diff --git a/azurerm/resource_arm_key_vault_access_policy.go b/azurerm/resource_arm_key_vault_access_policy.go
index b4e31181f6f2..3fd3adfa463a 100644
--- a/azurerm/resource_arm_key_vault_access_policy.go
+++ b/azurerm/resource_arm_key_vault_access_policy.go
@@ -100,6 +100,8 @@ func resourceArmKeyVaultAccessPolicy() *schema.Resource {
 			"key_permissions": azure.SchemaKeyVaultKeyPermissions(),
 			"secret_permissions": azure.SchemaKeyVaultSecretPermissions(),
+
+			"storage_permissions": azure.SchemaKeyVaultStoragePermissions(),
 		},
 	}
 }
@@ -208,6 +210,9 @@ func resourceArmKeyVaultAccessPolicyCreateOrDelete(d *schema.ResourceData, meta
 	secretPermissionsRaw := d.Get("secret_permissions").([]interface{})
 	secretPermissions := azure.ExpandSecretPermissions(secretPermissionsRaw)
+	storagePermissionsRaw := d.Get("storage_permissions").([]interface{})
+	storagePermissions := azure.ExpandStoragePermissions(storagePermissionsRaw)
+
 	accessPolicy := keyvault.AccessPolicyEntry{
 		ObjectID: utils.String(objectId),
 		TenantID: &tenantId,
@@ -215,6 +220,7 @@ func resourceArmKeyVaultAccessPolicyCreateOrDelete(d *schema.ResourceData, meta
 			Certificates: certPermissions,
 			Keys: keyPermissions,
 			Secrets: secretPermissions,
+			Storage: storagePermissions,
 		},
 	}
@@ -332,6 +338,11 @@ func resourceArmKeyVaultAccessPolicyRead(d *schema.ResourceData, meta interface{
 		if err := d.Set("secret_permissions", secretPermissions); err != nil {
 			return fmt.Errorf("Error setting `secret_permissions`: %+v", err)
 		}
+
+		storagePermissions := azure.FlattenStoragePermissions(permissions.Storage)
+		if err := d.Set("storage_permissions", storagePermissions); err != nil {
+			return fmt.Errorf("Error setting `storage_permissions`: %+v", err)
+		}
 	}
 	return nil
diff --git a/azurerm/resource_arm_key_vault_access_policy_test.go b/azurerm/resource_arm_key_vault_access_policy_test.go
index 137ad3899e6c..4e528584e554 100644
--- a/azurerm/resource_arm_key_vault_access_policy_test.go
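Review bot: In the CreateOrDelete hunk the new `storage_permissions` attribute is documented as Optional, so a configuration that omits it makes `d.Get("storage_permissions")` yield an empty list, and whether `azure.ExpandStoragePermissions` turns that into nil or into a pointer to an empty slice decides whether the `AccessPolicyEntry` sent to Key Vault carries an empty storage permission set or none at all; the helper is outside this diff, so that choice is not visible here. Because the same entry is what the Read hunk later flattens back into state, the two helpers need to agree on the empty case or a config without the block will show a diff after every apply. Suggest a short comment on the new lines, e.g. `// storage_permissions is optional; an empty list must expand to whatever the API reports back for "no storage permissions"`, and a check of the helper against `ExpandSecretPermissions` for the empty-input case. The enclosing function starts and continues outside the hunk.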
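Review bot: `azure.FlattenStoragePermissions(permissions.Storage)` in the Read hunk runs for whichever policy entry the vault returns, including entries created before storage permissions were modelled here or written by other tooling, where the `Storage` field is presumably absent; the flatten helper is not part of this diff, so confirm it tolerates a nil input the way the key and secret siblings appear to, otherwise Read can panic on such vaults instead of setting an empty list. The value is then stored with `d.Set("storage_permissions", ...)`, which for an Optional list should read back as empty without producing a perpetual plan diff — worth verifying against a configuration that omits the attribute. The enclosing `if` and the Read function both start outside the hunk.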
+++ b/azurerm/resource_arm_key_vault_access_policy_test.go
@@ -352,6 +352,23 @@ resource "azurerm_key_vault_access_policy" "test_no_application_id" {
     "delete",
   ]
+  storage_permissions = [
+    "backup",
+    "delete",
+    "deletesas",
+    "get",
+    "getsas",
+    "list",
+    "listsas",
+    "purge",
+    "recover",
+    "regeneratekey",
+    "restore",
+    "set",
+    "setsas",
+    "update",
+  ]
+
   tenant_id = "${data.azurerm_client_config.current.tenant_id}"
   object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
 }
diff --git a/website/docs/r/key_vault_access_policy.html.markdown b/website/docs/r/key_vault_access_policy.html.markdown
index 552e4316188d..b2a6fa93bb18 100644
--- a/website/docs/r/key_vault_access_policy.html.markdown
+++ b/website/docs/r/key_vault_access_policy.html.markdown
@@ -89,6 +89,8 @@ The following arguments are supported:
 * `secret_permissions` - (Required) List of secret permissions, must be one or more from the following: `backup`, `delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`.
+* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `backup`, `delete`, `deletesas`, `get`, `getsas`, `list`, `listsas`, `purge`, `recover`, `regeneratekey`, `restore`, `set`, `setsas` and `update`.
+
 ## Attributes Reference
 The following attributes are exported:
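Review bot: The acceptance configuration in this hunk only exercises the case where all fourteen storage permissions are granted on the `test_no_application_id` resource, so the Optional path introduced by the same commit — a configuration that omits `storage_permissions` entirely — is not covered, and that is the case most likely to surface a nil or empty-list mismatch between expand and flatten as a perpetual diff. A second configuration without the attribute, and ideally one with a small subset such as `"get"` and `"list"`, would pin down the read-back behaviour for both shapes. The enclosing resource block and its test function start outside the hunk.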