListResult(value, nextLink);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
new file mode 100644
index 0000000000000..b8643f65c58b6
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment list operation result. </summary>
+    public partial class RoleAssignmentListResult
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentListResult. </summary>
+        internal RoleAssignmentListResult()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleAssignmentListResult. </summary>
+        /// <param name="value"> Role assignment list. </param>
+        /// <param name="nextLink"> The URL to use for getting the next set of results. </param>
+        internal RoleAssignmentListResult(IReadOnlyList<RoleAssignment> value, string nextLink)
+        {
+            Value = value;
+            NextLink = nextLink;
+        }
+
+        /// <summary> Role assignment list. </summary>
+        public IReadOnlyList<RoleAssignment> Value { get; }
+        /// <summary> The URL to use for getting the next set of results. </summary>
+        public string NextLink { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.Serialization.cs
new file mode 100644
index 0000000000000..a5c5d1fb11384
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.Serialization.cs
@@ -0,0 +1,25 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleAssignmentProperties : IUtf8JsonSerializable
+    {
+        void IUtf8JsonSerializable.Write(Utf8JsonWriter writer)
+        {
+            writer.WriteStartObject();
+            writer.WritePropertyName("roleDefinitionId");
+            writer.WriteStringValue(RoleDefinitionId);
+            writer.WritePropertyName("principalId");
+            writer.WriteStringValue(PrincipalId);
+            writer.WriteEndObject();
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.cs
new file mode 100644
index 0000000000000..e650e69d2e866
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentProperties.cs
@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment properties. </summary>
+    public partial class RoleAssignmentProperties
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentProperties. </summary>
+        /// <param name="roleDefinitionId"> The role definition ID used in the role assignment. </param>
+        /// <param name="principalId"> The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. </param>
+        public RoleAssignmentProperties(string roleDefinitionId, string principalId)
+        {
+            if (roleDefinitionId == null)
+            {
+                throw new ArgumentNullException(nameof(roleDefinitionId));
+            }
+            if (principalId == null)
+            {
+                throw new ArgumentNullException(nameof(principalId));
+            }
+
+            RoleDefinitionId = roleDefinitionId;
+            PrincipalId = principalId;
+        }
+
+        /// <summary> The role definition ID used in the role assignment. </summary>
+        public string RoleDefinitionId { get; }
+        /// <summary> The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. </summary>
+        public string PrincipalId { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.Serialization.cs
new file mode 100644
index 0000000000000..e4aedccebeea3
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.Serialization.cs
@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleAssignmentPropertiesWithScope
+    {
+        internal static RoleAssignmentPropertiesWithScope DeserializeRoleAssignmentPropertiesWithScope(JsonElement element)
+        {
+            string scope = default;
+            string roleDefinitionId = default;
+            string principalId = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("scope"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    scope = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("roleDefinitionId"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    roleDefinitionId = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("principalId"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    principalId = property.Value.GetString();
+                    continue;
+                }
+            }
+            return new RoleAssignmentPropertiesWithScope(scope, roleDefinitionId, principalId);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.cs
new file mode 100644
index 0000000000000..9618cf35ad9b1
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentPropertiesWithScope.cs
@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment properties with scope. </summary>
+    public partial class RoleAssignmentPropertiesWithScope
+    {
+        /// <summary> Initializes a new instance of RoleAssignmentPropertiesWithScope. </summary>
+        internal RoleAssignmentPropertiesWithScope()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleAssignmentPropertiesWithScope. </summary>
+        /// <param name="scope"> The role assignment scope. </param>
+        /// <param name="roleDefinitionId"> The role definition ID. </param>
+        /// <param name="principalId"> The principal ID. </param>
+        internal RoleAssignmentPropertiesWithScope(string scope, string roleDefinitionId, string principalId)
+        {
+            Scope = scope;
+            RoleDefinitionId = roleDefinitionId;
+            PrincipalId = principalId;
+        }
+
+        /// <summary> The role assignment scope. </summary>
+        public string Scope { get; }
+        /// <summary> The role definition ID. </summary>
+        public string RoleDefinitionId { get; }
+        /// <summary> The principal ID. </summary>
+        public string PrincipalId { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.Serialization.cs
new file mode 100644
index 0000000000000..c7ac9a18033b5
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.Serialization.cs
@@ -0,0 +1,135 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleDefinition
+    {
+        internal static RoleDefinition DeserializeRoleDefinition(JsonElement element)
+        {
+            string id = default;
+            string name = default;
+            string type = default;
+            string roleName = default;
+            string description = default;
+            string type0 = default;
+            IReadOnlyList<KeyVaultPermission> permissions = default;
+            IReadOnlyList<string> assignableScopes = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("id"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    id = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("name"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    name = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("type"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    type = property.Value.GetString();
+                    continue;
+                }
+                if (property.NameEquals("properties"))
+                {
+                    foreach (var property0 in property.Value.EnumerateObject())
+                    {
+                        if (property0.NameEquals("roleName"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            roleName = property0.Value.GetString();
+                            continue;
+                        }
+                        if (property0.NameEquals("description"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            description = property0.Value.GetString();
+                            continue;
+                        }
+                        if (property0.NameEquals("type"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            type0 = property0.Value.GetString();
+                            continue;
+                        }
+                        if (property0.NameEquals("permissions"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            List<KeyVaultPermission> array = new List<KeyVaultPermission>();
+                            foreach (var item in property0.Value.EnumerateArray())
+                            {
+                                if (item.ValueKind == JsonValueKind.Null)
+                                {
+                                    array.Add(null);
+                                }
+                                else
+                                {
+                                    array.Add(KeyVaultPermission.DeserializeKeyVaultPermission(item));
+                                }
+                            }
+                            permissions = array;
+                            continue;
+                        }
+                        if (property0.NameEquals("assignableScopes"))
+                        {
+                            if (property0.Value.ValueKind == JsonValueKind.Null)
+                            {
+                                continue;
+                            }
+                            List<string> array = new List<string>();
+                            foreach (var item in property0.Value.EnumerateArray())
+                            {
+                                if (item.ValueKind == JsonValueKind.Null)
+                                {
+                                    array.Add(null);
+                                }
+                                else
+                                {
+                                    array.Add(item.GetString());
+                                }
+                            }
+                            assignableScopes = array;
+                            continue;
+                        }
+                    }
+                    continue;
+                }
+            }
+            return new RoleDefinition(id, name, type, roleName, description, type0, permissions, assignableScopes);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.cs
new file mode 100644
index 0000000000000..8ede71adf7a33
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinition.cs
@@ -0,0 +1,58 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role definition. </summary>
+    public partial class RoleDefinition
+    {
+        /// <summary> Initializes a new instance of RoleDefinition. </summary>
+        internal RoleDefinition()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleDefinition. </summary>
+        /// <param name="id"> The role definition ID. </param>
+        /// <param name="name"> The role definition name. </param>
+        /// <param name="type"> The role definition type. </param>
+        /// <param name="roleName"> The role name. </param>
+        /// <param name="description"> The role definition description. </param>
+        /// <param name="roleType"> The role type. </param>
+        /// <param name="permissions"> Role definition permissions. </param>
+        /// <param name="assignableScopes"> Role definition assignable scopes. </param>
+        internal RoleDefinition(string id, string name, string type, string roleName, string description, string roleType, IReadOnlyList<KeyVaultPermission> permissions, IReadOnlyList<string> assignableScopes)
+        {
+            Id = id;
+            Name = name;
+            Type = type;
+            RoleName = roleName;
+            Description = description;
+            RoleType = roleType;
+            Permissions = permissions;
+            AssignableScopes = assignableScopes;
+        }
+
+        /// <summary> The role definition ID. </summary>
+        public string Id { get; }
+        /// <summary> The role definition name. </summary>
+        public string Name { get; }
+        /// <summary> The role definition type. </summary>
+        public string Type { get; }
+        /// <summary> The role name. </summary>
+        public string RoleName { get; }
+        /// <summary> The role definition description. </summary>
+        public string Description { get; }
+        /// <summary> The role type. </summary>
+        public string RoleType { get; }
+        /// <summary> Role definition permissions. </summary>
+        public IReadOnlyList<KeyVaultPermission> Permissions { get; }
+        /// <summary> Role definition assignable scopes. </summary>
+        public IReadOnlyList<string> AssignableScopes { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionFilter.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionFilter.cs
new file mode 100644
index 0000000000000..b0f1a576708c1
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionFilter.cs
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role Definitions filter. </summary>
+    internal partial class RoleDefinitionFilter
+    {
+        /// <summary> Initializes a new instance of RoleDefinitionFilter. </summary>
+        internal RoleDefinitionFilter()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleDefinitionFilter. </summary>
+        /// <param name="roleName"> Returns role definition with the specific name. </param>
+        internal RoleDefinitionFilter(string roleName)
+        {
+            RoleName = roleName;
+        }
+
+        /// <summary> Returns role definition with the specific name. </summary>
+        public string RoleName { get; set; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
new file mode 100644
index 0000000000000..d112ad1b6e96c
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
@@ -0,0 +1,56 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+using System.Text.Json;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class RoleDefinitionListResult
+    {
+        internal static RoleDefinitionListResult DeserializeRoleDefinitionListResult(JsonElement element)
+        {
+            IReadOnlyList<RoleDefinition> value = default;
+            string nextLink = default;
+            foreach (var property in element.EnumerateObject())
+            {
+                if (property.NameEquals("value"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    List<RoleDefinition> array = new List<RoleDefinition>();
+                    foreach (var item in property.Value.EnumerateArray())
+                    {
+                        if (item.ValueKind == JsonValueKind.Null)
+                        {
+                            array.Add(null);
+                        }
+                        else
+                        {
+                            array.Add(RoleDefinition.DeserializeRoleDefinition(item));
+                        }
+                    }
+                    value = array;
+                    continue;
+                }
+                if (property.NameEquals("nextLink"))
+                {
+                    if (property.Value.ValueKind == JsonValueKind.Null)
+                    {
+                        continue;
+                    }
+                    nextLink = property.Value.GetString();
+                    continue;
+                }
+            }
+            return new RoleDefinitionListResult(value, nextLink);
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
new file mode 100644
index 0000000000000..b99d96a152485
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role definition list operation result. </summary>
+    public partial class RoleDefinitionListResult
+    {
+        /// <summary> Initializes a new instance of RoleDefinitionListResult. </summary>
+        internal RoleDefinitionListResult()
+        {
+        }
+
+        /// <summary> Initializes a new instance of RoleDefinitionListResult. </summary>
+        /// <param name="value"> Role definition list. </param>
+        /// <param name="nextLink"> The URL to use for getting the next set of results. </param>
+        internal RoleDefinitionListResult(IReadOnlyList<RoleDefinition> value, string nextLink)
+        {
+            Value = value;
+            NextLink = nextLink;
+        }
+
+        /// <summary> Role definition list. </summary>
+        public IReadOnlyList<RoleDefinition> Value { get; }
+        /// <summary> The URL to use for getting the next set of results. </summary>
+        public string NextLink { get; }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
new file mode 100644
index 0000000000000..e358a916f8b87
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
@@ -0,0 +1,559 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Azure.Security.KeyVault.Administration.Models;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    internal partial class RoleAssignmentsRestClient
+    {
+        private string apiVersion;
+        private ClientDiagnostics _clientDiagnostics;
+        private HttpPipeline _pipeline;
+
+        /// <summary> Initializes a new instance of RoleAssignmentsRestClient. </summary>
+        /// <param name="clientDiagnostics"> The handler for diagnostic messaging in the client. </param>
+        /// <param name="pipeline"> The HTTP pipeline for sending and receiving REST requests and responses. </param>
+        /// <param name="apiVersion"> Api Version. </param>
+        /// <exception cref="ArgumentNullException"> This occurs when one of the required arguments is null. </exception>
+        public RoleAssignmentsRestClient(ClientDiagnostics clientDiagnostics, HttpPipeline pipeline, string apiVersion = "7.2-preview")
+        {
+            if (apiVersion == null)
+            {
+                throw new ArgumentNullException(nameof(apiVersion));
+            }
+
+            this.apiVersion = apiVersion;
+            _clientDiagnostics = clientDiagnostics;
+            _pipeline = pipeline;
+        }
+
+        internal HttpMessage CreateDeleteRequest(string vaultBaseUrl, string scope, string roleAssignmentName)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Delete;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments/", false);
+            uri.AppendPath(roleAssignmentName, true);
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Deletes a role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment to delete. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to delete. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignment>> DeleteAsync(string vaultBaseUrl, string scope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+
+            using var message = CreateDeleteRequest(vaultBaseUrl, scope, roleAssignmentName);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignment value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Deletes a role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment to delete. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to delete. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignment> Delete(string vaultBaseUrl, string scope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+
+            using var message = CreateDeleteRequest(vaultBaseUrl, scope, roleAssignmentName);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignment value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateCreateRequest(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentCreateParameters parameters)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Put;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments/", false);
+            uri.AppendPath(roleAssignmentName, true);
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            request.Headers.Add("Content-Type", "application/json");
+            using var content = new Utf8JsonRequestContent();
+            content.JsonWriter.WriteObjectValue(parameters);
+            request.Content = content;
+            return message;
+        }
+
+        /// <summary> Creates a role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to create. It can be any valid GUID. </param>
+        /// <param name="parameters"> Parameters for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignment>> CreateAsync(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentCreateParameters parameters, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+            if (parameters == null)
+            {
+                throw new ArgumentNullException(nameof(parameters));
+            }
+
+            using var message = CreateCreateRequest(vaultBaseUrl, scope, roleAssignmentName, parameters);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 201:
+                    {
+                        RoleAssignment value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Creates a role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to create. It can be any valid GUID. </param>
+        /// <param name="parameters"> Parameters for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignment> Create(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentCreateParameters parameters, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+            if (parameters == null)
+            {
+                throw new ArgumentNullException(nameof(parameters));
+            }
+
+            using var message = CreateCreateRequest(vaultBaseUrl, scope, roleAssignmentName, parameters);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 201:
+                    {
+                        RoleAssignment value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateGetRequest(string vaultBaseUrl, string scope, string roleAssignmentName)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments/", false);
+            uri.AppendPath(roleAssignmentName, true);
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Get the specified role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignment>> GetAsync(string vaultBaseUrl, string scope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+
+            using var message = CreateGetRequest(vaultBaseUrl, scope, roleAssignmentName);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignment value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Get the specified role assignment. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignment> Get(string vaultBaseUrl, string scope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+            if (roleAssignmentName == null)
+            {
+                throw new ArgumentNullException(nameof(roleAssignmentName));
+            }
+
+            using var message = CreateGetRequest(vaultBaseUrl, scope, roleAssignmentName);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignment value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignment.DeserializeRoleAssignment(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateListForScopeRequest(string vaultBaseUrl, string scope, string filter)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments", false);
+            if (filter != null)
+            {
+                uri.AppendQuery("$filter", filter, true);
+            }
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Gets role assignments for a scope. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignmentListResult>> ListForScopeAsync(string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListForScopeRequest(vaultBaseUrl, scope, filter);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignmentListResult value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignmentListResult.DeserializeRoleAssignmentListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Gets role assignments for a scope. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignmentListResult> ListForScope(string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListForScopeRequest(vaultBaseUrl, scope, filter);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignmentListResult value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignmentListResult.DeserializeRoleAssignmentListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateListForScopeNextPageRequest(string nextLink, string vaultBaseUrl, string scope, string filter)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendRawNextLink(nextLink, false);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Gets role assignments for a scope. </summary>
+        /// <param name="nextLink"> The URL to the next page of results. </param>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleAssignmentListResult>> ListForScopeNextPageAsync(string nextLink, string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (nextLink == null)
+            {
+                throw new ArgumentNullException(nameof(nextLink));
+            }
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListForScopeNextPageRequest(nextLink, vaultBaseUrl, scope, filter);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignmentListResult value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignmentListResult.DeserializeRoleAssignmentListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Gets role assignments for a scope. </summary>
+        /// <param name="nextLink"> The URL to the next page of results. </param>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleAssignmentListResult> ListForScopeNextPage(string nextLink, string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (nextLink == null)
+            {
+                throw new ArgumentNullException(nameof(nextLink));
+            }
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListForScopeNextPageRequest(nextLink, vaultBaseUrl, scope, filter);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleAssignmentListResult value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleAssignmentListResult.DeserializeRoleAssignmentListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleDefinitionsRestClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleDefinitionsRestClient.cs
new file mode 100644
index 0000000000000..7bcb0e5e32309
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleDefinitionsRestClient.cs
@@ -0,0 +1,239 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+// <auto-generated/>
+
+#nullable disable
+
+using System;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Azure.Security.KeyVault.Administration.Models;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    internal partial class RoleDefinitionsRestClient
+    {
+        private string apiVersion;
+        private ClientDiagnostics _clientDiagnostics;
+        private HttpPipeline _pipeline;
+
+        /// <summary> Initializes a new instance of RoleDefinitionsRestClient. </summary>
+        /// <param name="clientDiagnostics"> The handler for diagnostic messaging in the client. </param>
+        /// <param name="pipeline"> The HTTP pipeline for sending and receiving REST requests and responses. </param>
+        /// <param name="apiVersion"> Api Version. </param>
+        /// <exception cref="ArgumentNullException"> This occurs when one of the required arguments is null. </exception>
+        public RoleDefinitionsRestClient(ClientDiagnostics clientDiagnostics, HttpPipeline pipeline, string apiVersion = "7.2-preview")
+        {
+            if (apiVersion == null)
+            {
+                throw new ArgumentNullException(nameof(apiVersion));
+            }
+
+            this.apiVersion = apiVersion;
+            _clientDiagnostics = clientDiagnostics;
+            _pipeline = pipeline;
+        }
+
+        internal HttpMessage CreateListRequest(string vaultBaseUrl, string scope, string filter)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendPath("/", false);
+            uri.AppendPath(scope, false);
+            uri.AppendPath("/providers/Microsoft.Authorization/roleDefinitions", false);
+            if (filter != null)
+            {
+                uri.AppendQuery("$filter", filter, true);
+            }
+            uri.AppendQuery("api-version", apiVersion, true);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Get all role definitions that are applicable at scope and above. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleDefinitionListResult>> ListAsync(string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListRequest(vaultBaseUrl, scope, filter);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleDefinitionListResult value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleDefinitionListResult.DeserializeRoleDefinitionListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Get all role definitions that are applicable at scope and above. </summary>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleDefinitionListResult> List(string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListRequest(vaultBaseUrl, scope, filter);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleDefinitionListResult value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleDefinitionListResult.DeserializeRoleDefinitionListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+
+        internal HttpMessage CreateListNextPageRequest(string nextLink, string vaultBaseUrl, string scope, string filter)
+        {
+            var message = _pipeline.CreateMessage();
+            var request = message.Request;
+            request.Method = RequestMethod.Get;
+            var uri = new RawRequestUriBuilder();
+            uri.AppendRaw(vaultBaseUrl, false);
+            uri.AppendRawNextLink(nextLink, false);
+            request.Uri = uri;
+            return message;
+        }
+
+        /// <summary> Get all role definitions that are applicable at scope and above. </summary>
+        /// <param name="nextLink"> The URL to the next page of results. </param>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public async Task<Response<RoleDefinitionListResult>> ListNextPageAsync(string nextLink, string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (nextLink == null)
+            {
+                throw new ArgumentNullException(nameof(nextLink));
+            }
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListNextPageRequest(nextLink, vaultBaseUrl, scope, filter);
+            await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleDefinitionListResult value = default;
+                        using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleDefinitionListResult.DeserializeRoleDefinitionListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw await _clientDiagnostics.CreateRequestFailedExceptionAsync(message.Response).ConfigureAwait(false);
+            }
+        }
+
+        /// <summary> Get all role definitions that are applicable at scope and above. </summary>
+        /// <param name="nextLink"> The URL to the next page of results. </param>
+        /// <param name="vaultBaseUrl"> The vault name, for example https://myvault.vault.azure.net. </param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="filter"> The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public Response<RoleDefinitionListResult> ListNextPage(string nextLink, string vaultBaseUrl, string scope, string filter = null, CancellationToken cancellationToken = default)
+        {
+            if (nextLink == null)
+            {
+                throw new ArgumentNullException(nameof(nextLink));
+            }
+            if (vaultBaseUrl == null)
+            {
+                throw new ArgumentNullException(nameof(vaultBaseUrl));
+            }
+            if (scope == null)
+            {
+                throw new ArgumentNullException(nameof(scope));
+            }
+
+            using var message = CreateListNextPageRequest(nextLink, vaultBaseUrl, scope, filter);
+            _pipeline.Send(message, cancellationToken);
+            switch (message.Response.Status)
+            {
+                case 200:
+                    {
+                        RoleDefinitionListResult value = default;
+                        using var document = JsonDocument.Parse(message.Response.ContentStream);
+                        if (document.RootElement.ValueKind == JsonValueKind.Null)
+                        {
+                            value = null;
+                        }
+                        else
+                        {
+                            value = RoleDefinitionListResult.DeserializeRoleDefinitionListResult(document.RootElement);
+                        }
+                        return Response.FromValue(value, message.Response);
+                    }
+                default:
+                    throw _clientDiagnostics.CreateRequestFailedException(message.Response);
+            }
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultPermision.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultPermision.cs
new file mode 100644
index 0000000000000..ce27551d8d4b1
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultPermision.cs
@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    ///<inheritdoc/>
+    [CodeGenModel("Permission")]
+    public partial class KeyVaultPermission
+    {
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md
new file mode 100644
index 0000000000000..afd6a4a1cd9a9
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md
@@ -0,0 +1,14 @@
+# Azure.Security.KeyVault.Administration
+
+### AutoRest Configuration
+> see https://aka.ms/autorest
+
+Run `dotnet msbuild /t:GenerateCode` in src directory to re-generate.
+
+``` yaml
+title: Azure.Security.KeyVault.Administration
+input-file:
+    - https://raw.githubusercontent.com/Azure/azure-rest-api-specs/001730d4c5b19d69b1edf43894a1e931f9591e58/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2/rbac.json
+namespace: Azure.Security.KeyVault.Administration
+include-csproj: disable
+```
diff --git a/sdk/keyvault/Azure.Security.KeyVault.sln b/sdk/keyvault/Azure.Security.KeyVault.sln
index ad79a5064e3be..4e48bb29da62a 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.sln
+++ b/sdk/keyvault/Azure.Security.KeyVault.sln
@@ -25,7 +25,9 @@ Project("{D954291E-2A0B-460D-934E-DC6B0785DB48}") = "Azure.Security.KeyVault.Sha
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ApiCompat", "..\..\eng\ApiCompat\ApiCompat.csproj", "{A0C00A76-5F21-4664-A7B1-BE2DA201BF6E}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Azure.Core.TestFramework", "..\core\Azure.Core.TestFramework\src\Azure.Core.TestFramework.csproj", "{117730A7-49B1-4608-9A4C-77469BA5372F}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Core.TestFramework", "..\core\Azure.Core.TestFramework\src\Azure.Core.TestFramework.csproj", "{117730A7-49B1-4608-9A4C-77469BA5372F}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Azure.Security.KeyVault.Administration", "Azure.Security.KeyVault.Administration\Azure.Security.KeyVault.Administration.csproj", "{EE1064ED-C892-4763-B8C9-9BE2A768251B}"
 EndProject
 Global
 	GlobalSection(SharedMSBuildProjectFiles) = preSolution
@@ -83,6 +85,10 @@ Global
 		{117730A7-49B1-4608-9A4C-77469BA5372F}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{117730A7-49B1-4608-9A4C-77469BA5372F}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{117730A7-49B1-4608-9A4C-77469BA5372F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

From 5126cff2620e46cce723457df9f54c7b963bc3df Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Wed, 3 Jun 2020 12:09:19 -0500
Subject: [PATCH 02/20] cleanup

---
 .../src/AccessControlClient.cs                | 83 +++++++++++++------
 1 file changed, 56 insertions(+), 27 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
index a8fbed321ea36..17f4c0e2c46cd 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
@@ -29,9 +29,7 @@ public class AccessControlClient
         /// Initializes a new instance of the <see cref="AccessControlClient"/> class for mocking.
         /// </summary>
         protected AccessControlClient()
-        {
-
-        }
+        { }
 
         /// <summary>
         /// Initializes a new instance of the <see cref="AccessControlClient"/> class for the specified vault.
@@ -75,18 +73,8 @@ public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessContr
         /// <param name="scope"></param>
         /// <param name="cancellationToken"></param>
         /// <returns></returns>
-        public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, CancellationToken cancellationToken = default)
-        {
-            return PageableHelpers.CreateEnumerable(_ =>
-            {
-                var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.AbsoluteUri, cancellationToken: cancellationToken);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
-            }, (nextLink, _) =>
-            {
-                var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.AbsoluteUri, cancellationToken: cancellationToken);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
-            });
-        }
+        public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, CancellationToken cancellationToken = default) =>
+            GetRoleDefinitions(scope.AbsoluteUri, cancellationToken);
 
         /// <summary>
         /// Gets a list of <see cref="RoleDefinition"/>.
@@ -113,47 +101,88 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, Cancell
         /// <param name="scope"></param>
         /// <param name="cancellationToken"></param>
         /// <returns></returns>
-        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope, CancellationToken cancellationToken = default)
+        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope, CancellationToken cancellationToken = default) =>
+            GetRoleDefinitionsAsync(scope.AbsoluteUri, cancellationToken);
+
+        /// <summary>
+        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// </summary>
+        /// <param name="scope"></param>
+        /// <param name="cancellationToken"></param>
+        /// <returns></returns>
+        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
             {
-                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.AbsoluteUri, cancellationToken: cancellationToken)
+                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, async (nextLink, _) =>
             {
-                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.AbsoluteUri, cancellationToken: cancellationToken)
+                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
         }
 
         /// <summary>
-        /// Gets a list of <see cref="RoleDefinition"/>.
+        ///
         /// </summary>
         /// <param name="scope"></param>
         /// <param name="cancellationToken"></param>
         /// <returns></returns>
-        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scope, CancellationToken cancellationToken = default)
+        public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, CancellationToken cancellationToken = default) =>
+            GetRoleAssignments(scope.AbsoluteUri, cancellationToken);
+
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="scope"></param>
+        /// <param name="cancellationToken"></param>
+        /// <returns></returns>
+        public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, CancellationToken cancellationToken = default)
+        {
+            return PageableHelpers.CreateEnumerable(_ =>
+            {
+                var response = _assignmentsRestClient.ListForScope(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            }, (nextLink, _) =>
+            {
+                var response = _assignmentsRestClient.ListForScopeNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken);
+                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+            });
+        }
+
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="scope"></param>
+        /// <param name="cancellationToken"></param>
+        /// <returns></returns>
+        public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope, CancellationToken cancellationToken = default) =>
+            GetRoleAssignmentsAsync(scope.AbsoluteUri, cancellationToken);
+
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="scope"></param>
+        /// <param name="cancellationToken"></param>
+        /// <returns></returns>
+        public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
             {
-                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
+                var response = await _assignmentsRestClient.ListForScopeAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, async (nextLink, _) =>
             {
-                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
+                var response = await _assignmentsRestClient.ListForScopeNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
         }
 
-        // public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, CancellationToken cancellationToken = default) => null;
-        // public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, CancellationToken cancellationToken = default) => null;
-        // public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope, CancellationToken cancellationToken = default) => null;
-        // public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scope, CancellationToken cancellationToken = default) => null;
-
         // // The role assignment name will be created automatically. The swagger specification reads, "The name of the role assignment to create. It can be any valid GUID."
         // public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
         // public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;

From 9ba28442442736d8d250ace171b87f7b5cd95417 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Wed, 3 Jun 2020 13:59:03 -0500
Subject: [PATCH 03/20] implement the rest

---
 .../src/AccessControlClient.cs                | 115 ++++++++++++++----
 1 file changed, 89 insertions(+), 26 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
index 17f4c0e2c46cd..1c710d07edd21 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
@@ -68,16 +68,16 @@ public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessContr
         }
 
         /// <summary>
-        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// Get all role definitions that are applicable at scope and above.
         /// </summary>
-        /// <param name="scope"></param>
-        /// <param name="cancellationToken"></param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleDefinitions(scope.AbsoluteUri, cancellationToken);
 
         /// <summary>
-        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// Get all role definitions that are applicable at scope and above.
         /// </summary>
         /// <param name="scope"></param>
         /// <param name="cancellationToken"></param>
@@ -96,19 +96,19 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, Cancell
         }
 
         /// <summary>
-        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// Get all role definitions that are applicable at scope and above.
         /// </summary>
-        /// <param name="scope"></param>
-        /// <param name="cancellationToken"></param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleDefinitionsAsync(scope.AbsoluteUri, cancellationToken);
 
         /// <summary>
-        /// Gets a list of <see cref="RoleDefinition"/>.
+        /// Get all role definitions that are applicable at scope and above.
         /// </summary>
-        /// <param name="scope"></param>
-        /// <param name="cancellationToken"></param>
+        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scope, CancellationToken cancellationToken = default)
         {
@@ -126,7 +126,7 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scop
         }
 
         /// <summary>
-        ///
+        /// Gets the <see cref="RoleAssignment"/>s for a scope.
         /// </summary>
         /// <param name="scope"></param>
         /// <param name="cancellationToken"></param>
@@ -154,19 +154,19 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, Cancell
         }
 
         /// <summary>
-        ///
+        /// Gets the <see cref="RoleAssignment"/>s for a scope.
         /// </summary>
-        /// <param name="scope"></param>
-        /// <param name="cancellationToken"></param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleAssignmentsAsync(scope.AbsoluteUri, cancellationToken);
 
         /// <summary>
-        ///
+        /// Gets the <see cref="RoleAssignment"/>s for a scope.
         /// </summary>
-        /// <param name="scope"></param>
-        /// <param name="cancellationToken"></param>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scope, CancellationToken cancellationToken = default)
         {
@@ -183,16 +183,79 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scop
             });
         }
 
-        // // The role assignment name will be created automatically. The swagger specification reads, "The name of the role assignment to create. It can be any valid GUID."
-        // public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
-        // public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
-        // public virtual Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
-        // public virtual Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) => null;
+        /// <summary>
+        /// Creates a <see cref="RoleAssignment"/>.
+        /// </summary>
+        /// <returns></returns>
+        public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
+            CreateRoleAssignment(scope.AbsoluteUri, properties, cancellationToken);
+
+        /// <summary>
+        /// Creates a <see cref="RoleAssignment"/>.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <returns></returns>
+        public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters(properties), cancellationToken);
+
+        /// <summary>
+        /// Creates a <see cref="RoleAssignment"/>.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope.AbsoluteUri, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters(properties), cancellationToken)
+                .ConfigureAwait(false);
+
+        /// <summary>
+        /// Creates a <see cref="RoleAssignment"/>.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters(properties), cancellationToken)
+                .ConfigureAwait(false);
+
+        /// <summary>
+        /// Get the specified role assignment.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public virtual Response<RoleAssignment> GetRoleAssignment(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Get(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken);
 
-        // public virtual Response<RoleAssignment> GetRoleAssignment(string name, CancellationToken cancellationToken = default) => null;
-        // public virtual Task<Response<RoleAssignment>> GetRoleAssignmentAsync(string name, CancellationToken cancellation = default) => null;
+        /// <summary>
+        /// Get the specified role assignment.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken)
+                .ConfigureAwait(false);
 
-        // public virtual Response<RoleAssignment> DeleteRoleAssignment(string name, CancellationToken cancellationToken = default) => null;
-        // public virtual Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(string name, CancellationToken cancellation = default) => null;
+        /// <summary>
+        /// Delete the specified role assignment.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public virtual Response<RoleAssignment> DeleteRoleAssignment(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken);
+
+        /// <summary>
+        /// Delete the specified role assignment.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken)
+                .ConfigureAwait(false);
     }
 }

From 6cac6123b01784c2eb381f2cbec43e2bf6f682ad Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Wed, 3 Jun 2020 16:35:53 -0500
Subject: [PATCH 04/20] export api

---
 ....KeyVault.Administration.netstandard2.0.cs | 96 +++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
new file mode 100644
index 0000000000000..6725e0688677f
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -0,0 +1,96 @@
+namespace Azure.Security.KeyVault.Administration
+{
+    public partial class AccessControlClient
+    {
+        protected AccessControlClient() { }
+        public AccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential) { }
+        public AccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azure.Security.KeyVault.Administration.AccessControlClientOptions options) { }
+        public System.Uri VaultUri { get { throw null; } }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(System.Uri scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(System.Uri scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignment(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> GetRoleAssignmentAsync(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(System.Uri scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignmentsAsync(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignmentsAsync(System.Uri scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitions(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitions(System.Uri scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitionsAsync(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitionsAsync(System.Uri scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+    }
+    public partial class AccessControlClientOptions : Azure.Core.ClientOptions
+    {
+        public AccessControlClientOptions(Azure.Security.KeyVault.Administration.AccessControlClientOptions.ServiceVersion version = Azure.Security.KeyVault.Administration.AccessControlClientOptions.ServiceVersion.V7_2_Preview) { }
+        public Azure.Security.KeyVault.Administration.AccessControlClientOptions.ServiceVersion Version { get { throw null; } }
+        public enum ServiceVersion
+        {
+            V7_2_Preview = 1,
+        }
+    }
+}
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    public partial class KeyVaultPermission
+    {
+        internal KeyVaultPermission() { }
+        public System.Collections.Generic.IReadOnlyList<string> Actions { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<string> DataActions { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<string> NotActions { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<string> NotDataActions { get { throw null; } }
+    }
+    public partial class RoleAssignment
+    {
+        internal RoleAssignment() { }
+        public string Id { get { throw null; } }
+        public string Name { get { throw null; } }
+        public Azure.Security.KeyVault.Administration.Models.RoleAssignmentPropertiesWithScope Properties { get { throw null; } }
+        public string Type { get { throw null; } }
+    }
+    public partial class RoleAssignmentCreateParameters
+    {
+        public RoleAssignmentCreateParameters(Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties) { }
+        public Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties Properties { get { throw null; } }
+    }
+    public partial class RoleAssignmentListResult
+    {
+        internal RoleAssignmentListResult() { }
+        public string NextLink { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<Azure.Security.KeyVault.Administration.Models.RoleAssignment> Value { get { throw null; } }
+    }
+    public partial class RoleAssignmentProperties
+    {
+        public RoleAssignmentProperties(string roleDefinitionId, string principalId) { }
+        public string PrincipalId { get { throw null; } }
+        public string RoleDefinitionId { get { throw null; } }
+    }
+    public partial class RoleAssignmentPropertiesWithScope
+    {
+        internal RoleAssignmentPropertiesWithScope() { }
+        public string PrincipalId { get { throw null; } }
+        public string RoleDefinitionId { get { throw null; } }
+        public string Scope { get { throw null; } }
+    }
+    public partial class RoleDefinition
+    {
+        internal RoleDefinition() { }
+        public System.Collections.Generic.IReadOnlyList<string> AssignableScopes { get { throw null; } }
+        public string Description { get { throw null; } }
+        public string Id { get { throw null; } }
+        public string Name { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<Azure.Security.KeyVault.Administration.Models.KeyVaultPermission> Permissions { get { throw null; } }
+        public string RoleName { get { throw null; } }
+        public string RoleType { get { throw null; } }
+        public string Type { get { throw null; } }
+    }
+    public partial class RoleDefinitionListResult
+    {
+        internal RoleDefinitionListResult() { }
+        public string NextLink { get { throw null; } }
+        public System.Collections.Generic.IReadOnlyList<Azure.Security.KeyVault.Administration.Models.RoleDefinition> Value { get { throw null; } }
+    }
+}

From 1bc515070ecd5d47480b64b485d948ec6dc5e928 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 10:40:45 -0500
Subject: [PATCH 05/20] tests

---
 .../CHANGELOG.md                              |   2 +-
 ....KeyVault.Administration.netstandard2.0.cs |  10 +-
 .../readme.md                                 |   4 +
 .../src/AccessControlClient.cs                |  35 +-
 ...re.Security.KeyVault.Administration.csproj |   3 +-
 ...ssignmentCreateParameters.Serialization.cs |  23 -
 .../Models/RoleAssignmentCreateParameters.cs  |  30 --
 .../Generated/RoleAssignmentsRestClient.cs    |   6 +-
 .../src/KeyVaultAdministrationConstants.cs    |  22 +
 .../src/Properties/AssemblyInfo.cs            |   7 +
 .../src/autorest.md                           |   6 +-
 .../src/swagger/common.json                   |  73 +++
 .../src/swagger/rbac.json                     | 494 ++++++++++++++++++
 .../tests/AccessControlClientLiveTests.cs     | 110 ++++
 .../tests/AccessControlTestBase.cs            |  73 +++
 ...urity.KeyVault.Administration.Tests.csproj |  23 +
 .../src/Properties/AssemblyInfo.cs            |   2 +-
 sdk/keyvault/Azure.Security.KeyVault.sln      |  10 +-
 18 files changed, 859 insertions(+), 74 deletions(-)
 delete mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.Serialization.cs
 delete mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationConstants.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Properties/AssemblyInfo.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/common.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/rbac.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
index a7611de6197e6..245e6afd18ccc 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
@@ -1,3 +1,3 @@
 # Release History
 
-## 4.2.0-preview.1 (Unreleased)
+## 4.1.0-preview.1 (Unreleased)
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
index 6725e0688677f..e172dff9aa6a5 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -11,7 +11,9 @@ public AccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential crede
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(System.Uri scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(System.Uri scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(System.Uri scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignment(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> GetRoleAssignmentAsync(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
@@ -32,6 +34,9 @@ public enum ServiceVersion
             V7_2_Preview = 1,
         }
     }
+    public static partial class KeyVaultAdministrationConstants
+    {
+    }
 }
 namespace Azure.Security.KeyVault.Administration.Models
 {
@@ -51,11 +56,6 @@ internal RoleAssignment() { }
         public Azure.Security.KeyVault.Administration.Models.RoleAssignmentPropertiesWithScope Properties { get { throw null; } }
         public string Type { get { throw null; } }
     }
-    public partial class RoleAssignmentCreateParameters
-    {
-        public RoleAssignmentCreateParameters(Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties) { }
-        public Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties Properties { get { throw null; } }
-    }
     public partial class RoleAssignmentListResult
     {
         internal RoleAssignmentListResult() { }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
index 71bb904a73dba..6c95bb96d4d9b 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/readme.md
@@ -6,6 +6,10 @@ Content forthcoming
 
 Content forthcoming
 
+### Prerequisites
+
+Content forthcoming
+
 ### Install the package
 
 Content forthcoming
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
index 1c710d07edd21..105b19c0c6c86 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
@@ -74,7 +74,7 @@ public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessContr
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, CancellationToken cancellationToken = default) =>
-            GetRoleDefinitions(scope.AbsoluteUri, cancellationToken);
+            GetRoleDefinitions(scope.AbsolutePath, cancellationToken);
 
         /// <summary>
         /// Get all role definitions that are applicable at scope and above.
@@ -102,7 +102,7 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, Cancell
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope, CancellationToken cancellationToken = default) =>
-            GetRoleDefinitionsAsync(scope.AbsoluteUri, cancellationToken);
+            GetRoleDefinitionsAsync(scope.AbsolutePath, cancellationToken);
 
         /// <summary>
         /// Get all role definitions that are applicable at scope and above.
@@ -132,7 +132,7 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scop
         /// <param name="cancellationToken"></param>
         /// <returns></returns>
         public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, CancellationToken cancellationToken = default) =>
-            GetRoleAssignments(scope.AbsoluteUri, cancellationToken);
+            GetRoleAssignments(scope.AbsolutePath, cancellationToken);
 
         /// <summary>
         ///
@@ -160,7 +160,7 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, Cancell
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope, CancellationToken cancellationToken = default) =>
-            GetRoleAssignmentsAsync(scope.AbsoluteUri, cancellationToken);
+            GetRoleAssignmentsAsync(scope.AbsolutePath, cancellationToken);
 
         /// <summary>
         /// Gets the <see cref="RoleAssignment"/>s for a scope.
@@ -188,7 +188,7 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scop
         /// </summary>
         /// <returns></returns>
         public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            CreateRoleAssignment(scope.AbsoluteUri, properties, cancellationToken);
+            CreateRoleAssignment(scope.AbsolutePath, properties, cancellationToken);
 
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
@@ -198,7 +198,7 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssi
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
         public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters(properties), cancellationToken);
+            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), properties, cancellationToken);
 
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
@@ -207,7 +207,7 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleA
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope.AbsoluteUri, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters(properties), cancellationToken)
+            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope.AbsolutePath, Guid.NewGuid().ToString(), properties, cancellationToken)
                 .ConfigureAwait(false);
 
         /// <summary>
@@ -217,7 +217,7 @@ public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Ur
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters(properties), cancellationToken)
+            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), properties, cancellationToken)
                 .ConfigureAwait(false);
 
         /// <summary>
@@ -239,6 +239,25 @@ public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(strin
             await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken)
                 .ConfigureAwait(false);
 
+        /// <summary>
+        /// Delete the specified role assignment.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public virtual Response<RoleAssignment> DeleteRoleAssignment(Uri scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, scope.AbsolutePath, roleAssignmentName, cancellationToken);
+
+        /// <summary>
+        /// Delete the specified role assignment.
+        /// </summary>
+        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(Uri scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope.AbsolutePath, roleAssignmentName, cancellationToken)
+                .ConfigureAwait(false);
+
         /// <summary>
         /// Delete the specified role assignment.
         /// </summary>
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
index 86f635d1a7aa1..3698c312b5ac5 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
@@ -3,7 +3,7 @@
 <PropertyGroup>
     <Description>This is the Microsoft Azure Key Vault Administration client library</Description>
     <AssemblyTitle>Microsoft Azure.Security.KeyVault.Administration client library</AssemblyTitle>
-    <Version>4.2.0-preview.1</Version>
+    <Version>4.1.0-preview.2</Version>
     <PackageTags>Microsoft Azure Key Vault Administration;$(PackageCommonTags)</PackageTags>
     <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
     <EnableApiCompat>false</EnableApiCompat>
@@ -23,6 +23,7 @@
     <Compile Include="$(AzureCoreSharedSources)Argument.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)ArrayBufferWriter.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)AzureKeyCredentialPolicy.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)AzureResourceProviderNamespaceAttribute.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)ClientDiagnostics.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)ContentTypeUtilities.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)DiagnosticScope.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.Serialization.cs
deleted file mode 100644
index e1405bf052907..0000000000000
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.Serialization.cs
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-// <auto-generated/>
-
-#nullable disable
-
-using System.Text.Json;
-using Azure.Core;
-
-namespace Azure.Security.KeyVault.Administration.Models
-{
-    public partial class RoleAssignmentCreateParameters : IUtf8JsonSerializable
-    {
-        void IUtf8JsonSerializable.Write(Utf8JsonWriter writer)
-        {
-            writer.WriteStartObject();
-            writer.WritePropertyName("properties");
-            writer.WriteObjectValue(Properties);
-            writer.WriteEndObject();
-        }
-    }
-}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.cs
deleted file mode 100644
index 373046729fa42..0000000000000
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentCreateParameters.cs
+++ /dev/null
@@ -1,30 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-// <auto-generated/>
-
-#nullable disable
-
-using System;
-
-namespace Azure.Security.KeyVault.Administration.Models
-{
-    /// <summary> Role assignment create parameters. </summary>
-    public partial class RoleAssignmentCreateParameters
-    {
-        /// <summary> Initializes a new instance of RoleAssignmentCreateParameters. </summary>
-        /// <param name="properties"> Role assignment properties. </param>
-        public RoleAssignmentCreateParameters(RoleAssignmentProperties properties)
-        {
-            if (properties == null)
-            {
-                throw new ArgumentNullException(nameof(properties));
-            }
-
-            Properties = properties;
-        }
-
-        /// <summary> Role assignment properties. </summary>
-        public RoleAssignmentProperties Properties { get; }
-    }
-}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
index e358a916f8b87..7f0d8f6861e58 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
@@ -141,7 +141,7 @@ public Response<RoleAssignment> Delete(string vaultBaseUrl, string scope, string
             }
         }
 
-        internal HttpMessage CreateCreateRequest(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentCreateParameters parameters)
+        internal HttpMessage CreateCreateRequest(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentProperties parameters)
         {
             var message = _pipeline.CreateMessage();
             var request = message.Request;
@@ -167,7 +167,7 @@ internal HttpMessage CreateCreateRequest(string vaultBaseUrl, string scope, stri
         /// <param name="roleAssignmentName"> The name of the role assignment to create. It can be any valid GUID. </param>
         /// <param name="parameters"> Parameters for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        public async Task<Response<RoleAssignment>> CreateAsync(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentCreateParameters parameters, CancellationToken cancellationToken = default)
+        public async Task<Response<RoleAssignment>> CreateAsync(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentProperties parameters, CancellationToken cancellationToken = default)
         {
             if (vaultBaseUrl == null)
             {
@@ -215,7 +215,7 @@ public async Task<Response<RoleAssignment>> CreateAsync(string vaultBaseUrl, str
         /// <param name="roleAssignmentName"> The name of the role assignment to create. It can be any valid GUID. </param>
         /// <param name="parameters"> Parameters for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        public Response<RoleAssignment> Create(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentCreateParameters parameters, CancellationToken cancellationToken = default)
+        public Response<RoleAssignment> Create(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentProperties parameters, CancellationToken cancellationToken = default)
         {
             if (vaultBaseUrl == null)
             {
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationConstants.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationConstants.cs
new file mode 100644
index 0000000000000..c95381f243519
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationConstants.cs
@@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Azure.Security.KeyVault.Administration
+{
+    /// <summary>
+    /// Constant values for KeyVault Administration.
+    /// </summary>
+    public static class KeyVaultAdministrationConstants
+    {
+        internal static class Scopes
+        {
+            /// <summary>
+            /// The root scope.
+            /// </summary>
+            public const string Root = "/";
+            public const string Keys = "/keys";
+        }
+
+    }
+
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Properties/AssemblyInfo.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Properties/AssemblyInfo.cs
new file mode 100644
index 0000000000000..69449656bbeee
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Properties/AssemblyInfo.cs
@@ -0,0 +1,7 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("Azure.Security.KeyVault.Administration.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100d15ddcb29688295338af4b7686603fe614abd555e09efba8fb88ee09e1f7b1ccaeed2e8f823fa9eef3fdd60217fc012ea67d2479751a0b8c087a4185541b851bd8b16f8d91b840e51b1cb0ba6fe647997e57429265e85ef62d565db50a69ae1647d54d7bd855e4db3d8a91510e5bcbd0edfbbecaa20a7bd9ae74593daa7b11b4")]
+[assembly: Azure.Core.AzureResourceProviderNamespace("Microsoft.KeyVault")]
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md
index afd6a4a1cd9a9..11efca6e4e92b 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/autorest.md
@@ -8,7 +8,11 @@ Run `dotnet msbuild /t:GenerateCode` in src directory to re-generate.
 ``` yaml
 title: Azure.Security.KeyVault.Administration
 input-file:
-    - https://raw.githubusercontent.com/Azure/azure-rest-api-specs/001730d4c5b19d69b1edf43894a1e931f9591e58/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2/rbac.json
+    - $(this-folder)/swagger/rbac.json
 namespace: Azure.Security.KeyVault.Administration
 include-csproj: disable
 ```
+
+Note the input file should be restored to 
+the below path pending a service fix.
+https://raw.githubusercontent.com/Azure/azure-rest-api-specs/001730d4c5b19d69b1edf43894a1e931f9591e58/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2/rbac.json
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/common.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/common.json
new file mode 100644
index 0000000000000..6b913677029b5
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/common.json
@@ -0,0 +1,73 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "KeyVaultClient",
+    "description": "The key vault client performs cryptographic key operations and vault operations against the Key Vault service.",
+    "version": "7.2-preview"
+  },
+  "paths": {},
+  "definitions": {
+    "Attributes": {
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Determines whether the object is enabled."
+        },
+        "nbf": {
+          "x-ms-client-name": "NotBefore",
+          "type": "integer",
+          "format": "unixtime",
+          "description": "Not before date in UTC."
+        },
+        "exp": {
+          "x-ms-client-name": "Expires",
+          "type": "integer",
+          "format": "unixtime",
+          "description": "Expiry date in UTC."
+        },
+        "created": {
+          "type": "integer",
+          "format": "unixtime",
+          "readOnly": true,
+          "description": "Creation time in UTC."
+        },
+        "updated": {
+          "type": "integer",
+          "format": "unixtime",
+          "readOnly": true,
+          "description": "Last updated time in UTC."
+        }
+      },
+      "description": "The object attributes managed by the KeyVault service."
+    },
+    "KeyVaultError": {
+      "properties": {
+        "error": {
+          "readOnly": true,
+          "$ref": "#/definitions/Error"
+        }
+      },
+      "description": "The key vault error exception."
+    },
+    "Error": {
+      "properties": {
+        "code": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The error code."
+        },
+        "message": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The error message."
+        },
+        "innererror": {
+          "x-ms-client-name": "innerError",
+          "readOnly": true,
+          "$ref": "#/definitions/Error"
+        }
+      },
+      "description": "The key vault server error."
+    }
+  }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/rbac.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/rbac.json
new file mode 100644
index 0000000000000..8b4e73deb39e4
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/swagger/rbac.json
@@ -0,0 +1,494 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "KeyVaultClient",
+    "description": "The key vault client performs cryptographic key operations and vault operations against the Key Vault service.",
+    "version": "7.2-preview"
+  },
+  "x-ms-parameterized-host": {
+    "hostTemplate": "{vaultBaseUrl}",
+    "useSchemePrefix": false,
+    "positionInOperation": "first",
+    "parameters": [
+      {
+        "name": "vaultBaseUrl",
+        "description": "The vault name, for example https://myvault.vault.azure.net.",
+        "required": true,
+        "type": "string",
+        "in": "path",
+        "x-ms-skip-url-encoding": true
+      }
+    ]
+  },
+  "consumes": [
+    "application/json"
+  ],
+  "produces": [
+    "application/json"
+  ],
+  "paths": {
+    "/{scope}/providers/Microsoft.Authorization/roleDefinitions": {
+      "get": {
+        "tags": [
+          "RoleDefinitions"
+        ],
+        "operationId": "RoleDefinitions_List",
+        "description": "Get all role definitions that are applicable at scope and above.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role definition.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "$filter",
+            "in": "query",
+            "required": false,
+            "type": "string",
+            "description": "The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK - Returns an array of role definitions.",
+            "schema": {
+              "$ref": "#/definitions/RoleDefinitionListResult"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-pageable": {
+          "nextLinkName": "nextLink"
+        },
+        "x-ms-examples": {
+          "ListRoleDefinitions": {
+            "$ref": "./examples/ListRoleDefinitions-example.json"
+          }
+        },
+        "x-ms-odata": "#/definitions/RoleDefinitionFilter"
+      }
+    },
+    "/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}": {
+      "delete": {
+        "tags": [
+          "RoleAssignments"
+        ],
+        "operationId": "RoleAssignments_Delete",
+        "description": "Deletes a role assignment.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role assignment to delete.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "roleAssignmentName",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The name of the role assignment to delete."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK - Returns information about the role assignment.",
+            "schema": {
+              "$ref": "#/definitions/RoleAssignment"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "DeleteRoleAssignments": {
+            "$ref": "./examples/DeleteRoleAssignments-example.json"
+          }
+        }
+      },
+      "put": {
+        "tags": [
+          "RoleAssignments"
+        ],
+        "operationId": "RoleAssignments_Create",
+        "description": "Creates a role assignment.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role assignment to create.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "roleAssignmentName",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The name of the role assignment to create. It can be any valid GUID."
+          },
+          {
+            "name": "parameters",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/RoleAssignmentProperties"
+            },
+            "description": "Parameters for the role assignment."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": "Created - Returns information about the role assignment.",
+            "schema": {
+              "$ref": "#/definitions/RoleAssignment"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "PutRoleAssignments": {
+            "$ref": "./examples/PutRoleAssignments-example.json"
+          }
+        }
+      },
+      "get": {
+        "tags": [
+          "RoleAssignments"
+        ],
+        "operationId": "RoleAssignments_Get",
+        "description": "Get the specified role assignment.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role assignment.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "roleAssignmentName",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The name of the role assignment to get."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK - Returns information about the role assignment.",
+            "schema": {
+              "$ref": "#/definitions/RoleAssignment"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "GetRoleAssignments": {
+            "$ref": "./examples/GetRoleAssignments-example.json"
+          }
+        }
+      }
+    },
+    "/{scope}/providers/Microsoft.Authorization/roleAssignments": {
+      "get": {
+        "tags": [
+          "RoleAssignments"
+        ],
+        "operationId": "RoleAssignments_ListForScope",
+        "description": "Gets role assignments for a scope.",
+        "parameters": [
+          {
+            "name": "scope",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The scope of the role assignments.",
+            "x-ms-skip-url-encoding": true
+          },
+          {
+            "name": "$filter",
+            "in": "query",
+            "required": false,
+            "type": "string",
+            "description": "The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK - Returns an array of role assignments.",
+            "schema": {
+              "$ref": "#/definitions/RoleAssignmentListResult"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-pageable": {
+          "nextLinkName": "nextLink"
+        },
+        "x-ms-examples": {
+          "ListRoleAssignments": {
+            "$ref": "./examples/ListRoleAssignments-example.json"
+          }
+        },
+        "x-ms-odata": "#/definitions/RoleAssignmentFilter"
+      }
+    }
+  },
+  "definitions": {
+    "RoleAssignmentFilter": {
+      "properties": {
+        "principalId": {
+          "type": "string",
+          "description": "Returns role assignment of the specific principal."
+        }
+      },
+      "description": "Role Assignments filter"
+    },
+    "RoleAssignmentPropertiesWithScope": {
+      "properties": {
+        "scope": {
+          "type": "string",
+          "description": "The role assignment scope."
+        },
+        "roleDefinitionId": {
+          "type": "string",
+          "description": "The role definition ID."
+        },
+        "principalId": {
+          "type": "string",
+          "description": "The principal ID."
+        }
+      },
+      "description": "Role assignment properties with scope."
+    },
+    "RoleAssignment": {
+      "properties": {
+        "id": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role assignment ID."
+        },
+        "name": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role assignment name."
+        },
+        "type": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role assignment type."
+        },
+        "properties": {
+          "$ref": "#/definitions/RoleAssignmentPropertiesWithScope",
+          "description": "Role assignment properties."
+        }
+      },
+      "description": "Role Assignments"
+    },
+    "RoleAssignmentListResult": {
+      "properties": {
+        "value": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/RoleAssignment"
+          },
+          "description": "Role assignment list."
+        },
+        "nextLink": {
+          "type": "string",
+          "description": "The URL to use for getting the next set of results."
+        }
+      },
+      "description": "Role assignment list operation result."
+    },
+    "RoleAssignmentProperties": {
+      "type":"object",
+      "properties": {
+        "roleDefinitionId": {
+          "type": "string",
+          "description": "The role definition ID used in the role assignment."
+        },
+        "principalId": {
+          "type": "string",
+          "description": "The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group."
+        }
+      },
+      "required": [
+        "roleDefinitionId",
+        "principalId"
+      ],
+      "description": "Role assignment properties."
+    },
+    "RoleDefinitionFilter": {
+      "properties": {
+        "roleName": {
+          "type": "string",
+          "description": "Returns role definition with the specific name."
+        }
+      },
+      "description": "Role Definitions filter"
+    },
+    "Permission": {
+      "properties": {
+        "actions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Allowed actions."
+        },
+        "notActions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Denied actions."
+        },
+        "dataActions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Allowed Data actions."
+        },
+        "notDataActions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Denied Data actions."
+        }
+      },
+      "description": "Role definition permissions."
+    },
+    "RoleDefinitionProperties": {
+      "properties": {
+        "roleName": {
+          "type": "string",
+          "description": "The role name."
+        },
+        "description": {
+          "type": "string",
+          "description": "The role definition description."
+        },
+        "type": {
+          "type": "string",
+          "description": "The role type.",
+          "x-ms-client-name": "roleType"
+        },
+        "permissions": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Permission"
+          },
+          "description": "Role definition permissions."
+        },
+        "assignableScopes": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Role definition assignable scopes."
+        }
+      },
+      "description": "Role definition properties."
+    },
+    "RoleDefinition": {
+      "properties": {
+        "id": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role definition ID."
+        },
+        "name": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role definition name."
+        },
+        "type": {
+          "type": "string",
+          "readOnly": true,
+          "description": "The role definition type."
+        },
+        "properties": {
+          "x-ms-client-flatten": true,
+          "$ref": "#/definitions/RoleDefinitionProperties",
+          "description": "Role definition properties."
+        }
+      },
+      "description": "Role definition."
+    },
+    "RoleDefinitionListResult": {
+      "properties": {
+        "value": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/RoleDefinition"
+          },
+          "description": "Role definition list."
+        },
+        "nextLink": {
+          "type": "string",
+          "description": "The URL to use for getting the next set of results."
+        }
+      },
+      "description": "Role definition list operation result."
+    }
+  },
+  "parameters": {
+    "ApiVersionParameter": {
+      "name": "api-version",
+      "in": "query",
+      "required": true,
+      "type": "string",
+      "description": "Client API version."
+    }
+  }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
new file mode 100644
index 0000000000000..021bc285c91c0
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
@@ -0,0 +1,110 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Azure.Core.TestFramework;
+using Azure.Security.KeyVault.Administration.Models;
+using static Azure.Security.KeyVault.Administration.KeyVaultAdministrationConstants;
+using NUnit.Framework;
+using System.Linq;
+
+namespace Azure.Security.KeyVault.Administration.Tests
+{
+    [Ignore("Working out permissions issues to the resource")]
+    public class AccessControlClientLiveTests : AccessControlTestBase
+    {
+        private const string pricipalID = "4ae6842b-2a3e-4919-8305-7db89f3d6edd";
+        private const string roleName = "Azure Key Vault Managed HSM Administrator";
+
+        public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Record /* To record tests, add this argument, RecordedTestMode.Record */)
+        { }
+
+        [SetUp]
+        public void ClearChallengeCacheforRecord()
+        {
+            // in record mode we reset the challenge cache before each test so that the challenge call
+            // is always made.  This allows tests to be replayed independently and in any order
+            if (Mode == RecordedTestMode.Record || Mode == RecordedTestMode.Playback)
+            {
+                Client = GetClient();
+
+                ChallengeBasedAuthenticationPolicy.AuthenticationChallenge.ClearCache();
+            }
+        }
+
+        [Test]
+        public async Task GetRoleDefinitions()
+        {
+            List<RoleDefinition> results = await Client.GetRoleDefinitionsAsync(Scopes.Root).ToEnumerableAsync().ConfigureAwait(false);
+
+            Assert.That(results.Count, Is.Not.Zero);
+            Assert.That(results[0].AssignableScopes, Is.Not.Empty);
+            Assert.That(results[0].Description, Is.Not.Null);
+            Assert.That(results[0].Id, Is.Not.Null);
+            Assert.That(results[0].Name, Is.Not.Null);
+            Assert.That(results[0].Permissions, Is.Not.Empty);
+            Assert.That(results[0].RoleName, Is.Not.Null);
+            Assert.That(results[0].RoleType, Is.Not.Null);
+            Assert.That(results[0].Type, Is.Not.Null);
+        }
+
+        [Test]
+        public async Task CreateRoleAssignment()
+        {
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(Scopes.Root).ToEnumerableAsync().ConfigureAwait(false);
+            var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
+
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
+            RoleAssignment result = await Client.CreateRoleAssignmentAsync(Scopes.Root, properties).ConfigureAwait(false);
+
+            RegisterForCleanup(result);
+
+            Assert.That(result.Id, Is.Not.Null);
+            Assert.That(result.Name, Is.Not.Null);
+            Assert.That(result.Type, Is.Not.Null);
+            Assert.That(result.Properties.PrincipalId, Is.EqualTo(properties.PrincipalId));
+            Assert.That(result.Properties.RoleDefinitionId, Is.EqualTo(properties.RoleDefinitionId));
+        }
+
+        [Test]
+        public async Task GetRoleAssignment()
+        {
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(Scopes.Root).ToEnumerableAsync().ConfigureAwait(false);
+            var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
+
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(Scopes.Root, properties).ConfigureAwait(false);
+
+            RegisterForCleanup(assignment);
+
+            RoleAssignment result = await Client.GetRoleAssignmentAsync(Scopes.Root, assignment.Name).ConfigureAwait(false);
+
+            Assert.That(result.Id, Is.EqualTo(assignment.Id));
+            Assert.That(result.Name, Is.EqualTo(assignment.Name));
+            Assert.That(result.Type, Is.EqualTo(assignment.Type));
+            Assert.That(result.Properties.PrincipalId, Is.EqualTo(assignment.Properties.PrincipalId));
+            Assert.That(result.Properties.RoleDefinitionId, Is.EqualTo(assignment.Properties.RoleDefinitionId));
+            Assert.That(result.Properties.Scope, Is.EqualTo(assignment.Properties.Scope));
+        }
+
+        [Test]
+        public async Task DeleteRoleAssignment()
+        {
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(Scopes.Root).ToEnumerableAsync().ConfigureAwait(false);
+            var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
+
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(Scopes.Root, properties).ConfigureAwait(false);
+
+            RoleAssignment result = await Client.DeleteRoleAssignmentAsync(Scopes.Root, assignment.Name).ConfigureAwait(false);
+
+            Assert.That(result.Id, Is.EqualTo(assignment.Id));
+            Assert.That(result.Name, Is.EqualTo(assignment.Name));
+            Assert.That(result.Type, Is.EqualTo(assignment.Type));
+            Assert.That(result.Properties.PrincipalId, Is.EqualTo(assignment.Properties.PrincipalId));
+            Assert.That(result.Properties.RoleDefinitionId, Is.EqualTo(assignment.Properties.RoleDefinitionId));
+            Assert.That(result.Properties.Scope, Is.EqualTo(assignment.Properties.Scope));
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
new file mode 100644
index 0000000000000..9bc01902a2f26
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
@@ -0,0 +1,73 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Concurrent;
+using System.Threading.Tasks;
+using Azure.Core.TestFramework;
+using Azure.Security.KeyVault.Administration.Models;
+using Azure.Security.KeyVault.Tests;
+using NUnit.Framework;
+
+namespace Azure.Security.KeyVault.Administration.Tests
+{
+    public class AccessControlTestBase : RecordedTestBase<KeyVaultTestEnvironment>
+    {
+        public AccessControlClient Client { get; set; }
+
+        public Uri VaultUri { get; set; }
+
+        private readonly ConcurrentQueue<(string Name, string Scope)> _roleAssignmentsToDelete = new ConcurrentQueue<(string Name, string Scope)>();
+
+        public AccessControlTestBase(bool isAsync, RecordedTestMode mode) : base(isAsync, mode)
+        { }
+
+        public AccessControlTestBase(bool isAsync) : base(isAsync)
+        { }
+
+        internal AccessControlClient GetClient(TestRecording recording = null)
+        {
+            recording ??= Recording;
+
+            return InstrumentClient
+                (new AccessControlClient(
+                    new Uri(TestEnvironment.KeyVaultUrl),
+                    TestEnvironment.Credential,
+                    recording.InstrumentClientOptions(new AccessControlClientOptions())));
+        }
+
+        [OneTimeTearDown]
+        public async Task Cleanup()
+        {
+            // Start deleting resources as soon as possible.
+            while (_roleAssignmentsToDelete.TryDequeue(out var assignment))
+            {
+                await DeleteRoleAssignment(assignment);
+            }
+        }
+
+        protected async Task DeleteRoleAssignment((string Name, string Scope) assignment)
+        {
+            if (Mode == RecordedTestMode.Playback)
+            {
+                return;
+            }
+
+            try
+            {
+                using (Recording.DisableRecording())
+                {
+                    await Client.DeleteRoleAssignmentAsync(assignment.Scope, assignment.Name).ConfigureAwait(false);
+                }
+            }
+            catch (RequestFailedException ex) when (ex.Status == 404)
+            {
+            }
+        }
+
+        protected void RegisterForCleanup(RoleAssignment assignment)
+        {
+            _roleAssignmentsToDelete.Enqueue((assignment.Name, assignment.Properties.Scope));
+        }
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj
new file mode 100644
index 0000000000000..2cc30840b1fe4
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj
@@ -0,0 +1,23 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="nunit" />
+    <PackageReference Include="NUnit3TestAdapter" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" />
+    <PackageReference Include="Moq" />
+    <PackageReference Include="BenchmarkDotNet" />
+    <PackageReference Include="System.Text.Json" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="$(AzureCoreTestFramework)" />
+    <ProjectReference Include="..\src\Azure.Security.KeyVault.Administration.csproj" />
+  </ItemGroup>
+
+  <Import Project="..\..\Azure.Security.KeyVault.Shared\tests\Azure.Security.KeyVault.Shared.Tests.projitems" Label="Shared" />
+</Project>
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Properties/AssemblyInfo.cs b/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Properties/AssemblyInfo.cs
index abdacc44c67fe..7f100c106077d 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Properties/AssemblyInfo.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Properties/AssemblyInfo.cs
@@ -4,4 +4,4 @@
 using System.Runtime.CompilerServices;
 
 [assembly: InternalsVisibleTo("Azure.Security.KeyVault.Secrets.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100d15ddcb29688295338af4b7686603fe614abd555e09efba8fb88ee09e1f7b1ccaeed2e8f823fa9eef3fdd60217fc012ea67d2479751a0b8c087a4185541b851bd8b16f8d91b840e51b1cb0ba6fe647997e57429265e85ef62d565db50a69ae1647d54d7bd855e4db3d8a91510e5bcbd0edfbbecaa20a7bd9ae74593daa7b11b4")]
-[assembly: Azure.Core.AzureResourceProviderNamespace("Microsoft.KeyVault")]
\ No newline at end of file
+[assembly: Azure.Core.AzureResourceProviderNamespace("Microsoft.KeyVault")]
diff --git a/sdk/keyvault/Azure.Security.KeyVault.sln b/sdk/keyvault/Azure.Security.KeyVault.sln
index 4e48bb29da62a..3a04f29c73d91 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.sln
+++ b/sdk/keyvault/Azure.Security.KeyVault.sln
@@ -27,7 +27,9 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ApiCompat", "..\..\eng\ApiC
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Core.TestFramework", "..\core\Azure.Core.TestFramework\src\Azure.Core.TestFramework.csproj", "{117730A7-49B1-4608-9A4C-77469BA5372F}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Azure.Security.KeyVault.Administration", "Azure.Security.KeyVault.Administration\Azure.Security.KeyVault.Administration.csproj", "{EE1064ED-C892-4763-B8C9-9BE2A768251B}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Security.KeyVault.Administration", "Azure.Security.KeyVault.Administration\src\Azure.Security.KeyVault.Administration.csproj", "{EE1064ED-C892-4763-B8C9-9BE2A768251B}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Security.KeyVault.Administration.Tests", "Azure.Security.KeyVault.Administration\tests\Azure.Security.KeyVault.Administration.Tests.csproj", "{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}"
 EndProject
 Global
 	GlobalSection(SharedMSBuildProjectFiles) = preSolution
@@ -39,6 +41,8 @@ Global
 		Azure.Security.KeyVault.Shared\tests\Azure.Security.KeyVault.Shared.Tests.projitems*{b404190b-c1d4-4655-99d4-45cb6532806b}*SharedItemsImports = 5
 		Azure.Security.KeyVault.Shared\tests\Azure.Security.KeyVault.Shared.Tests.projitems*{c361b52f-cd94-465d-aa79-1b2c0461a166}*SharedItemsImports = 5
 		Azure.Security.KeyVault.Shared\src\Azure.Security.KeyVault.Shared.projitems*{e74dabdd-50b0-475c-b83a-44465cf5515c}*SharedItemsImports = 5
+		Azure.Security.KeyVault.Shared\src\Azure.Security.KeyVault.Shared.projitems*{ee1064ed-c892-4763-b8c9-9be2a768251b}*SharedItemsImports = 5
+		Azure.Security.KeyVault.Shared\tests\Azure.Security.KeyVault.Shared.Tests.projitems*{f2e6bd61-6a15-4f1b-a1a4-43e2af274ad5}*SharedItemsImports = 5
 	EndGlobalSection
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -89,6 +93,10 @@ Global
 		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{EE1064ED-C892-4763-B8C9-9BE2A768251B}.Release|Any CPU.Build.0 = Release|Any CPU
+		{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F2E6BD61-6A15-4F1B-A1A4-43E2AF274AD5}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

From fe0826338cf227bd5ef21992d0e9b9756718738f Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 11:57:05 -0500
Subject: [PATCH 06/20] recorded tests

---
 ....KeyVault.Administration.netstandard2.0.cs |   4 +-
 .../src/AccessControlClient.cs                |  44 ++-
 .../tests/AccessControlClientLiveTests.cs     |  10 +-
 .../tests/AccessControlTestBase.cs            |   2 +-
 .../CreateRoleAssignment.json                 | 238 +++++++++++++++
 .../CreateRoleAssignmentAsync.json            | 238 +++++++++++++++
 .../DeleteRoleAssignment.json                 | 272 ++++++++++++++++++
 .../DeleteRoleAssignmentAsync.json            | 272 ++++++++++++++++++
 .../GetRoleAssignment.json                    | 272 ++++++++++++++++++
 .../GetRoleAssignmentAsync.json               | 272 ++++++++++++++++++
 .../GetRoleDefinitions.json                   | 199 +++++++++++++
 .../GetRoleDefinitionsAsync.json              | 199 +++++++++++++
 12 files changed, 2014 insertions(+), 8 deletions(-)
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitions.json
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitionsAsync.json

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
index e172dff9aa6a5..afc91c97290f1 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -5,10 +5,12 @@ public partial class AccessControlClient
         protected AccessControlClient() { }
         public AccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential) { }
         public AccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azure.Security.KeyVault.Administration.AccessControlClientOptions options) { }
-        public System.Uri VaultUri { get { throw null; } }
+        public virtual System.Uri VaultUri { get { throw null; } }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(string Name, string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(System.Uri scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(string Name, string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(System.Uri scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(System.Uri scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
index 105b19c0c6c86..9d7179b41e67a 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
@@ -23,7 +23,7 @@ public class AccessControlClient
         /// The vault Uri.
         /// </summary>
         /// <value></value>
-        public Uri VaultUri { get; }
+        public virtual Uri VaultUri { get; }
 
         /// <summary>
         /// Initializes a new instance of the <see cref="AccessControlClient"/> class for mocking.
@@ -73,6 +73,7 @@ public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessContr
         /// <param name="scope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleDefinitions(scope.AbsolutePath, cancellationToken);
 
@@ -82,6 +83,7 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, Cancellati
         /// <param name="scope"></param>
         /// <param name="cancellationToken"></param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateEnumerable(_ =>
@@ -101,6 +103,7 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, Cancell
         /// <param name="scope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleDefinitionsAsync(scope.AbsolutePath, cancellationToken);
 
@@ -110,6 +113,7 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope,
         /// <param name="scope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
@@ -131,6 +135,7 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scop
         /// <param name="scope"></param>
         /// <param name="cancellationToken"></param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleAssignments(scope.AbsolutePath, cancellationToken);
 
@@ -140,6 +145,7 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, Cancellati
         /// <param name="scope"></param>
         /// <param name="cancellationToken"></param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateEnumerable(_ =>
@@ -159,6 +165,7 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, Cancell
         /// <param name="scope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleAssignmentsAsync(scope.AbsolutePath, cancellationToken);
 
@@ -168,6 +175,7 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope,
         /// <param name="scope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
@@ -187,6 +195,7 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scop
         /// Creates a <see cref="RoleAssignment"/>.
         /// </summary>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
             CreateRoleAssignment(scope.AbsolutePath, properties, cancellationToken);
 
@@ -197,6 +206,7 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssi
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <returns></returns>
+        [ForwardsClientCalls]
         public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
             _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), properties, cancellationToken);
 
@@ -206,6 +216,7 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleA
         /// <param name="scope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
         public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
             await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope.AbsolutePath, Guid.NewGuid().ToString(), properties, cancellationToken)
                 .ConfigureAwait(false);
@@ -216,16 +227,42 @@ await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope.AbsolutePat
         /// <param name="scope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
         public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
             await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), properties, cancellationToken)
                 .ConfigureAwait(false);
 
+        /// <summary>
+        /// Creates a <see cref="RoleAssignment"/>.
+        /// </summary>
+        /// <param name="Name">Pre-selected Name used to create the role assignment.</param>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <returns></returns>
+        [ForwardsClientCalls]
+        public virtual Response<RoleAssignment> CreateRoleAssignment(string Name, string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Name, properties, cancellationToken);
+
+        /// <summary>
+        /// Creates a <see cref="RoleAssignment"/>.
+        /// </summary>
+        /// <param name="Name">Pre-selected Id used to create the role assignment.</param>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
+        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(string Name, string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Name, properties, cancellationToken)
+                .ConfigureAwait(false);
+
         /// <summary>
         /// Get the specified role assignment.
         /// </summary>
         /// <param name="scope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
         public virtual Response<RoleAssignment> GetRoleAssignment(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
             _assignmentsRestClient.Get(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken);
 
@@ -235,6 +272,7 @@ public virtual Response<RoleAssignment> GetRoleAssignment(string scope, string r
         /// <param name="scope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
         public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
             await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken)
                 .ConfigureAwait(false);
@@ -245,6 +283,7 @@ await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, scope, roleAssignmen
         /// <param name="scope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
         public virtual Response<RoleAssignment> DeleteRoleAssignment(Uri scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
             _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, scope.AbsolutePath, roleAssignmentName, cancellationToken);
 
@@ -254,6 +293,7 @@ public virtual Response<RoleAssignment> DeleteRoleAssignment(Uri scope, string r
         /// <param name="scope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
         public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(Uri scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
             await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope.AbsolutePath, roleAssignmentName, cancellationToken)
                 .ConfigureAwait(false);
@@ -264,6 +304,7 @@ await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope.AbsolutePat
         /// <param name="scope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
         public virtual Response<RoleAssignment> DeleteRoleAssignment(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
             _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken);
 
@@ -273,6 +314,7 @@ public virtual Response<RoleAssignment> DeleteRoleAssignment(string scope, strin
         /// <param name="scope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        [ForwardsClientCalls]
         public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
             await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken)
                 .ConfigureAwait(false);
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
index 021bc285c91c0..cfb83c02208aa 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
@@ -11,13 +11,13 @@
 
 namespace Azure.Security.KeyVault.Administration.Tests
 {
-    [Ignore("Working out permissions issues to the resource")]
     public class AccessControlClientLiveTests : AccessControlTestBase
     {
         private const string pricipalID = "4ae6842b-2a3e-4919-8305-7db89f3d6edd";
         private const string roleName = "Azure Key Vault Managed HSM Administrator";
+        private const string roleAssignmentId = "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16";
 
-        public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Record /* To record tests, add this argument, RecordedTestMode.Record */)
+        public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Playback /* To record tests, add this argument, RecordedTestMode.Record */)
         { }
 
         [SetUp]
@@ -56,7 +56,7 @@ public async Task CreateRoleAssignment()
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
-            RoleAssignment result = await Client.CreateRoleAssignmentAsync(Scopes.Root, properties).ConfigureAwait(false);
+            RoleAssignment result = await Client.CreateRoleAssignmentAsync(roleAssignmentId, Scopes.Root, properties).ConfigureAwait(false);
 
             RegisterForCleanup(result);
 
@@ -74,7 +74,7 @@ public async Task GetRoleAssignment()
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
-            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(Scopes.Root, properties).ConfigureAwait(false);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(roleAssignmentId, Scopes.Root, properties).ConfigureAwait(false);
 
             RegisterForCleanup(assignment);
 
@@ -95,7 +95,7 @@ public async Task DeleteRoleAssignment()
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
-            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(Scopes.Root, properties).ConfigureAwait(false);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(roleAssignmentId, Scopes.Root, properties).ConfigureAwait(false);
 
             RoleAssignment result = await Client.DeleteRoleAssignmentAsync(Scopes.Root, assignment.Name).ConfigureAwait(false);
 
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
index 9bc01902a2f26..b4880c9623c3f 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
@@ -36,7 +36,7 @@ internal AccessControlClient GetClient(TestRecording recording = null)
                     recording.InstrumentClientOptions(new AccessControlClientOptions())));
         }
 
-        [OneTimeTearDown]
+        [TearDown]
         public async Task Cleanup()
         {
             // Start deleting resources as soon as possible.
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
new file mode 100644
index 0000000000000..584a92b176756
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
@@ -0,0 +1,238 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "5e8636028f65bb56594d809618e68b9c",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "5e8636028f65bb56594d809618e68b9c",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|6e6b2bc5-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "16093e51ef8cfc750e2d28064b66eddd",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "1126588322"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
new file mode 100644
index 0000000000000..5ca5cee8aba71
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
@@ -0,0 +1,238 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "c23c658117723d55cd717f5f53da57f6",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "c23c658117723d55cd717f5f53da57f6",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|6e6b2bcc-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "8172d5e41db7e9e5c84ad8c05c75332c",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "1820470144"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
new file mode 100644
index 0000000000000..ebb5ad14b32ba
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
@@ -0,0 +1,272 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "5f9412fda0f0133d146f7775c4434755",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "5f9412fda0f0133d146f7775c4434755",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|6e6b2bc7-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "a62283a033ccd643d3ca47462f9e8cc5",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "DELETE",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Request-Id": "|6e6b2bc8-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "f213e6c0e20b3b9ee285854e4f62a8b4",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "26204039"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
new file mode 100644
index 0000000000000..0f3d60c8400d3
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
@@ -0,0 +1,272 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "90089dd99809a512d432fd1a0d8f4b26",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "90089dd99809a512d432fd1a0d8f4b26",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|6e6b2bce-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "ffce91e513374f917bd26e76b166002d",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "DELETE",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Request-Id": "|6e6b2bcf-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "3d63015b5be35d7e1461862d46efbe59",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "829785785"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
new file mode 100644
index 0000000000000..95b8dca6baf04
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
@@ -0,0 +1,272 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "495eaeb69be85f6afeff2958f3da8d60",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "495eaeb69be85f6afeff2958f3da8d60",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|6e6b2bc9-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "d499b987535015555758ba33a25b0a64",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Request-Id": "|6e6b2bca-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "599096f85657ea8ac7b19ce201831758",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "1965379599"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
new file mode 100644
index 0000000000000..44ff97a8f6c5c
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
@@ -0,0 +1,272 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "b1527bf3417a79628d90dd6275e693c2",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "b1527bf3417a79628d90dd6275e693c2",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "PUT",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Content-Length": "181",
+        "Content-Type": "application/json",
+        "Request-Id": "|6e6b2bd0-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "97ca12c57d1eafa690e4cfbfaa6b1783",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": {
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+      },
+      "StatusCode": 201,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "Request-Id": "|6e6b2bd1-4048e160b0eca19f.",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "e8814a7bcc82cbf1a39bc7d83ee0eb34",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "398",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
+        "properties": {
+          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "scope": "/"
+        },
+        "type": "Microsoft.Authorization/roleAssignments"
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "1144294929"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitions.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitions.json
new file mode 100644
index 0000000000000..384b3b6cb434f
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitions.json
@@ -0,0 +1,199 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "ceef6d0ab68b4b8d6235ca38ce984db2",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "ceef6d0ab68b4b8d6235ca38ce984db2",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "520554031"
+  }
+}
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitionsAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitionsAsync.json
new file mode 100644
index 0000000000000..aec2dc60b73c6
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleDefinitionsAsync.json
@@ -0,0 +1,199 @@
+{
+  "Entries": [
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "e053ba5483ab0ec55202f62324301f5e",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 401,
+      "ResponseHeaders": {
+        "Content-Length": "2",
+        "Content-Type": "application/json",
+        "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": "OK"
+    },
+    {
+      "RequestUri": "https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview",
+      "RequestMethod": "GET",
+      "RequestHeaders": {
+        "Authorization": "Sanitized",
+        "User-Agent": [
+          "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
+          "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
+        ],
+        "x-ms-client-request-id": "e053ba5483ab0ec55202f62324301f5e",
+        "x-ms-return-client-request-id": "true"
+      },
+      "RequestBody": null,
+      "StatusCode": 200,
+      "ResponseHeaders": {
+        "Content-Length": "4256",
+        "Content-Type": "application/json",
+        "X-Content-Type-Options": "nosniff",
+        "x-ms-keyvault-network-info": "addr=72.176.254.191",
+        "x-ms-keyvault-region": "EASTUS",
+        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+      },
+      "ResponseBody": {
+        "value": [
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+            "name": "a290e904-7015-4bba-90c8-60543313cdb4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "name": "515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action",
+                    "Microsoft.KeyVault/managedHsm/keys/restore/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/create",
+                    "Microsoft.KeyVault/managedHsm/keys/delete",
+                    "Microsoft.KeyVault/managedHsm/keys/export/action",
+                    "Microsoft.KeyVault/managedHsm/keys/import/action",
+                    "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto Officer",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+            "name": "21dbd100-6940-42c2-9190-5d6cb909625b",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/keys/read",
+                    "Microsoft.KeyVault/managedHsm/keys/write",
+                    "Microsoft.KeyVault/managedHsm/keys/backup/action"
+                  ],
+                  "dataActions": [
+                    "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+                    "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+                    "Microsoft.KeyVault/managedHsm/keys/sign/action",
+                    "Microsoft.KeyVault/managedHsm/keys/verify/action"
+                  ],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Crypto User",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "name": "4bd23610-cdcf-4971-bdee-bdc562cc28e4",
+            "properties": {
+              "assignableScopes": [
+                "/"
+              ],
+              "description": "",
+              "permissions": [
+                {
+                  "actions": [
+                    "Microsoft.KeyVault/managedHsm/roleDefinitions/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/read",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/write",
+                    "Microsoft.KeyVault/managedHsm/roleAssignments/delete"
+                  ],
+                  "dataActions": [],
+                  "notActions": [],
+                  "notDataActions": []
+                }
+              ],
+              "roleName": "Azure Key Vault Managed HSM Policy Administrator",
+              "type": ""
+            },
+            "type": "Microsoft.Authorization/roleDefinitions"
+          }
+        ]
+      }
+    }
+  ],
+  "Variables": {
+    "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "RandomSeed": "775111323"
+  }
+}
\ No newline at end of file

From d4c10d193959f6eb0fb4ad60971d87ba7cfde789 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 12:20:34 -0500
Subject: [PATCH 07/20] regen client

---
 .../src/Generated/RoleAssignmentsRestClient.cs                  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
index 7f0d8f6861e58..f23a849d6fb8a 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/RoleAssignmentsRestClient.cs
@@ -155,7 +155,7 @@ internal HttpMessage CreateCreateRequest(string vaultBaseUrl, string scope, stri
             uri.AppendQuery("api-version", apiVersion, true);
             request.Uri = uri;
             request.Headers.Add("Content-Type", "application/json");
-            using var content = new Utf8JsonRequestContent();
+            var content = new Utf8JsonRequestContent();
             content.JsonWriter.WriteObjectValue(parameters);
             request.Content = content;
             return message;

From dcab74ffa8c06e365e1f0a57580383a636bc4c11 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 12:33:50 -0500
Subject: [PATCH 08/20] fix version

---
 .../src/Azure.Security.KeyVault.Administration.csproj           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
index 3698c312b5ac5..f2ed6719d9549 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
@@ -3,7 +3,7 @@
 <PropertyGroup>
     <Description>This is the Microsoft Azure Key Vault Administration client library</Description>
     <AssemblyTitle>Microsoft Azure.Security.KeyVault.Administration client library</AssemblyTitle>
-    <Version>4.1.0-preview.2</Version>
+    <Version>4.1.0-preview.1</Version>
     <PackageTags>Microsoft Azure Key Vault Administration;$(PackageCommonTags)</PackageTags>
     <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
     <EnableApiCompat>false</EnableApiCompat>

From 80ef6a6c72c50f9a33546287810f481e4b825876 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 12:47:44 -0500
Subject: [PATCH 09/20] xml comments

---
 .../src/AccessControlClient.cs                | 29 ++++++++-----------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
index 9d7179b41e67a..4ed89ad9fdfe1 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
@@ -52,6 +52,9 @@ public AccessControlClient(Uri vaultUri, TokenCredential credential)
         /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
         public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessControlClientOptions options)
         {
+            Argument.AssertNotNull(vaultUri, nameof(vaultUri));
+            Argument.AssertNotNull(credential, nameof(credential));
+
             VaultUri = vaultUri;
             Argument.AssertNotNull(vaultUri, nameof(vaultUri));
             Argument.AssertNotNull(credential, nameof(credential));
@@ -72,7 +75,6 @@ public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessContr
         /// </summary>
         /// <param name="scope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        /// <returns></returns>
         [ForwardsClientCalls]
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleDefinitions(scope.AbsolutePath, cancellationToken);
@@ -80,9 +82,8 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, Cancellati
         /// <summary>
         /// Get all role definitions that are applicable at scope and above.
         /// </summary>
-        /// <param name="scope"></param>
-        /// <param name="cancellationToken"></param>
-        /// <returns></returns>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, CancellationToken cancellationToken = default)
         {
@@ -102,7 +103,6 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, Cancell
         /// </summary>
         /// <param name="scope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        /// <returns></returns>
         [ForwardsClientCalls]
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleDefinitionsAsync(scope.AbsolutePath, cancellationToken);
@@ -112,7 +112,6 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope,
         /// </summary>
         /// <param name="scope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        /// <returns></returns>
         [ForwardsClientCalls]
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scope, CancellationToken cancellationToken = default)
         {
@@ -132,9 +131,8 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scop
         /// <summary>
         /// Gets the <see cref="RoleAssignment"/>s for a scope.
         /// </summary>
-        /// <param name="scope"></param>
-        /// <param name="cancellationToken"></param>
-        /// <returns></returns>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
         public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleAssignments(scope.AbsolutePath, cancellationToken);
@@ -142,9 +140,8 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, Cancellati
         /// <summary>
         ///
         /// </summary>
-        /// <param name="scope"></param>
-        /// <param name="cancellationToken"></param>
-        /// <returns></returns>
+        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
         public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, CancellationToken cancellationToken = default)
         {
@@ -164,7 +161,6 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, Cancell
         /// </summary>
         /// <param name="scope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        /// <returns></returns>
         [ForwardsClientCalls]
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope, CancellationToken cancellationToken = default) =>
             GetRoleAssignmentsAsync(scope.AbsolutePath, cancellationToken);
@@ -174,7 +170,6 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope,
         /// </summary>
         /// <param name="scope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        /// <returns></returns>
         [ForwardsClientCalls]
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scope, CancellationToken cancellationToken = default)
         {
@@ -194,7 +189,9 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scop
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
         /// </summary>
-        /// <returns></returns>
+        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
         public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
             CreateRoleAssignment(scope.AbsolutePath, properties, cancellationToken);
@@ -205,7 +202,6 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssi
         /// <param name="scope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        /// <returns></returns>
         [ForwardsClientCalls]
         public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
             _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), properties, cancellationToken);
@@ -239,7 +235,6 @@ await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Guid.NewGu
         /// <param name="scope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        /// <returns></returns>
         [ForwardsClientCalls]
         public virtual Response<RoleAssignment> CreateRoleAssignment(string Name, string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
             _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Name, properties, cancellationToken);

From 28554ed6b77bad52d4337b8d14c5df7b1c59097c Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 15:41:29 -0500
Subject: [PATCH 10/20] pr comments

---
 .../CHANGELOG.md                              |   4 +
 ....KeyVault.Administration.netstandard2.0.cs |  69 ++++----
 .../RoleDefinitionListResult.Serialization.cs |   2 +-
 .../Models/RoleDefinitionListResult.cs        |   2 +-
 ...ient.cs => KeyVaultAccessControlClient.cs} | 165 ++++--------------
 ... => KeyVaultAccessControlClientOptions.cs} |   6 +-
 .../src/KeyVaultAdministrationConstants.cs    |  22 ---
 .../src/RoleAssignmentScope.cs                |  83 +++++++++
 .../src/RoleDefinitionListResult.cs           |  11 ++
 .../tests/AccessControlClientLiveTests.cs     |  32 +---
 .../tests/AccessControlTestBase.cs            |  21 ++-
 ...urity.KeyVault.Administration.Tests.csproj |   1 -
 12 files changed, 202 insertions(+), 216 deletions(-)
 rename sdk/keyvault/Azure.Security.KeyVault.Administration/src/{AccessControlClient.cs => KeyVaultAccessControlClient.cs} (54%)
 rename sdk/keyvault/Azure.Security.KeyVault.Administration/src/{AccessControlClientOptions.cs => KeyVaultAccessControlClientOptions.cs} (88%)
 delete mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationConstants.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleDefinitionListResult.cs

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
index 245e6afd18ccc..dd46299edc3d2 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
@@ -1,3 +1,7 @@
 # Release History
 
 ## 4.1.0-preview.1 (Unreleased)
+
+### Added
+
+- Add `KeyVaultAccessControlClient`.
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
index afc91c97290f1..492a785d99b03 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -1,43 +1,50 @@
 namespace Azure.Security.KeyVault.Administration
 {
-    public partial class AccessControlClient
+    public partial class KeyVaultAccessControlClient
     {
-        protected AccessControlClient() { }
-        public AccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential) { }
-        public AccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azure.Security.KeyVault.Administration.AccessControlClientOptions options) { }
+        protected KeyVaultAccessControlClient() { }
+        public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential) { }
+        public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions options) { }
         public virtual System.Uri VaultUri { get { throw null; } }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(string Name, string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(System.Uri scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(string Name, string scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(System.Uri scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(System.Uri scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(System.Uri scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignment(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> GetRoleAssignmentAsync(string scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(System.Uri scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignmentsAsync(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignmentsAsync(System.Uri scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitions(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitions(System.Uri scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitionsAsync(string scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitionsAsync(System.Uri scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, string name = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, string name = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> GetRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignmentsAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitions(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitionsAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
     }
-    public partial class AccessControlClientOptions : Azure.Core.ClientOptions
+    public partial class KeyVaultAccessControlClientOptions : Azure.Core.ClientOptions
     {
-        public AccessControlClientOptions(Azure.Security.KeyVault.Administration.AccessControlClientOptions.ServiceVersion version = Azure.Security.KeyVault.Administration.AccessControlClientOptions.ServiceVersion.V7_2_Preview) { }
-        public Azure.Security.KeyVault.Administration.AccessControlClientOptions.ServiceVersion Version { get { throw null; } }
+        public KeyVaultAccessControlClientOptions(Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions.ServiceVersion version = Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions.ServiceVersion.V7_2_Preview) { }
+        public Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {
             V7_2_Preview = 1,
         }
     }
-    public static partial class KeyVaultAdministrationConstants
+    [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
+    public readonly partial struct RoleAssignmentScope : System.IEquatable<Azure.Security.KeyVault.Administration.RoleAssignmentScope>
     {
+        private readonly object _dummy;
+        private readonly int _dummyPrimitive;
+        public RoleAssignmentScope(string value) { throw null; }
+        public RoleAssignmentScope(System.Uri ResourceId) { throw null; }
+        public static Azure.Security.KeyVault.Administration.RoleAssignmentScope Keys { get { throw null; } }
+        public static Azure.Security.KeyVault.Administration.RoleAssignmentScope Root { get { throw null; } }
+        public bool Equals(Azure.Security.KeyVault.Administration.RoleAssignmentScope other) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override bool Equals(object obj) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override int GetHashCode() { throw null; }
+        public static bool operator ==(Azure.Security.KeyVault.Administration.RoleAssignmentScope left, Azure.Security.KeyVault.Administration.RoleAssignmentScope right) { throw null; }
+        public static implicit operator Azure.Security.KeyVault.Administration.RoleAssignmentScope (string value) { throw null; }
+        public static bool operator !=(Azure.Security.KeyVault.Administration.RoleAssignmentScope left, Azure.Security.KeyVault.Administration.RoleAssignmentScope right) { throw null; }
+        public override string ToString() { throw null; }
     }
 }
 namespace Azure.Security.KeyVault.Administration.Models
@@ -89,10 +96,4 @@ internal RoleDefinition() { }
         public string RoleType { get { throw null; } }
         public string Type { get { throw null; } }
     }
-    public partial class RoleDefinitionListResult
-    {
-        internal RoleDefinitionListResult() { }
-        public string NextLink { get { throw null; } }
-        public System.Collections.Generic.IReadOnlyList<Azure.Security.KeyVault.Administration.Models.RoleDefinition> Value { get { throw null; } }
-    }
 }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
index d112ad1b6e96c..6050894b96fdb 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.Serialization.cs
@@ -11,7 +11,7 @@
 
 namespace Azure.Security.KeyVault.Administration.Models
 {
-    public partial class RoleDefinitionListResult
+    internal partial class RoleDefinitionListResult
     {
         internal static RoleDefinitionListResult DeserializeRoleDefinitionListResult(JsonElement element)
         {
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
index b99d96a152485..44d06f20c3cca 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleDefinitionListResult.cs
@@ -10,7 +10,7 @@
 namespace Azure.Security.KeyVault.Administration.Models
 {
     /// <summary> Role definition list operation result. </summary>
-    public partial class RoleDefinitionListResult
+    internal partial class RoleDefinitionListResult
     {
         /// <summary> Initializes a new instance of RoleDefinitionListResult. </summary>
         internal RoleDefinitionListResult()
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
similarity index 54%
rename from sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
rename to sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
index 4ed89ad9fdfe1..cd34b8a1fae95 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -14,7 +14,7 @@ namespace Azure.Security.KeyVault.Administration
     /// <summary>
     /// The Client.
     /// </summary>
-    public class AccessControlClient
+    public class KeyVaultAccessControlClient
     {
         private readonly RoleDefinitionsRestClient _definitionsRestClient;
         private readonly RoleAssignmentsRestClient _assignmentsRestClient;
@@ -26,31 +26,31 @@ public class AccessControlClient
         public virtual Uri VaultUri { get; }
 
         /// <summary>
-        /// Initializes a new instance of the <see cref="AccessControlClient"/> class for mocking.
+        /// Initializes a new instance of the <see cref="KeyVaultAccessControlClient"/> class for mocking.
         /// </summary>
-        protected AccessControlClient()
+        protected KeyVaultAccessControlClient()
         { }
 
         /// <summary>
-        /// Initializes a new instance of the <see cref="AccessControlClient"/> class for the specified vault.
+        /// Initializes a new instance of the <see cref="KeyVaultAccessControlClient"/> class for the specified vault.
         /// </summary>
         /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
         /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
         /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
-        public AccessControlClient(Uri vaultUri, TokenCredential credential)
+        public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential)
             : this(vaultUri, credential, null)
         {
 
         }
 
         /// <summary>
-        /// Initializes a new instance of the <see cref="AccessControlClient"/> class for the specified vault.
+        /// Initializes a new instance of the <see cref="KeyVaultAccessControlClient"/> class for the specified vault.
         /// </summary>
         /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
         /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
-        /// <param name="options"><see cref="AccessControlClientOptions"/> that allow to configure the management of the request sent to Key Vault.</param>
+        /// <param name="options"><see cref="KeyVaultAccessControlClientOptions"/> that allow to configure the management of the request sent to Key Vault.</param>
         /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
-        public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessControlClientOptions options)
+        public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, KeyVaultAccessControlClientOptions options)
         {
             Argument.AssertNotNull(vaultUri, nameof(vaultUri));
             Argument.AssertNotNull(credential, nameof(credential));
@@ -59,7 +59,7 @@ public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessContr
             Argument.AssertNotNull(vaultUri, nameof(vaultUri));
             Argument.AssertNotNull(credential, nameof(credential));
 
-            options ??= new AccessControlClientOptions();
+            options ??= new KeyVaultAccessControlClientOptions();
             string apiVersion = options.GetVersionString();
 
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
@@ -70,30 +70,21 @@ public AccessControlClient(Uri vaultUri, TokenCredential credential, AccessContr
             _assignmentsRestClient = new RoleAssignmentsRestClient(diagnostics, pipeline, apiVersion);
         }
 
-        /// <summary>
-        /// Get all role definitions that are applicable at scope and above.
-        /// </summary>
-        /// <param name="scope"> The scope of the role definition. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Pageable<RoleDefinition> GetRoleDefinitions(Uri scope, CancellationToken cancellationToken = default) =>
-            GetRoleDefinitions(scope.AbsolutePath, cancellationToken);
-
         /// <summary>
         /// Get all role definitions that are applicable at scope and above.
         /// </summary>
         /// <param name="scope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, CancellationToken cancellationToken = default)
+        public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateEnumerable(_ =>
             {
-                var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken);
+                var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, (nextLink, _) =>
             {
-                var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken);
+                var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
         }
@@ -104,83 +95,56 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(string scope, Cancell
         /// <param name="scope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(Uri scope, CancellationToken cancellationToken = default) =>
-            GetRoleDefinitionsAsync(scope.AbsolutePath, cancellationToken);
-
-        /// <summary>
-        /// Get all role definitions that are applicable at scope and above.
-        /// </summary>
-        /// <param name="scope"> The scope of the role definition. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(string scope, CancellationToken cancellationToken = default)
+        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignmentScope scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
             {
-                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
+                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, async (nextLink, _) =>
             {
-                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
+                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
         }
 
-        /// <summary>
-        /// Gets the <see cref="RoleAssignment"/>s for a scope.
-        /// </summary>
-        /// <param name="scope"> The scope of the role assignments. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Pageable<RoleAssignment> GetRoleAssignments(Uri scope, CancellationToken cancellationToken = default) =>
-            GetRoleAssignments(scope.AbsolutePath, cancellationToken);
-
         /// <summary>
         ///
         /// </summary>
         /// <param name="scope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual Pageable<RoleAssignment> GetRoleAssignments(string scope, CancellationToken cancellationToken = default)
+        public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateEnumerable(_ =>
             {
-                var response = _assignmentsRestClient.ListForScope(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken);
+                var response = _assignmentsRestClient.ListForScope(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, (nextLink, _) =>
             {
-                var response = _assignmentsRestClient.ListForScopeNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken);
+                var response = _assignmentsRestClient.ListForScopeNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
         }
 
-        /// <summary>
-        /// Gets the <see cref="RoleAssignment"/>s for a scope.
-        /// </summary>
-        /// <param name="scope"> The scope of the role assignments. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(Uri scope, CancellationToken cancellationToken = default) =>
-            GetRoleAssignmentsAsync(scope.AbsolutePath, cancellationToken);
-
-        /// <summary>
+        /// <summary>0
         /// Gets the <see cref="RoleAssignment"/>s for a scope.
         /// </summary>
         /// <param name="scope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scope, CancellationToken cancellationToken = default)
+        public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignmentScope scope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
             {
-                var response = await _assignmentsRestClient.ListForScopeAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
+                var response = await _assignmentsRestClient.ListForScopeAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, async (nextLink, _) =>
             {
-                var response = await _assignmentsRestClient.ListForScopeNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope, cancellationToken: cancellationToken)
+                var response = await _assignmentsRestClient.ListForScopeNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
@@ -193,62 +157,30 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(string scop
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> CreateRoleAssignment(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            CreateRoleAssignment(scope.AbsolutePath, properties, cancellationToken);
-
-        /// <summary>
-        /// Creates a <see cref="RoleAssignment"/>.
-        /// </summary>
-        /// <param name="scope"> The scope of the role assignment to create. </param>
-        /// <param name="properties"> Properties for the role assignment. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> CreateRoleAssignment(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), properties, cancellationToken);
-
-        /// <summary>
-        /// Creates a <see cref="RoleAssignment"/>.
-        /// </summary>
-        /// <param name="scope"> The scope of the role assignment to create. </param>
-        /// <param name="properties"> Properties for the role assignment. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Uri scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope.AbsolutePath, Guid.NewGuid().ToString(), properties, cancellationToken)
-                .ConfigureAwait(false);
-
-        /// <summary>
-        /// Creates a <see cref="RoleAssignment"/>.
-        /// </summary>
-        /// <param name="scope"> The scope of the role assignment to create. </param>
-        /// <param name="properties"> Properties for the role assignment. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Guid.NewGuid().ToString(), properties, cancellationToken)
-                .ConfigureAwait(false);
+        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope.ToString(), Guid.NewGuid().ToString(), properties, cancellationToken);
 
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
         /// </summary>
-        /// <param name="Name">Pre-selected Name used to create the role assignment.</param>
         /// <param name="scope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="name">The Name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> CreateRoleAssignment(string Name, string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope, Name, properties, cancellationToken);
+        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope scope, RoleAssignmentProperties properties, string name = null, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope.ToString(), name ?? Guid.NewGuid().ToString(), properties, cancellationToken);
 
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
         /// </summary>
-        /// <param name="Name">Pre-selected Id used to create the role assignment.</param>
         /// <param name="scope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
+        /// <param name="name">The name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(string Name, string scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Name, properties, cancellationToken)
+        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(RoleAssignmentScope scope, RoleAssignmentProperties properties, string name = null, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope.ToString(), name ?? Guid.NewGuid().ToString(), properties, cancellationToken)
                 .ConfigureAwait(false);
 
         /// <summary>
@@ -258,8 +190,8 @@ await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope, Name, prop
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> GetRoleAssignment(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Get(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken);
+        public virtual Response<RoleAssignment> GetRoleAssignment(RoleAssignmentScope scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Get(VaultUri.AbsoluteUri, scope.ToString(), roleAssignmentName, cancellationToken);
 
         /// <summary>
         /// Get the specified role assignment.
@@ -268,29 +200,8 @@ public virtual Response<RoleAssignment> GetRoleAssignment(string scope, string r
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken)
-                .ConfigureAwait(false);
-
-        /// <summary>
-        /// Delete the specified role assignment.
-        /// </summary>
-        /// <param name="scope"> The scope of the role assignment. </param>
-        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> DeleteRoleAssignment(Uri scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, scope.AbsolutePath, roleAssignmentName, cancellationToken);
-
-        /// <summary>
-        /// Delete the specified role assignment.
-        /// </summary>
-        /// <param name="scope"> The scope of the role assignment. </param>
-        /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(Uri scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope.AbsolutePath, roleAssignmentName, cancellationToken)
+        public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(RoleAssignmentScope scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, scope.ToString(), roleAssignmentName, cancellationToken)
                 .ConfigureAwait(false);
 
         /// <summary>
@@ -300,8 +211,8 @@ await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope.AbsolutePat
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> DeleteRoleAssignment(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken);
+        public virtual Response<RoleAssignment> DeleteRoleAssignment(RoleAssignmentScope scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, scope.ToString(), roleAssignmentName, cancellationToken);
 
         /// <summary>
         /// Delete the specified role assignment.
@@ -310,8 +221,8 @@ public virtual Response<RoleAssignment> DeleteRoleAssignment(string scope, strin
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(string scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope, roleAssignmentName, cancellationToken)
+        public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(RoleAssignmentScope scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
+            await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope.ToString(), roleAssignmentName, cancellationToken)
                 .ConfigureAwait(false);
     }
 }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClientOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
similarity index 88%
rename from sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClientOptions.cs
rename to sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
index 7b90594ef16af..32e597b7d2a15 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/AccessControlClientOptions.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
@@ -9,7 +9,7 @@ namespace Azure.Security.KeyVault.Administration
     /// <summary>
     /// Options that allow you to configure the requests sent to Key Vault.
     /// </summary>
-    public class AccessControlClientOptions : ClientOptions
+    public class KeyVaultAccessControlClientOptions : ClientOptions
     {
         /// <summary>
         /// The latest service version supported by this client library.
@@ -40,14 +40,14 @@ public enum ServiceVersion
         public ServiceVersion Version { get; }
 
         /// <summary>
-        /// Initializes a new instance of the <see cref="AccessControlClientOptions"/> class.
+        /// Initializes a new instance of the <see cref="KeyVaultAccessControlClientOptions"/> class.
         /// class.
         /// </summary>
         /// <param name="version">
         /// The <see cref="ServiceVersion"/> of the service API used when
         /// making requests.
         /// </param>
-        public AccessControlClientOptions(ServiceVersion version = LatestVersion)
+        public KeyVaultAccessControlClientOptions(ServiceVersion version = LatestVersion)
         {
             Version = version;
 
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationConstants.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationConstants.cs
deleted file mode 100644
index c95381f243519..0000000000000
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationConstants.cs
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-namespace Azure.Security.KeyVault.Administration
-{
-    /// <summary>
-    /// Constant values for KeyVault Administration.
-    /// </summary>
-    public static class KeyVaultAdministrationConstants
-    {
-        internal static class Scopes
-        {
-            /// <summary>
-            /// The root scope.
-            /// </summary>
-            public const string Root = "/";
-            public const string Keys = "/keys";
-        }
-
-    }
-
-}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
new file mode 100644
index 0000000000000..1f46f0d41384f
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
@@ -0,0 +1,83 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.ComponentModel;
+
+namespace Azure.Security.KeyVault.Administration
+{
+    /// <summary>
+    /// A scope of the role assignment.
+    /// </summary>
+    public readonly struct RoleAssignmentScope : IEquatable<RoleAssignmentScope>
+    {
+        internal const string RootValue = "/";
+        internal const string KeysValue = "/keys";
+
+        private readonly string _value;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="RoleAssignmentScope"/> structure.
+        /// </summary>
+        /// <param name="value">The string value of the instance.</param>
+        public RoleAssignmentScope(string value)
+        {
+            _value = value ?? throw new ArgumentNullException(nameof(value));
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="RoleAssignmentScope"/> structure.
+        /// </summary>
+        /// <param name="ResourceId">The Resource Id for the given Resource</param>
+        public RoleAssignmentScope(Uri ResourceId)
+        {
+            _value = ResourceId.AbsolutePath ?? throw new ArgumentNullException(nameof(ResourceId));
+        }
+
+        /// <summary>
+        /// Root.
+        /// </summary>
+        public static RoleAssignmentScope Root { get; } = new RoleAssignmentScope(RootValue);
+
+        /// <summary>
+        /// Keys.
+        /// </summary>
+        public static RoleAssignmentScope Keys { get; } = new RoleAssignmentScope(KeysValue);
+
+        /// <summary>
+        /// Determines if two <see cref="RoleAssignmentScope"/> values are the same.
+        /// </summary>
+        /// <param name="left">The first <see cref="RoleAssignmentScope"/> to compare.</param>
+        /// <param name="right">The second <see cref="RoleAssignmentScope"/> to compare.</param>
+        /// <returns>True if <paramref name="left"/> and <paramref name="right"/> are the same; otherwise, false.</returns>
+        public static bool operator ==(RoleAssignmentScope left, RoleAssignmentScope right) => left.Equals(right);
+
+        /// <summary>
+        /// Determines if two <see cref="RoleAssignmentScope"/> values are different.
+        /// </summary>
+        /// <param name="left">The first <see cref="RoleAssignmentScope"/> to compare.</param>
+        /// <param name="right">The second <see cref="RoleAssignmentScope"/> to compare.</param>
+        /// <returns>True if <paramref name="left"/> and <paramref name="right"/> are different; otherwise, false.</returns>
+        public static bool operator !=(RoleAssignmentScope left, RoleAssignmentScope right) => !left.Equals(right);
+
+        /// <summary>
+        /// Converts a string to a <see cref="RoleAssignmentScope"/>.
+        /// </summary>
+        /// <param name="value">The string value to convert.</param>
+        public static implicit operator RoleAssignmentScope(string value) => new RoleAssignmentScope(value);
+
+        /// <inheritdoc/>
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public override bool Equals(object obj) => obj is RoleAssignmentScope other && Equals(other);
+
+        /// <inheritdoc/>
+        public bool Equals(RoleAssignmentScope other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+        /// <inheritdoc/>
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+        /// <inheritdoc/>
+        public override string ToString() => _value;
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleDefinitionListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleDefinitionListResult.cs
new file mode 100644
index 0000000000000..1e765e7108a09
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleDefinitionListResult.cs
@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+
+    internal partial class RoleDefinitionListResult
+    {
+
+    }
+}
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
index cfb83c02208aa..534bec133f48d 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
@@ -5,7 +5,6 @@
 using System.Threading.Tasks;
 using Azure.Core.TestFramework;
 using Azure.Security.KeyVault.Administration.Models;
-using static Azure.Security.KeyVault.Administration.KeyVaultAdministrationConstants;
 using NUnit.Framework;
 using System.Linq;
 
@@ -20,23 +19,10 @@ public class AccessControlClientLiveTests : AccessControlTestBase
         public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Playback /* To record tests, add this argument, RecordedTestMode.Record */)
         { }
 
-        [SetUp]
-        public void ClearChallengeCacheforRecord()
-        {
-            // in record mode we reset the challenge cache before each test so that the challenge call
-            // is always made.  This allows tests to be replayed independently and in any order
-            if (Mode == RecordedTestMode.Record || Mode == RecordedTestMode.Playback)
-            {
-                Client = GetClient();
-
-                ChallengeBasedAuthenticationPolicy.AuthenticationChallenge.ClearCache();
-            }
-        }
-
         [Test]
         public async Task GetRoleDefinitions()
         {
-            List<RoleDefinition> results = await Client.GetRoleDefinitionsAsync(Scopes.Root).ToEnumerableAsync().ConfigureAwait(false);
+            List<RoleDefinition> results = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
 
             Assert.That(results.Count, Is.Not.Zero);
             Assert.That(results[0].AssignableScopes, Is.Not.Empty);
@@ -52,11 +38,11 @@ public async Task GetRoleDefinitions()
         [Test]
         public async Task CreateRoleAssignment()
         {
-            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(Scopes.Root).ToEnumerableAsync().ConfigureAwait(false);
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
-            RoleAssignment result = await Client.CreateRoleAssignmentAsync(roleAssignmentId, Scopes.Root, properties).ConfigureAwait(false);
+            RoleAssignment result = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
 
             RegisterForCleanup(result);
 
@@ -70,15 +56,15 @@ public async Task CreateRoleAssignment()
         [Test]
         public async Task GetRoleAssignment()
         {
-            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(Scopes.Root).ToEnumerableAsync().ConfigureAwait(false);
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
-            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(roleAssignmentId, Scopes.Root, properties).ConfigureAwait(false);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
 
             RegisterForCleanup(assignment);
 
-            RoleAssignment result = await Client.GetRoleAssignmentAsync(Scopes.Root, assignment.Name).ConfigureAwait(false);
+            RoleAssignment result = await Client.GetRoleAssignmentAsync(RoleAssignmentScope.Root, assignment.Name).ConfigureAwait(false);
 
             Assert.That(result.Id, Is.EqualTo(assignment.Id));
             Assert.That(result.Name, Is.EqualTo(assignment.Name));
@@ -91,13 +77,13 @@ public async Task GetRoleAssignment()
         [Test]
         public async Task DeleteRoleAssignment()
         {
-            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(Scopes.Root).ToEnumerableAsync().ConfigureAwait(false);
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
-            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(roleAssignmentId, Scopes.Root, properties).ConfigureAwait(false);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
 
-            RoleAssignment result = await Client.DeleteRoleAssignmentAsync(Scopes.Root, assignment.Name).ConfigureAwait(false);
+            RoleAssignment result = await Client.DeleteRoleAssignmentAsync(RoleAssignmentScope.Root, assignment.Name).ConfigureAwait(false);
 
             Assert.That(result.Id, Is.EqualTo(assignment.Id));
             Assert.That(result.Name, Is.EqualTo(assignment.Name));
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
index b4880c9623c3f..9baf6c42353e0 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlTestBase.cs
@@ -13,7 +13,7 @@ namespace Azure.Security.KeyVault.Administration.Tests
 {
     public class AccessControlTestBase : RecordedTestBase<KeyVaultTestEnvironment>
     {
-        public AccessControlClient Client { get; set; }
+        public KeyVaultAccessControlClient Client { get; set; }
 
         public Uri VaultUri { get; set; }
 
@@ -25,15 +25,28 @@ public AccessControlTestBase(bool isAsync, RecordedTestMode mode) : base(isAsync
         public AccessControlTestBase(bool isAsync) : base(isAsync)
         { }
 
-        internal AccessControlClient GetClient(TestRecording recording = null)
+        internal KeyVaultAccessControlClient GetClient(TestRecording recording = null)
         {
             recording ??= Recording;
 
             return InstrumentClient
-                (new AccessControlClient(
+                (new KeyVaultAccessControlClient(
                     new Uri(TestEnvironment.KeyVaultUrl),
                     TestEnvironment.Credential,
-                    recording.InstrumentClientOptions(new AccessControlClientOptions())));
+                    recording.InstrumentClientOptions(new KeyVaultAccessControlClientOptions())));
+        }
+
+        [SetUp]
+        public void ClearChallengeCacheforRecord()
+        {
+            // in record mode we reset the challenge cache before each test so that the challenge call
+            // is always made.  This allows tests to be replayed independently and in any order
+            if (Mode == RecordedTestMode.Record || Mode == RecordedTestMode.Playback)
+            {
+                Client = GetClient();
+
+                ChallengeBasedAuthenticationPolicy.AuthenticationChallenge.ClearCache();
+            }
         }
 
         [TearDown]
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj
index 2cc30840b1fe4..04876ddbbef5a 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/Azure.Security.KeyVault.Administration.Tests.csproj
@@ -10,7 +10,6 @@
     <PackageReference Include="NUnit3TestAdapter" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" />
     <PackageReference Include="Moq" />
-    <PackageReference Include="BenchmarkDotNet" />
     <PackageReference Include="System.Text.Json" />
   </ItemGroup>
 

From 6a47d736de285f4df595296c7852e4b13ca5d5df Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 16:22:36 -0500
Subject: [PATCH 11/20] pr comments

---
 .../src/KeyVaultAccessControlClient.cs        |  5 ++--
 .../tests/AccessControlClientLiveTests.cs     |  9 +++----
 .../CreateRoleAssignment.json                 | 17 +++++++------
 .../CreateRoleAssignmentAsync.json            | 17 +++++++------
 .../DeleteRoleAssignment.json                 | 25 ++++++++++---------
 .../DeleteRoleAssignmentAsync.json            | 25 ++++++++++---------
 .../GetRoleAssignment.json                    | 25 ++++++++++---------
 .../GetRoleAssignmentAsync.json               | 25 ++++++++++---------
 .../tests/KeyVaultTestEnvironment.cs          |  2 ++
 sdk/keyvault/test-resources.json              |  4 +++
 10 files changed, 83 insertions(+), 71 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
index cd34b8a1fae95..589304f95cc86 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -6,13 +6,14 @@
 using System.Threading.Tasks;
 using Azure.Core;
 using Azure.Core.Pipeline;
-using Azure.Security.KeyVault;
 using Azure.Security.KeyVault.Administration.Models;
 
 namespace Azure.Security.KeyVault.Administration
 {
     /// <summary>
-    /// The Client.
+    /// The KeyVaultAccessControlClient provides synchronous and asynchronous methods to view and manage Role Based Access for the Azure Key Vault.
+    /// The client supports creating, listing, updating, and deleting <see cref="RoleAssignment"/>.
+    /// The client also supports listing <see cref="RoleDefinition" />.
     /// </summary>
     public class KeyVaultAccessControlClient
     {
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
index 534bec133f48d..49c6dc0eb9057 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
@@ -12,8 +12,7 @@ namespace Azure.Security.KeyVault.Administration.Tests
 {
     public class AccessControlClientLiveTests : AccessControlTestBase
     {
-        private const string pricipalID = "4ae6842b-2a3e-4919-8305-7db89f3d6edd";
-        private const string roleName = "Azure Key Vault Managed HSM Administrator";
+        private const string roleName = "Azure Key Vault Managed HSM Crypto User";
         private const string roleAssignmentId = "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16";
 
         public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Playback /* To record tests, add this argument, RecordedTestMode.Record */)
@@ -41,7 +40,7 @@ public async Task CreateRoleAssignment()
             List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
-            var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
             RoleAssignment result = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
 
             RegisterForCleanup(result);
@@ -59,7 +58,7 @@ public async Task GetRoleAssignment()
             List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
-            var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
             RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
 
             RegisterForCleanup(assignment);
@@ -80,7 +79,7 @@ public async Task DeleteRoleAssignment()
             List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
-            var properties = new RoleAssignmentProperties(definitionToAssign.Id, pricipalID);
+            var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
             RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
 
             RoleAssignment result = await Client.DeleteRoleAssignmentAsync(RoleAssignmentScope.Root, assignment.Name).ConfigureAwait(false);
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
index 584a92b176756..1731d81da3730 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignment.json
@@ -18,7 +18,7 @@
         "Content-Type": "application/json",
         "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
         "X-Content-Type-Options": "nosniff",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": "OK"
     },
@@ -42,7 +42,7 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "value": [
@@ -198,7 +198,7 @@
         "Authorization": "Sanitized",
         "Content-Length": "181",
         "Content-Type": "application/json",
-        "Request-Id": "|6e6b2bc5-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb37e-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -207,8 +207,8 @@
         "x-ms-return-client-request-id": "true"
       },
       "RequestBody": {
-        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
-        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
       },
       "StatusCode": 201,
       "ResponseHeaders": {
@@ -217,14 +217,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -233,6 +233,7 @@
   ],
   "Variables": {
     "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
     "RandomSeed": "1126588322"
   }
 }
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
index 5ca5cee8aba71..a0391450d1775 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/CreateRoleAssignmentAsync.json
@@ -18,7 +18,7 @@
         "Content-Type": "application/json",
         "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
         "X-Content-Type-Options": "nosniff",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": "OK"
     },
@@ -42,7 +42,7 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "value": [
@@ -198,7 +198,7 @@
         "Authorization": "Sanitized",
         "Content-Length": "181",
         "Content-Type": "application/json",
-        "Request-Id": "|6e6b2bcc-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb385-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -207,8 +207,8 @@
         "x-ms-return-client-request-id": "true"
       },
       "RequestBody": {
-        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
-        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
       },
       "StatusCode": 201,
       "ResponseHeaders": {
@@ -217,14 +217,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -233,6 +233,7 @@
   ],
   "Variables": {
     "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
     "RandomSeed": "1820470144"
   }
 }
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
index ebb5ad14b32ba..70b68394cc29d 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignment.json
@@ -18,7 +18,7 @@
         "Content-Type": "application/json",
         "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
         "X-Content-Type-Options": "nosniff",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": "OK"
     },
@@ -42,7 +42,7 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "value": [
@@ -198,7 +198,7 @@
         "Authorization": "Sanitized",
         "Content-Length": "181",
         "Content-Type": "application/json",
-        "Request-Id": "|6e6b2bc7-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb380-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -207,8 +207,8 @@
         "x-ms-return-client-request-id": "true"
       },
       "RequestBody": {
-        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
-        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
       },
       "StatusCode": 201,
       "ResponseHeaders": {
@@ -217,14 +217,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -235,7 +235,7 @@
       "RequestMethod": "DELETE",
       "RequestHeaders": {
         "Authorization": "Sanitized",
-        "Request-Id": "|6e6b2bc8-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb381-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -251,14 +251,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -267,6 +267,7 @@
   ],
   "Variables": {
     "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
     "RandomSeed": "26204039"
   }
 }
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
index 0f3d60c8400d3..cb8521a63bd3a 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/DeleteRoleAssignmentAsync.json
@@ -18,7 +18,7 @@
         "Content-Type": "application/json",
         "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
         "X-Content-Type-Options": "nosniff",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": "OK"
     },
@@ -42,7 +42,7 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "value": [
@@ -198,7 +198,7 @@
         "Authorization": "Sanitized",
         "Content-Length": "181",
         "Content-Type": "application/json",
-        "Request-Id": "|6e6b2bce-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb387-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -207,8 +207,8 @@
         "x-ms-return-client-request-id": "true"
       },
       "RequestBody": {
-        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
-        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
       },
       "StatusCode": 201,
       "ResponseHeaders": {
@@ -217,14 +217,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -235,7 +235,7 @@
       "RequestMethod": "DELETE",
       "RequestHeaders": {
         "Authorization": "Sanitized",
-        "Request-Id": "|6e6b2bcf-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb388-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -251,14 +251,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -267,6 +267,7 @@
   ],
   "Variables": {
     "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
     "RandomSeed": "829785785"
   }
 }
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
index 95b8dca6baf04..2531a69048408 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignment.json
@@ -18,7 +18,7 @@
         "Content-Type": "application/json",
         "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
         "X-Content-Type-Options": "nosniff",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": "OK"
     },
@@ -42,7 +42,7 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "value": [
@@ -198,7 +198,7 @@
         "Authorization": "Sanitized",
         "Content-Length": "181",
         "Content-Type": "application/json",
-        "Request-Id": "|6e6b2bc9-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb382-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -207,8 +207,8 @@
         "x-ms-return-client-request-id": "true"
       },
       "RequestBody": {
-        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
-        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
       },
       "StatusCode": 201,
       "ResponseHeaders": {
@@ -217,14 +217,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -235,7 +235,7 @@
       "RequestMethod": "GET",
       "RequestHeaders": {
         "Authorization": "Sanitized",
-        "Request-Id": "|6e6b2bca-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb383-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -251,14 +251,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -267,6 +267,7 @@
   ],
   "Variables": {
     "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
     "RandomSeed": "1965379599"
   }
 }
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
index 44ff97a8f6c5c..12c3e3506ff8c 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/SessionRecords/AccessControlClientLiveTests/GetRoleAssignmentAsync.json
@@ -18,7 +18,7 @@
         "Content-Type": "application/json",
         "WWW-Authenticate": "Bearer authorization=\u0022https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\u0022, resource=\u0022https://managedhsm.azure.net\u0022",
         "X-Content-Type-Options": "nosniff",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": "OK"
     },
@@ -42,7 +42,7 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "value": [
@@ -198,7 +198,7 @@
         "Authorization": "Sanitized",
         "Content-Length": "181",
         "Content-Type": "application/json",
-        "Request-Id": "|6e6b2bd0-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb389-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -207,8 +207,8 @@
         "x-ms-return-client-request-id": "true"
       },
       "RequestBody": {
-        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
-        "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd"
+        "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
+        "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d"
       },
       "StatusCode": 201,
       "ResponseHeaders": {
@@ -217,14 +217,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -235,7 +235,7 @@
       "RequestMethod": "GET",
       "RequestHeaders": {
         "Authorization": "Sanitized",
-        "Request-Id": "|6e6b2bd1-4048e160b0eca19f.",
+        "Request-Id": "|3e6cb38a-4eecfa4a673ebe60.",
         "User-Agent": [
           "azsdk-net-Security.KeyVault.Administration/4.1.0-dev.20200608.1",
           "(.NET Core 4.6.28801.04; Microsoft Windows 10.0.18363 )"
@@ -251,14 +251,14 @@
         "X-Content-Type-Options": "nosniff",
         "x-ms-keyvault-network-info": "addr=72.176.254.191",
         "x-ms-keyvault-region": "EASTUS",
-        "x-ms-request-id": "03c34d72-a07e-11ea-b186-0242ac12000a"
+        "x-ms-request-id": "040cdf98-a06d-11ea-af9a-0242ac12000b"
       },
       "ResponseBody": {
         "id": "/providers/Microsoft.Authorization/roleAssignments/e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "name": "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16",
         "properties": {
-          "principalId": "4ae6842b-2a3e-4919-8305-7db89f3d6edd",
-          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4",
+          "principalId": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
+          "roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
           "scope": "/"
         },
         "type": "Microsoft.Authorization/roleAssignments"
@@ -267,6 +267,7 @@
   ],
   "Variables": {
     "AZURE_KEYVAULT_URL": "https://eastus.clitest.managedhsm-preview.azure.net",
+    "CLIENT_OBJECTID": "693a17da-7022-4cdd-9d4e-4e72e4ad449d",
     "RandomSeed": "1144294929"
   }
 }
\ No newline at end of file
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Shared/tests/KeyVaultTestEnvironment.cs b/sdk/keyvault/Azure.Security.KeyVault.Shared/tests/KeyVaultTestEnvironment.cs
index 54adec82b9ba7..1332f74aa6e72 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Shared/tests/KeyVaultTestEnvironment.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Shared/tests/KeyVaultTestEnvironment.cs
@@ -13,6 +13,8 @@ public KeyVaultTestEnvironment() : base("keyvault")
 
         public string KeyVaultUrl => GetRecordedVariable("AZURE_KEYVAULT_URL");
 
+        public string ClientObjectId => GetRecordedVariable("CLIENT_OBJECTID");
+
         /// <summary>
         /// Gets the value of the "KEYVAULT_SKU" variable, or "premium" if not defined.
         /// </summary>
diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json
index 8a13ad7b1d2ce..caf28fce42381 100644
--- a/sdk/keyvault/test-resources.json
+++ b/sdk/keyvault/test-resources.json
@@ -134,6 +134,10 @@
         "KEYVAULT_SKU": {
             "type": "string",
             "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('baseName'))).sku.name]"
+        },
+        "CLIENT_OBJECTID" : {
+            "type": "string",
+            "value": "[parameters('testApplicationOid')]"
         }
     }
 }

From 4a29e4a0dc4bc732a192a58c4abb50f287212223 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 16:51:34 -0500
Subject: [PATCH 12/20] diagnostic scopes

---
 ....KeyVault.Administration.netstandard2.0.cs |  22 +-
 .../src/KeyVaultAccessControlClient.cs        | 224 +++++++++++++-----
 2 files changed, 180 insertions(+), 66 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
index 492a785d99b03..a7f7b2ac20895 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -6,17 +6,17 @@ protected KeyVaultAccessControlClient() { }
         public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential) { }
         public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions options) { }
         public virtual System.Uri VaultUri { get { throw null; } }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, string name = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, string name = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> GetRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignmentsAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitions(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitionsAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope scope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, string name = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, string name = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> GetRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignments(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignmentsAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Pageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitions(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.AsyncPageable<Azure.Security.KeyVault.Administration.Models.RoleDefinition> GetRoleDefinitionsAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
     }
     public partial class KeyVaultAccessControlClientOptions : Azure.Core.ClientOptions
     {
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
index 589304f95cc86..9c715a897a521 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -17,6 +17,7 @@ namespace Azure.Security.KeyVault.Administration
     /// </summary>
     public class KeyVaultAccessControlClient
     {
+        private readonly ClientDiagnostics _diagnostics;
         private readonly RoleDefinitionsRestClient _definitionsRestClient;
         private readonly RoleAssignmentsRestClient _assignmentsRestClient;
 
@@ -66,164 +67,277 @@ public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, Key
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
                     new ChallengeBasedAuthenticationPolicy(credential));
 
-            var diagnostics = new ClientDiagnostics(options);
-            _definitionsRestClient = new RoleDefinitionsRestClient(diagnostics, pipeline, apiVersion);
-            _assignmentsRestClient = new RoleAssignmentsRestClient(diagnostics, pipeline, apiVersion);
+            _diagnostics = new ClientDiagnostics(options);
+            _definitionsRestClient = new RoleDefinitionsRestClient(_diagnostics, pipeline, apiVersion);
+            _assignmentsRestClient = new RoleAssignmentsRestClient(_diagnostics, pipeline, apiVersion);
         }
 
         /// <summary>
         /// Get all role definitions that are applicable at scope and above.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope scope, CancellationToken cancellationToken = default)
+        public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
-            return PageableHelpers.CreateEnumerable(_ =>
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+            scope.Start();
+            try
             {
-                var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken);
+                return PageableHelpers.CreateEnumerable(_ =>
+            {
+                var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, (nextLink, _) =>
             {
-                var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken);
+                var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
         }
 
         /// <summary>
         /// Get all role definitions that are applicable at scope and above.
         /// </summary>
-        /// <param name="scope"> The scope of the role definition. </param>
+        /// <param name="roleScope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignmentScope scope, CancellationToken cancellationToken = default)
+        public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
-            return PageableHelpers.CreateAsyncEnumerable(async _ =>
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+            scope.Start();
+            try
+            {
+                return PageableHelpers.CreateAsyncEnumerable(async _ =>
             {
-                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken)
+                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, async (nextLink, _) =>
             {
-                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken)
+                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
         }
 
         /// <summary>
         ///
         /// </summary>
-        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope scope, CancellationToken cancellationToken = default)
+        public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
-            return PageableHelpers.CreateEnumerable(_ =>
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+            scope.Start();
+            try
+            {
+                return PageableHelpers.CreateEnumerable(_ =>
             {
-                var response = _assignmentsRestClient.ListForScope(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken);
+                var response = _assignmentsRestClient.ListForScope(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, (nextLink, _) =>
             {
-                var response = _assignmentsRestClient.ListForScopeNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken);
+                var response = _assignmentsRestClient.ListForScopeNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
         }
 
         /// <summary>0
         /// Gets the <see cref="RoleAssignment"/>s for a scope.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignments. </param>
+        /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignmentScope scope, CancellationToken cancellationToken = default)
+        public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
-            return PageableHelpers.CreateAsyncEnumerable(async _ =>
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+            scope.Start();
+            try
+            {
+                return PageableHelpers.CreateAsyncEnumerable(async _ =>
             {
-                var response = await _assignmentsRestClient.ListForScopeAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken)
+                var response = await _assignmentsRestClient.ListForScopeAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             }, async (nextLink, _) =>
             {
-                var response = await _assignmentsRestClient.ListForScopeNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: scope.ToString(), cancellationToken: cancellationToken)
+                var response = await _assignmentsRestClient.ListForScopeNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
                     .ConfigureAwait(false);
                 return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
             });
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
         }
 
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="roleScope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope scope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope.ToString(), Guid.NewGuid().ToString(), properties, cancellationToken);
+        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return _assignmentsRestClient.Create(VaultUri.AbsoluteUri, roleScope.ToString(), Guid.NewGuid().ToString(), properties, cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
 
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="roleScope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="name">The Name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope scope, RoleAssignmentProperties properties, string name = null, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Create(VaultUri.AbsoluteUri, scope.ToString(), name ?? Guid.NewGuid().ToString(), properties, cancellationToken);
+        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, string name = null, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return _assignmentsRestClient.Create(VaultUri.AbsoluteUri, roleScope.ToString(), name ?? Guid.NewGuid().ToString(), properties, cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
 
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignment to create. </param>
+        /// <param name="roleScope"> The scope of the role assignment to create. </param>
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="name">The name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(RoleAssignmentScope scope, RoleAssignmentProperties properties, string name = null, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, scope.ToString(), name ?? Guid.NewGuid().ToString(), properties, cancellationToken)
+        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, string name = null, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, roleScope.ToString(), name ?? Guid.NewGuid().ToString(), properties, cancellationToken)
                 .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
 
         /// <summary>
         /// Get the specified role assignment.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleScope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> GetRoleAssignment(RoleAssignmentScope scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Get(VaultUri.AbsoluteUri, scope.ToString(), roleAssignmentName, cancellationToken);
+        public virtual Response<RoleAssignment> GetRoleAssignment(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return _assignmentsRestClient.Get(VaultUri.AbsoluteUri, roleScope.ToString(), roleAssignmentName, cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
 
         /// <summary>
         /// Get the specified role assignment.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleScope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(RoleAssignmentScope scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, scope.ToString(), roleAssignmentName, cancellationToken)
+        public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return await _assignmentsRestClient.GetAsync(VaultUri.AbsoluteUri, roleScope.ToString(), roleAssignmentName, cancellationToken)
                 .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
 
         /// <summary>
         /// Delete the specified role assignment.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleScope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual Response<RoleAssignment> DeleteRoleAssignment(RoleAssignmentScope scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, scope.ToString(), roleAssignmentName, cancellationToken);
+        public virtual Response<RoleAssignment> DeleteRoleAssignment(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(DeleteRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return _assignmentsRestClient.Delete(VaultUri.AbsoluteUri, roleScope.ToString(), roleAssignmentName, cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
 
         /// <summary>
         /// Delete the specified role assignment.
         /// </summary>
-        /// <param name="scope"> The scope of the role assignment. </param>
+        /// <param name="roleScope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        [ForwardsClientCalls]
-        public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(RoleAssignmentScope scope, string roleAssignmentName, CancellationToken cancellationToken = default) =>
-            await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, scope.ToString(), roleAssignmentName, cancellationToken)
+        public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
+        {
+            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(DeleteRoleAssignment)}");
+            scope.Start();
+            try
+            {
+                return await _assignmentsRestClient.DeleteAsync(VaultUri.AbsoluteUri, roleScope.ToString(), roleAssignmentName, cancellationToken)
                 .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                scope.Failed(ex);
+                throw;
+            }
+        }
     }
 }

From e94d7d24b2f71bcbc823e7065a7990beddeb2e41 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 8 Jun 2020 17:11:53 -0500
Subject: [PATCH 13/20] model factory

---
 ....KeyVault.Administration.netstandard2.0.cs |  5 +++
 .../src/KeyVaultModelFactory.cs               | 37 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultModelFactory.cs

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
index a7f7b2ac20895..1104fbb6d6a65 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -49,6 +49,11 @@ public enum ServiceVersion
 }
 namespace Azure.Security.KeyVault.Administration.Models
 {
+    public static partial class KeyVaultModelFactory
+    {
+        public static Azure.Security.KeyVault.Administration.Models.RoleAssignment RoleAssignment(string id, string name, string type, Azure.Security.KeyVault.Administration.Models.RoleAssignmentPropertiesWithScope properties) { throw null; }
+        public static Azure.Security.KeyVault.Administration.Models.RoleDefinition RoleDefinition(string id, string name, string type, string roleName, string description, string roleType, System.Collections.Generic.IReadOnlyList<Azure.Security.KeyVault.Administration.Models.KeyVaultPermission> permissions, System.Collections.Generic.IReadOnlyList<string> assignableScopes) { throw null; }
+    }
     public partial class KeyVaultPermission
     {
         internal KeyVaultPermission() { }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultModelFactory.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultModelFactory.cs
new file mode 100644
index 0000000000000..749bda651f949
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultModelFactory.cs
@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary>
+    /// A factory class which constructs model classes for mocking purposes.
+    /// </summary>
+    public static class KeyVaultModelFactory
+    {
+        /// <summary>
+        /// Initializes a new instance of RoleDefinition.
+        /// </summary>
+        /// <param name="id"> The role definition ID. </param>
+        /// <param name="name"> The role definition name. </param>
+        /// <param name="type"> The role definition type. </param>
+        /// <param name="roleName"> The role name. </param>
+        /// <param name="description"> The role definition description. </param>
+        /// <param name="roleType"> The role type. </param>
+        /// <param name="permissions"> Role definition permissions. </param>
+        /// <param name="assignableScopes"> Role definition assignable scopes. </param>
+        public static RoleDefinition RoleDefinition(string id, string name, string type, string roleName, string description, string roleType, IReadOnlyList<KeyVaultPermission> permissions, IReadOnlyList<string> assignableScopes) =>
+            new RoleDefinition(id, name, type, roleName, description, roleType, permissions, assignableScopes);
+
+        /// <summary>
+        /// Initializes a new instance of RoleAssignment.
+        /// </summary>
+        /// <param name="id"> The role assignment ID. </param>
+        /// <param name="name"> The role assignment name. </param>
+        /// <param name="type"> The role assignment type. </param>
+        /// <param name="properties"> Role assignment properties. </param>
+        public static RoleAssignment RoleAssignment(string id, string name, string type, RoleAssignmentPropertiesWithScope properties) =>
+            new RoleAssignment(id, name, type, properties);
+    }
+}

From 6e728fa639ef816deaac5ec2c654bb68cfef78e4 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Tue, 9 Jun 2020 15:21:45 -0500
Subject: [PATCH 14/20] adjust diagnostic scopes

---
 .../src/KeyVaultAccessControlClient.cs        | 168 +++++++++++-------
 1 file changed, 104 insertions(+), 64 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
index 9c715a897a521..1a9b647d0c7d3 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -79,25 +79,35 @@ public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, Key
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
-            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
-            scope.Start();
-            try
-            {
-                return PageableHelpers.CreateEnumerable(_ =>
+            return PageableHelpers.CreateEnumerable(_ =>
             {
-                var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+                scope.Start();
+                try
+                {
+                    var response = _definitionsRestClient.List(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
             }, (nextLink, _) =>
             {
-                var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+                scope.Start();
+                try
+                {
+                    var response = _definitionsRestClient.ListNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
             });
-            }
-            catch (Exception ex)
-            {
-                scope.Failed(ex);
-                throw;
-            }
         }
 
         /// <summary>
@@ -107,27 +117,37 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope r
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
-            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
-            scope.Start();
-            try
-            {
-                return PageableHelpers.CreateAsyncEnumerable(async _ =>
+            return PageableHelpers.CreateAsyncEnumerable(async _ =>
             {
-                var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
-                    .ConfigureAwait(false);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+                scope.Start();
+                try
+                {
+                    var response = await _definitionsRestClient.ListAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
+                            .ConfigureAwait(false);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
             }, async (nextLink, _) =>
             {
-                var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
-                    .ConfigureAwait(false);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleDefinitions)}");
+                scope.Start();
+                try
+                {
+                    var response = await _definitionsRestClient.ListNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
+                        .ConfigureAwait(false);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
             });
-            }
-            catch (Exception ex)
-            {
-                scope.Failed(ex);
-                throw;
-            }
         }
 
         /// <summary>
@@ -137,25 +157,35 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignm
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
-            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
-            scope.Start();
-            try
-            {
-                return PageableHelpers.CreateEnumerable(_ =>
+            return PageableHelpers.CreateEnumerable(_ =>
             {
-                var response = _assignmentsRestClient.ListForScope(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+                scope.Start();
+                try
+                {
+                    var response = _assignmentsRestClient.ListForScope(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
             }, (nextLink, _) =>
             {
-                var response = _assignmentsRestClient.ListForScopeNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+                scope.Start();
+                try
+                {
+                    var response = _assignmentsRestClient.ListForScopeNextPage(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
             });
-            }
-            catch (Exception ex)
-            {
-                scope.Failed(ex);
-                throw;
-            }
         }
 
         /// <summary>0
@@ -165,27 +195,37 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope r
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
-            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
-            scope.Start();
-            try
-            {
-                return PageableHelpers.CreateAsyncEnumerable(async _ =>
+            return PageableHelpers.CreateAsyncEnumerable(async _ =>
             {
-                var response = await _assignmentsRestClient.ListForScopeAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
-                    .ConfigureAwait(false);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+                scope.Start();
+                try
+                {
+                    var response = await _assignmentsRestClient.ListForScopeAsync(vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
+                            .ConfigureAwait(false);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
             }, async (nextLink, _) =>
             {
-                var response = await _assignmentsRestClient.ListForScopeNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
-                    .ConfigureAwait(false);
-                return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignments)}");
+                scope.Start();
+                try
+                {
+                    var response = await _assignmentsRestClient.ListForScopeNextPageAsync(nextLink: nextLink, vaultBaseUrl: VaultUri.AbsoluteUri, scope: roleScope.ToString(), cancellationToken: cancellationToken)
+                        .ConfigureAwait(false);
+                    return Page.FromValues(response.Value.Value, response.Value.NextLink, response.GetRawResponse());
+                }
+                catch (Exception ex)
+                {
+                    scope.Failed(ex);
+                    throw;
+                }
             });
-            }
-            catch (Exception ex)
-            {
-                scope.Failed(ex);
-                throw;
-            }
         }
 
         /// <summary>

From 1afc1043b629bb78162681b5c3b340ac359d53a4 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Wed, 10 Jun 2020 09:31:09 -0500
Subject: [PATCH 15/20] change assignment name to Guid

---
 ...ure.Security.KeyVault.Administration.netstandard2.0.cs | 4 ++--
 .../src/KeyVaultAccessControlClient.cs                    | 8 ++++----
 .../tests/AccessControlClientLiveTests.cs                 | 3 ++-
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
index 1104fbb6d6a65..4ddf76bcf1d52 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -6,9 +6,9 @@ protected KeyVaultAccessControlClient() { }
         public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential) { }
         public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions options) { }
         public virtual System.Uri VaultUri { get { throw null; } }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, string name = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Guid name = default(System.Guid), System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, string name = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Guid name = default(System.Guid), System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> GetRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
index 1a9b647d0c7d3..02460c894bea6 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -256,13 +256,13 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="name">The Name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, string name = null, CancellationToken cancellationToken = default)
+        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, Guid name = default, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
             scope.Start();
             try
             {
-                return _assignmentsRestClient.Create(VaultUri.AbsoluteUri, roleScope.ToString(), name ?? Guid.NewGuid().ToString(), properties, cancellationToken);
+                return _assignmentsRestClient.Create(VaultUri.AbsoluteUri, roleScope.ToString(), name == default ? Guid.NewGuid().ToString() : name.ToString(), properties, cancellationToken);
             }
             catch (Exception ex)
             {
@@ -278,13 +278,13 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="name">The name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
-        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, string name = null, CancellationToken cancellationToken = default)
+        public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, Guid name = default, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
             scope.Start();
             try
             {
-                return await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, roleScope.ToString(), name ?? Guid.NewGuid().ToString(), properties, cancellationToken)
+                return await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, roleScope.ToString(), name == default ? Guid.NewGuid().ToString() : name.ToString(), properties, cancellationToken)
                 .ConfigureAwait(false);
             }
             catch (Exception ex)
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
index 49c6dc0eb9057..bdec80fab07da 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
@@ -7,13 +7,14 @@
 using Azure.Security.KeyVault.Administration.Models;
 using NUnit.Framework;
 using System.Linq;
+using System;
 
 namespace Azure.Security.KeyVault.Administration.Tests
 {
     public class AccessControlClientLiveTests : AccessControlTestBase
     {
         private const string roleName = "Azure Key Vault Managed HSM Crypto User";
-        private const string roleAssignmentId = "e7ae2aff-eb17-4c9d-84f0-d12f7f468f16";
+        private readonly Guid roleAssignmentId = new Guid("e7ae2aff-eb17-4c9d-84f0-d12f7f468f16");
 
         public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Playback /* To record tests, add this argument, RecordedTestMode.Record */)
         { }

From f2285502a3fc892d55dc1e4211b6acd5dbdc0df2 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Wed, 10 Jun 2020 12:05:18 -0500
Subject: [PATCH 16/20] make RoleAssignmentListResult internal

---
 ...re.Security.KeyVault.Administration.netstandard2.0.cs | 6 ------
 .../Models/RoleAssignmentListResult.Serialization.cs     | 2 +-
 .../src/Generated/Models/RoleAssignmentListResult.cs     | 2 +-
 .../Azure.Security.KeyVault.Administration/src/Result.cs | 9 +++++++++
 4 files changed, 11 insertions(+), 8 deletions(-)
 create mode 100644 sdk/keyvault/Azure.Security.KeyVault.Administration/src/Result.cs

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
index 4ddf76bcf1d52..c877eedc90e3b 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -70,12 +70,6 @@ internal RoleAssignment() { }
         public Azure.Security.KeyVault.Administration.Models.RoleAssignmentPropertiesWithScope Properties { get { throw null; } }
         public string Type { get { throw null; } }
     }
-    public partial class RoleAssignmentListResult
-    {
-        internal RoleAssignmentListResult() { }
-        public string NextLink { get { throw null; } }
-        public System.Collections.Generic.IReadOnlyList<Azure.Security.KeyVault.Administration.Models.RoleAssignment> Value { get { throw null; } }
-    }
     public partial class RoleAssignmentProperties
     {
         public RoleAssignmentProperties(string roleDefinitionId, string principalId) { }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
index fcbf054d8326e..cb979b294af25 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.Serialization.cs
@@ -11,7 +11,7 @@
 
 namespace Azure.Security.KeyVault.Administration.Models
 {
-    public partial class RoleAssignmentListResult
+    internal partial class RoleAssignmentListResult
     {
         internal static RoleAssignmentListResult DeserializeRoleAssignmentListResult(JsonElement element)
         {
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
index b8643f65c58b6..361d417848f46 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/Models/RoleAssignmentListResult.cs
@@ -10,7 +10,7 @@
 namespace Azure.Security.KeyVault.Administration.Models
 {
     /// <summary> Role assignment list operation result. </summary>
-    public partial class RoleAssignmentListResult
+    internal partial class RoleAssignmentListResult
     {
         /// <summary> Initializes a new instance of RoleAssignmentListResult. </summary>
         internal RoleAssignmentListResult()
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Result.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Result.cs
new file mode 100644
index 0000000000000..41825b12e3e62
--- /dev/null
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Result.cs
@@ -0,0 +1,9 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Azure.Security.KeyVault.Administration.Models
+{
+    /// <summary> Role assignment list operation result. </summary>
+    internal partial class RoleAssignmentListResult
+    { }
+}

From 036c3c66694ceb9daa1652ff91586c3e285ad405 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Wed, 10 Jun 2020 12:26:04 -0500
Subject: [PATCH 17/20] rename file

---
 .../src/{Result.cs => RoleAssignmentListResult.cs}                | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename sdk/keyvault/Azure.Security.KeyVault.Administration/src/{Result.cs => RoleAssignmentListResult.cs} (100%)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Result.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentListResult.cs
similarity index 100%
rename from sdk/keyvault/Azure.Security.KeyVault.Administration/src/Result.cs
rename to sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentListResult.cs

From 31c4551762d4a4a7c5f2f111317b208592981aed Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Wed, 10 Jun 2020 18:29:28 -0500
Subject: [PATCH 18/20] pr comments

---
 ....KeyVault.Administration.netstandard2.0.cs |  3 +-
 ...re.Security.KeyVault.Administration.csproj | 12 +++++-
 .../src/KeyVaultAccessControlClient.cs        | 41 +++++++------------
 .../src/KeyVaultAccessControlClientOptions.cs |  2 +-
 .../src/RoleAssignmentScope.cs                |  8 ++--
 .../tests/AccessControlClientLiveTests.cs     | 20 ++++-----
 6 files changed, 42 insertions(+), 44 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
index c877eedc90e3b..b1ad2553e86ee 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -7,7 +7,6 @@ public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredenti
         public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azure.Security.KeyVault.Administration.KeyVaultAccessControlClientOptions options) { }
         public virtual System.Uri VaultUri { get { throw null; } }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Guid name = default(System.Guid), System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
-        public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> CreateRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> CreateRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, Azure.Security.KeyVault.Administration.Models.RoleAssignmentProperties properties, System.Guid name = default(System.Guid), System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment> DeleteRoleAssignment(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Administration.Models.RoleAssignment>> DeleteRoleAssignmentAsync(Azure.Security.KeyVault.Administration.RoleAssignmentScope roleScope, string roleAssignmentName, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
@@ -34,8 +33,8 @@ public enum ServiceVersion
         private readonly int _dummyPrimitive;
         public RoleAssignmentScope(string value) { throw null; }
         public RoleAssignmentScope(System.Uri ResourceId) { throw null; }
+        public static Azure.Security.KeyVault.Administration.RoleAssignmentScope Global { get { throw null; } }
         public static Azure.Security.KeyVault.Administration.RoleAssignmentScope Keys { get { throw null; } }
-        public static Azure.Security.KeyVault.Administration.RoleAssignmentScope Root { get { throw null; } }
         public bool Equals(Azure.Security.KeyVault.Administration.RoleAssignmentScope other) { throw null; }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
         public override bool Equals(object obj) { throw null; }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
index f2ed6719d9549..a763052009aa0 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
@@ -10,15 +10,24 @@
     <NoWarn>$(NoWarn);3021;CA1812</NoWarn>
   </PropertyGroup>
 
-  <Import Project="..\..\Azure.Security.KeyVault.Shared\src\Azure.Security.KeyVault.Shared.projitems" Label="Shared" />
+  <!-- <Import Project="..\..\Azure.Security.KeyVault.Shared\src\Azure.Security.KeyVault.Shared.projitems" Label="Shared" /> -->
     
   <ItemGroup>
     <PackageReference Include="System.Text.Json" />
   </ItemGroup>
+
+  <ItemGroup>
+    <!-- Include just the few items we need from Azure.Security.KeyVault.Shared -->
+    <Compile Include="$(MSBuildThisFileDirectory)\..\..\Azure.Security.KeyVault.Shared\src\ChallengeBasedAuthenticationPolicy.cs" />
+    <Compile Include="$(MSBuildThisFileDirectory)\..\..\Azure.Security.KeyVault.Shared\src\ClientOptionsExtensions.cs" />
+    <Compile Include="$(MSBuildThisFileDirectory)\..\..\Azure.Security.KeyVault.Shared\src\IJsonSerializable.cs" />
+  </ItemGroup>
+
   <ItemGroup>
     <Compile Include="$(AzureCoreSharedSources)NoBodyResponse{T}.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)ForwardsClientCallsAttribute.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
   </ItemGroup>
+  
   <ItemGroup>
     <Compile Include="$(AzureCoreSharedSources)Argument.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)ArrayBufferWriter.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
@@ -28,6 +37,7 @@
     <Compile Include="$(AzureCoreSharedSources)ContentTypeUtilities.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)DiagnosticScope.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)DiagnosticScopeFactory.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
+    <Compile Include="$(AzureCoreSharedSources)HashCodeBuilder.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)HttpMessageSanitizer.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)OperationHelpers.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)TaskExtensions.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
index 02460c894bea6..a544649e465af 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -58,8 +58,6 @@ public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, Key
             Argument.AssertNotNull(credential, nameof(credential));
 
             VaultUri = vaultUri;
-            Argument.AssertNotNull(vaultUri, nameof(vaultUri));
-            Argument.AssertNotNull(credential, nameof(credential));
 
             options ??= new KeyVaultAccessControlClientOptions();
             string apiVersion = options.GetVersionString();
@@ -77,6 +75,7 @@ public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, Key
         /// </summary>
         /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateEnumerable(_ =>
@@ -115,6 +114,7 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope r
         /// </summary>
         /// <param name="roleScope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
@@ -151,10 +151,11 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignm
         }
 
         /// <summary>
-        ///
+        /// Gets the <see cref="RoleAssignment"/>s for a scope.
         /// </summary>
         /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateEnumerable(_ =>
@@ -193,6 +194,7 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope r
         /// </summary>
         /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
@@ -228,27 +230,6 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignm
             });
         }
 
-        /// <summary>
-        /// Creates a <see cref="RoleAssignment"/>.
-        /// </summary>
-        /// <param name="roleScope"> The scope of the role assignment to create. </param>
-        /// <param name="properties"> Properties for the role assignment. </param>
-        /// <param name="cancellationToken"> The cancellation token to use. </param>
-        public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, CancellationToken cancellationToken = default)
-        {
-            using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
-            scope.Start();
-            try
-            {
-                return _assignmentsRestClient.Create(VaultUri.AbsoluteUri, roleScope.ToString(), Guid.NewGuid().ToString(), properties, cancellationToken);
-            }
-            catch (Exception ex)
-            {
-                scope.Failed(ex);
-                throw;
-            }
-        }
-
         /// <summary>
         /// Creates a <see cref="RoleAssignment"/>.
         /// </summary>
@@ -256,13 +237,15 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="name">The Name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, Guid name = default, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
             scope.Start();
             try
             {
-                return _assignmentsRestClient.Create(VaultUri.AbsoluteUri, roleScope.ToString(), name == default ? Guid.NewGuid().ToString() : name.ToString(), properties, cancellationToken);
+                var _name = name == default ? Guid.NewGuid().ToString() : name.ToString();
+                return _assignmentsRestClient.Create(VaultUri.AbsoluteUri, roleScope.ToString(), _name, properties, cancellationToken);
             }
             catch (Exception ex)
             {
@@ -278,13 +261,15 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope
         /// <param name="properties"> Properties for the role assignment. </param>
         /// <param name="name">The name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, Guid name = default, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
             scope.Start();
             try
             {
-                return await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, roleScope.ToString(), name == default ? Guid.NewGuid().ToString() : name.ToString(), properties, cancellationToken)
+                var _name = name == default ? Guid.NewGuid().ToString() : name.ToString();
+                return await _assignmentsRestClient.CreateAsync(VaultUri.AbsoluteUri, roleScope.ToString(), _name, properties, cancellationToken)
                 .ConfigureAwait(false);
             }
             catch (Exception ex)
@@ -300,6 +285,7 @@ public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Ro
         /// <param name="roleScope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual Response<RoleAssignment> GetRoleAssignment(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignment)}");
@@ -321,6 +307,7 @@ public virtual Response<RoleAssignment> GetRoleAssignment(RoleAssignmentScope ro
         /// <param name="roleScope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignment)}");
@@ -343,6 +330,7 @@ public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(RoleA
         /// <param name="roleScope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual Response<RoleAssignment> DeleteRoleAssignment(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(DeleteRoleAssignment)}");
@@ -364,6 +352,7 @@ public virtual Response<RoleAssignment> DeleteRoleAssignment(RoleAssignmentScope
         /// <param name="roleScope"> The scope of the role assignment. </param>
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
+        /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
         public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(DeleteRoleAssignment)}");
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
index 32e597b7d2a15..4011a7d066857 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClientOptions.cs
@@ -7,7 +7,7 @@
 namespace Azure.Security.KeyVault.Administration
 {
     /// <summary>
-    /// Options that allow you to configure the requests sent to Key Vault.
+    /// Options to configure the requests sent to Key Vault.
     /// </summary>
     public class KeyVaultAccessControlClientOptions : ClientOptions
     {
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
index 1f46f0d41384f..f4ec996ff293a 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/RoleAssignmentScope.cs
@@ -11,7 +11,7 @@ namespace Azure.Security.KeyVault.Administration
     /// </summary>
     public readonly struct RoleAssignmentScope : IEquatable<RoleAssignmentScope>
     {
-        internal const string RootValue = "/";
+        internal const string GlobalValue = "/";
         internal const string KeysValue = "/keys";
 
         private readonly string _value;
@@ -35,12 +35,12 @@ public RoleAssignmentScope(Uri ResourceId)
         }
 
         /// <summary>
-        /// Root.
+        /// Role assignments apply to everything on the resource.
         /// </summary>
-        public static RoleAssignmentScope Root { get; } = new RoleAssignmentScope(RootValue);
+        public static RoleAssignmentScope Global { get; } = new RoleAssignmentScope(GlobalValue);
 
         /// <summary>
-        /// Keys.
+        /// Role assignments apply to all Keys.
         /// </summary>
         public static RoleAssignmentScope Keys { get; } = new RoleAssignmentScope(KeysValue);
 
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
index bdec80fab07da..b91259d723477 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AccessControlClientLiveTests.cs
@@ -16,13 +16,13 @@ public class AccessControlClientLiveTests : AccessControlTestBase
         private const string roleName = "Azure Key Vault Managed HSM Crypto User";
         private readonly Guid roleAssignmentId = new Guid("e7ae2aff-eb17-4c9d-84f0-d12f7f468f16");
 
-        public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Playback /* To record tests, add this argument, RecordedTestMode.Record */)
+        public AccessControlClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Playback /* To record tests, change this argument to RecordedTestMode.Record */)
         { }
 
         [Test]
         public async Task GetRoleDefinitions()
         {
-            List<RoleDefinition> results = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
+            List<RoleDefinition> results = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Global).ToEnumerableAsync().ConfigureAwait(false);
 
             Assert.That(results.Count, Is.Not.Zero);
             Assert.That(results[0].AssignableScopes, Is.Not.Empty);
@@ -38,11 +38,11 @@ public async Task GetRoleDefinitions()
         [Test]
         public async Task CreateRoleAssignment()
         {
-            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Global).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
-            RoleAssignment result = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
+            RoleAssignment result = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Global, properties, roleAssignmentId).ConfigureAwait(false);
 
             RegisterForCleanup(result);
 
@@ -56,15 +56,15 @@ public async Task CreateRoleAssignment()
         [Test]
         public async Task GetRoleAssignment()
         {
-            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Global).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
-            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Global, properties, roleAssignmentId).ConfigureAwait(false);
 
             RegisterForCleanup(assignment);
 
-            RoleAssignment result = await Client.GetRoleAssignmentAsync(RoleAssignmentScope.Root, assignment.Name).ConfigureAwait(false);
+            RoleAssignment result = await Client.GetRoleAssignmentAsync(RoleAssignmentScope.Global, assignment.Name).ConfigureAwait(false);
 
             Assert.That(result.Id, Is.EqualTo(assignment.Id));
             Assert.That(result.Name, Is.EqualTo(assignment.Name));
@@ -77,13 +77,13 @@ public async Task GetRoleAssignment()
         [Test]
         public async Task DeleteRoleAssignment()
         {
-            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Root).ToEnumerableAsync().ConfigureAwait(false);
+            List<RoleDefinition> definitions = await Client.GetRoleDefinitionsAsync(RoleAssignmentScope.Global).ToEnumerableAsync().ConfigureAwait(false);
             var definitionToAssign = definitions.FirstOrDefault(d => d.RoleName == roleName);
 
             var properties = new RoleAssignmentProperties(definitionToAssign.Id, TestEnvironment.ClientObjectId);
-            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Root, properties, roleAssignmentId).ConfigureAwait(false);
+            RoleAssignment assignment = await Client.CreateRoleAssignmentAsync(RoleAssignmentScope.Global, properties, roleAssignmentId).ConfigureAwait(false);
 
-            RoleAssignment result = await Client.DeleteRoleAssignmentAsync(RoleAssignmentScope.Root, assignment.Name).ConfigureAwait(false);
+            RoleAssignment result = await Client.DeleteRoleAssignmentAsync(RoleAssignmentScope.Global, assignment.Name).ConfigureAwait(false);
 
             Assert.That(result.Id, Is.EqualTo(assignment.Id));
             Assert.That(result.Name, Is.EqualTo(assignment.Name));

From 01ae6098c81eb9c428cb8a79a93d0552f6640081 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Thu, 11 Jun 2020 09:15:09 -0500
Subject: [PATCH 19/20] remove commented shared import

---
 .../src/Azure.Security.KeyVault.Administration.csproj         | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
index a763052009aa0..15013c57703a6 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj
@@ -10,8 +10,6 @@
     <NoWarn>$(NoWarn);3021;CA1812</NoWarn>
   </PropertyGroup>
 
-  <!-- <Import Project="..\..\Azure.Security.KeyVault.Shared\src\Azure.Security.KeyVault.Shared.projitems" Label="Shared" /> -->
-    
   <ItemGroup>
     <PackageReference Include="System.Text.Json" />
   </ItemGroup>
@@ -27,7 +25,7 @@
     <Compile Include="$(AzureCoreSharedSources)NoBodyResponse{T}.cs" Link="Shared\Core\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)ForwardsClientCallsAttribute.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
   </ItemGroup>
-  
+
   <ItemGroup>
     <Compile Include="$(AzureCoreSharedSources)Argument.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />
     <Compile Include="$(AzureCoreSharedSources)ArrayBufferWriter.cs" Link="Shared\%(RecursiveDir)\%(Filename)%(Extension)" />

From 914473eba7f9580179dcdf9160581cc7fa5a3da4 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Thu, 11 Jun 2020 09:21:00 -0500
Subject: [PATCH 20/20] add xml docs for ArgumentNullExceptions

---
 .../src/KeyVaultAccessControlClient.cs                 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
index a544649e465af..7c0dc383a4233 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -76,6 +76,7 @@ public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, Key
         /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> is null.</exception>
         public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateEnumerable(_ =>
@@ -115,6 +116,7 @@ public virtual Pageable<RoleDefinition> GetRoleDefinitions(RoleAssignmentScope r
         /// <param name="roleScope"> The scope of the role definition. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> is null.</exception>
         public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
@@ -156,6 +158,7 @@ public virtual AsyncPageable<RoleDefinition> GetRoleDefinitionsAsync(RoleAssignm
         /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> is null.</exception>
         public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateEnumerable(_ =>
@@ -195,6 +198,7 @@ public virtual Pageable<RoleAssignment> GetRoleAssignments(RoleAssignmentScope r
         /// <param name="roleScope"> The scope of the role assignments. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> is null.</exception>
         public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignmentScope roleScope, CancellationToken cancellationToken = default)
         {
             return PageableHelpers.CreateAsyncEnumerable(async _ =>
@@ -238,6 +242,7 @@ public virtual AsyncPageable<RoleAssignment> GetRoleAssignmentsAsync(RoleAssignm
         /// <param name="name">The Name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="properties"/> is null.</exception>
         public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, Guid name = default, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
@@ -262,6 +267,7 @@ public virtual Response<RoleAssignment> CreateRoleAssignment(RoleAssignmentScope
         /// <param name="name">The name used to create the role assignment.</param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="properties"/> is null.</exception>
         public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(RoleAssignmentScope roleScope, RoleAssignmentProperties properties, Guid name = default, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(CreateRoleAssignment)}");
@@ -286,6 +292,7 @@ public virtual async Task<Response<RoleAssignment>> CreateRoleAssignmentAsync(Ro
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="roleAssignmentName"/> is null.</exception>
         public virtual Response<RoleAssignment> GetRoleAssignment(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignment)}");
@@ -308,6 +315,7 @@ public virtual Response<RoleAssignment> GetRoleAssignment(RoleAssignmentScope ro
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="roleAssignmentName"/> is null.</exception>
         public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(GetRoleAssignment)}");
@@ -331,6 +339,7 @@ public virtual async Task<Response<RoleAssignment>> GetRoleAssignmentAsync(RoleA
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="roleAssignmentName"/> is null.</exception>
         public virtual Response<RoleAssignment> DeleteRoleAssignment(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(DeleteRoleAssignment)}");
@@ -353,6 +362,7 @@ public virtual Response<RoleAssignment> DeleteRoleAssignment(RoleAssignmentScope
         /// <param name="roleAssignmentName"> The name of the role assignment to get. </param>
         /// <param name="cancellationToken"> The cancellation token to use. </param>
         /// <exception cref="RequestFailedException">The server returned an error. See <see cref="Exception.Message"/> for details returned from the server.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="roleScope"/> or <paramref name="roleAssignmentName"/> is null.</exception>
         public virtual async Task<Response<RoleAssignment>> DeleteRoleAssignmentAsync(RoleAssignmentScope roleScope, string roleAssignmentName, CancellationToken cancellationToken = default)
         {
             using DiagnosticScope scope = _diagnostics.CreateScope($"{nameof(KeyVaultAccessControlClient)}.{nameof(DeleteRoleAssignment)}");