diff --git a/sdk/keyvault/keyvault-admin/api-extractor.json b/sdk/keyvault/keyvault-admin/api-extractor.json new file mode 100644 index 000000000000..c0d4f1b5dc2b --- /dev/null +++ b/sdk/keyvault/keyvault-admin/api-extractor.json @@ -0,0 +1,31 @@ +{ + "$schema": "https://developer.microsoft.com/json-schemas/api-extractor/v7/api-extractor.schema.json", + "mainEntryPointFilePath": "types/keyvault-admin/src/index.d.ts", + "docModel": { + "enabled": true + }, + "apiReport": { + "enabled": true, + "reportFolder": "./review" + }, + "dtsRollup": { + "enabled": true, + "untrimmedFilePath": "", + "publicTrimmedFilePath": "./types/keyvault-admin.d.ts" + }, + "messages": { + "tsdocMessageReporting": { + "default": { + "logLevel": "none" + } + }, + "extractorMessageReporting": { + "ae-missing-release-tag": { + "logLevel": "none" + }, + "ae-unresolved-link": { + "logLevel": "none" + } + } + } +} diff --git a/sdk/keyvault/keyvault-admin/package.json b/sdk/keyvault/keyvault-admin/package.json index b11b1032d16d..4af129d3c1e3 100644 --- a/sdk/keyvault/keyvault-admin/package.json +++ b/sdk/keyvault/keyvault-admin/package.json @@ -20,7 +20,7 @@ "url": "https://github.com/Azure/azure-sdk-for-js/issues" }, "main": "./dist/index.js", - "module": "dist-esm/src/index.js", + "module": "dist-esm/keyvault-admin/src/index.js", "types": "./types/keyvault-admin.d.ts", "engine": { "node": ">=8.0.0" @@ -29,10 +29,11 @@ "node": ">=8.0.0" }, "files": [ - "types/", + "types/keyvault-admin.d.ts", "dist/", "dist-browser/", - "dist-esm/src", + "dist-esm/keyvault-admin/src", + "dist-esm/keyvault-common/src", "README.md", "LICENSE" ], 
@@ -52,13 +53,13 @@ "execute:js-samples": "echo skipped", "execute:ts-samples": "echo skipped", "execute:samples": "npm run build:samples && npm run execute:js-samples && npm run execute:ts-samples", - "extract-api": "echo skipped", + "extract-api": "tsc -p . && api-extractor run --local", "format": "prettier --write --config ../../../.prettierrc.json --ignore-path ../../../.prettierignore \"src/**/*.ts\" \"test/**/*.ts\" \"*.{js,json}\"", "integration-test:browser": "echo skipped", "integration-test:node": "echo skipped", "integration-test": "npm run integration-test:node && npm run integration-test:browser", "lint:fix": "eslint package.json src --ext .ts --fix --fix-type [problem,suggestion]", - "lint": "eslint package.json src --ext .ts -f html -o keyvault-admin-lintReport.html", + "lint": "eslint package.json api-extractor.json src --ext .ts", "lint:terminal": "eslint package.json src test --ext .ts", "pack": "npm pack 2>&1", "prebuild": "npm run clean", @@ -74,12 +75,15 @@ "dependencies": { "@azure/core-http": "^1.1.6", "@azure/core-lro": "^1.0.2", + "@azure/core-paging": "^1.1.1", "@azure/core-tracing": "1.0.0-preview.9", + "@azure/logger": "^1.0.0", "@opentelemetry/api": "^0.10.2", "tslib": "^2.0.0" }, "devDependencies": { "@azure/eslint-plugin-azure-sdk": "^3.0.0", + "@microsoft/api-extractor": "7.7.11", "@rollup/plugin-commonjs": "11.0.2", "@rollup/plugin-json": "^4.0.0", "@rollup/plugin-multi-entry": "^3.0.0", diff --git a/sdk/keyvault/keyvault-admin/review/keyvault-admin.api.md b/sdk/keyvault/keyvault-admin/review/keyvault-admin.api.md new file mode 100644 index 000000000000..0cee2050dfc3 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/review/keyvault-admin.api.md 
@@ -0,0 +1,113 @@ +## API Report File for "@azure/keyvault-admin" + +> Do not edit this file. It is a report generated by [API Extractor](https://api-extractor.com/). + +```ts + +import * as coreHttp from '@azure/core-http'; +import { PagedAsyncIterableIterator } from '@azure/core-paging'; +import { TokenCredential } from '@azure/core-http'; + +// @public +export interface AccessControlClientOptions extends coreHttp.PipelineOptions { + serviceVersion?: SUPPORTED_API_VERSIONS; +} + +// @public +export interface CreateRoleAssignmentOptions extends coreHttp.OperationOptions { +} + +// @public +export interface DeleteRoleAssignmentOptions extends coreHttp.OperationOptions { +} + +// @public +export interface GetRoleAssignmentOptions extends coreHttp.OperationOptions { +} + +// @public +export class KeyVaultAccessControlClient { + constructor(vaultUrl: string, credential: TokenCredential, pipelineOptions?: AccessControlClientOptions); + createRoleAssignment(roleScope: RoleAssignmentScope, name: string, roleDefinitionId: string, principalId: string, options?: CreateRoleAssignmentOptions): Promise; + deleteRoleAssignment(roleScope: RoleAssignmentScope, name: string, options?: DeleteRoleAssignmentOptions): Promise; + getRoleAssignment(roleScope: RoleAssignmentScope, name: string, options?: GetRoleAssignmentOptions): Promise; + listRoleAssignments(roleScope: RoleAssignmentScope, options?: ListRoleAssignmentsOptions): PagedAsyncIterableIterator; + listRoleDefinitions(roleScope: RoleAssignmentScope, options?: ListRoleDefinitionsOptions): PagedAsyncIterableIterator; + readonly vaultUrl: string; +} + +// @public +export interface KeyVaultPermission { + actions?: string[]; + dataActions?: string[]; + notActions?: string[]; + notDataActions?: string[]; +} + +// @public +export interface KeyVaultRoleAssignment { + readonly id: string; + readonly name: string; + properties: KeyVaultRoleAssignmentPropertiesWithScope; + readonly type: string; +} + +// @public +export interface 
KeyVaultRoleAssignmentProperties { + principalId: string; + roleDefinitionId: string; +} + +// @public +export interface KeyVaultRoleAssignmentPropertiesWithScope { + principalId: string; + roleDefinitionId: string; + scope?: RoleAssignmentScope; +} + +// @public +export interface KeyVaultRoleDefinition { + assignableScopes: string[]; + description: string; + readonly id: string; + readonly name: string; + permissions: KeyVaultPermission[]; + roleName: string; + roleType: string; + readonly type: string; +} + +// @public +export const LATEST_API_VERSION = "7.2-preview"; + +// @public +export interface ListRoleAssignmentsOptions extends coreHttp.OperationOptions { +} + +// @public +export interface ListRoleAssignmentsPageSettings { + continuationToken?: string; +} + +// @public +export interface ListRoleDefinitionsOptions extends coreHttp.OperationOptions { +} + +// @public +export interface ListRoleDefinitionsPageSettings { + continuationToken?: string; +} + +// @public +export type RoleAssignmentScope = "/" | "/keys" | string; + +// @public +export const SDK_VERSION: string; + +// @public +export type SUPPORTED_API_VERSIONS = "7.2-preview"; + + +// (No @packageDocumentation comment for this package) + +``` diff --git a/sdk/keyvault/keyvault-admin/rollup.base.config.js b/sdk/keyvault/keyvault-admin/rollup.base.config.js index f3ff5b9efb1f..92e80dd9e81d 100644 --- a/sdk/keyvault/keyvault-admin/rollup.base.config.js +++ b/sdk/keyvault/keyvault-admin/rollup.base.config.js @@ -33,7 +33,7 @@ export function nodeConfig(test = false) { const externalNodeBuiltins = []; const additionalExternals = []; const baseConfig = { - input: "dist-esm/src/index.js", + input: "dist-esm/keyvault-admin/src/index.js", external: depNames.concat(externalNodeBuiltins, additionalExternals), output: { file: "dist/index.js", 
@@ -83,7 +83,7 @@ export function nodeConfig(test = false) { export function browserConfig(test = false) { const baseConfig = { - input: "dist-esm/src/index.js", + input: "dist-esm/keyvault-admin/src/index.js", output: { file: "dist-browser/azure-keyvault-admin.js", banner: banner, diff --git a/sdk/keyvault/keyvault-admin/src/accessControlClient.ts b/sdk/keyvault/keyvault-admin/src/accessControlClient.ts new file mode 100644 index 000000000000..852e7ea1cda8 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/src/accessControlClient.ts 
@@ -0,0 +1,439 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+///
+
+import {
+ TokenCredential,
+ isTokenCredential,
+ signingPolicy,
+ createPipelineFromOptions
+} from "@azure/core-http";
+import { PagedAsyncIterableIterator } from "@azure/core-paging";
+
+import { challengeBasedAuthenticationPolicy } from "../../keyvault-common/src";
+import { KeyVaultClient } from "./generated/keyVaultClient";
+import {
+ RoleAssignmentsCreateResponse,
+ RoleAssignmentsDeleteResponse,
+ RoleAssignmentsListForScopeOptionalParams
+} from "./generated/models";
+
+import {
+ CreateRoleAssignmentOptions,
+ KeyVaultRoleAssignment,
+ AccessControlClientOptions,
+ RoleAssignmentScope,
+ DeleteRoleAssignmentOptions,
+ ListRoleAssignmentsOptions,
+ ListRoleDefinitionsOptions,
+ KeyVaultRoleDefinition,
+ GetRoleAssignmentOptions,
+ ListRoleDefinitionsPageSettings,
+ ListRoleAssignmentsPageSettings
+} from "./accessControlModels";
+
+import { SDK_VERSION, LATEST_API_VERSION } from "./constants";
+import { createSpan, setParentSpan } from "./tracing";
+import { mappings } from "./mappings";
+import { logger } from "./log";
+
+/**
+ * The KeyVaultAccessControlClient provides methods to manage
+ * access control and role assignments in any given Azure Key Vault instance.
+ * The client supports creating, retrieving and deleting roles.
+ */
+export class KeyVaultAccessControlClient {
+ /**
+ * The base URL to the vault
+ */
+ public readonly vaultUrl: string;
+
+ /**
+ * @internal
+ * @ignore
+ * A reference to the auto-generated Key Vault HTTP client.
+ */
+ private readonly client: KeyVaultClient;
+
+ /**
+ * Creates an instance of the KeyVaultAccessControlClient.
+ * + * Example usage: + * ```ts + * import { KeyVaultAccessControlClient } from "@azure/keyvault-admin"; + * import { DefaultAzureCredential } from "@azure/identity"; + * + * let vaultUrl = `https://.vault.azure.net`; + * let credentials = new DefaultAzureCredential(); + * + * let client = new KeyVaultAccessControlClient(vaultUrl, credentials); + * ``` + * @param vaultUrl the URL of the Key Vault. It should have this shape: https://${your-key-vault-name}.vault.azure.net + * @param credential An object that implements the `TokenCredential` interface used to authenticate requests to the service. Use the @azure/identity package to create a credential that suits your needs. + * @param [pipelineOptions] Pipeline options used to configure Key Vault API requests. Omit this parameter to use the default pipeline configuration. + */ + constructor( + vaultUrl: string, + credential: TokenCredential, + pipelineOptions: AccessControlClientOptions = {} + ) { + this.vaultUrl = vaultUrl; + + const libInfo = `azsdk-js-keyvault-admin/${SDK_VERSION}`; + + const userAgentOptions = pipelineOptions.userAgentOptions; + + pipelineOptions.userAgentOptions = { + ...pipelineOptions.userAgentOptions, + userAgentPrefix: + userAgentOptions && userAgentOptions.userAgentPrefix + ? `${userAgentOptions.userAgentPrefix} ${libInfo}` + : libInfo + }; + + const authPolicy = isTokenCredential(credential) + ? 
challengeBasedAuthenticationPolicy(credential) + : signingPolicy(credential); + + const internalPipelineOptions = { + ...pipelineOptions, + ...{ + loggingOptions: { + logger: logger.info, + logPolicyOptions: { + allowedHeaderNames: [ + "x-ms-keyvault-region", + "x-ms-keyvault-network-info", + "x-ms-keyvault-service-version" + ] + } + } + } + }; + + const pipeline = createPipelineFromOptions(internalPipelineOptions, authPolicy); + this.client = new KeyVaultClient({ + apiVersion: pipelineOptions.serviceVersion || LATEST_API_VERSION, + ...pipeline + }); + } + + /** + * Creates a role assignment in an Azure Key Vault. + * + * Example usage: + * ```ts + * const client = new KeyVaultAccessControlClient(url, credentials); + * const roleDefinition = await client.listRoleDefinitions("/").next(); + * const principalId = "4871f6a6-374f-4b6b-8b0c-f5d84db823f6"; + * const result = await client.createRoleAssignment("/", "295c179b-9ad3-4117-99cd-b1aa66cf4517", roleDefinition, principalId); + * ``` + * @summary Creates a new role assignment. + * @param roleScope The scope of the role assignment. + * @param name The name of the role assignment. Must be a UUID. + * @param roleDefinitionId The role definition ID used in the role assignment. + * @param principalId The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. + * @param [options] The optional parameters. + */ + public async createRoleAssignment( + roleScope: RoleAssignmentScope, + name: string, + roleDefinitionId: string, + principalId: string, + options?: CreateRoleAssignmentOptions + ): Promise { + const span = createSpan("createRoleAssignment", options); + + if (!(roleScope && name && roleDefinitionId && principalId)) { + throw new Error( + "createRoleAssignment requires non-empty strings for the parameters: roleScope, name, roleDefinitionId and principalId." 
+ );
+ }
+
+ let response: RoleAssignmentsCreateResponse;
+ try {
+ response = await this.client.roleAssignments.create(
+ this.vaultUrl,
+ roleScope,
+ name,
+ {
+ properties: {
+ roleDefinitionId,
+ principalId
+ }
+ },
+ setParentSpan(span, options)
+ );
+ } finally {
+ span.end();
+ }
+
+ return mappings.roleAssignment.generatedToPublic(response);
+ }
+
+ /**
+ * Deletes role assignments previously created in an Azure Key Vault.
+ *
+ * Example usage:
+ * ```ts
+ * const client = new KeyVaultAccessControlClient(url, credentials);
+ * const roleAssignment = await client.createRoleAssignment("/", "295c179b-9ad3-4117-99cd-b1aa66cf4517");
+ * const deletedRoleAssignment = const await client.deleteRoleAssignment(roleAssignment.properties.roleScope, roleAssignment.name);
+ * console.log(deletedRoleAssignment);
+ * ```
+ * @summary Deletes an existing role assignment.
+ * @param roleScope The scope of the role assignment.
+ * @param name The name of the role assignment.
+ * @param [options] The optional parameters.
+ */
+ public async deleteRoleAssignment(
+ roleScope: RoleAssignmentScope,
+ name: string,
+ options?: DeleteRoleAssignmentOptions
+ ): Promise {
+ const span = createSpan("deleteRoleAssignment", options);
+
+ let response: RoleAssignmentsDeleteResponse;
+ try {
+ response = await this.client.roleAssignments.delete(
+ this.vaultUrl,
+ roleScope,
+ name,
+ setParentSpan(span, options)
+ );
+ } finally {
+ span.end();
+ }
+
+ return mappings.roleAssignment.generatedToPublic(response);
+ }
+
+ /**
+ * Gets a role assignments previously created in an Azure Key Vault.
+ *
+ * Example usage:
+ * ```ts
+ * const client = new KeyVaultAccessControlClient(url, credentials);
+ * let roleAssignment = await client.createRoleAssignment("/", "295c179b-9ad3-4117-99cd-b1aa66cf4517");
+ * roleAssignment = const await client.getRoleAssignment(roleAssignment.properties.roleScope, roleAssignment.name);
+ * console.log(roleAssignment);
+ * ```
+ * @summary Gets an existing role assignment.
+ * @param roleScope The scope of the role assignment.
+ * @param name The name of the role assignment.
+ * @param [options] The optional parameters.
+ */
+ public async getRoleAssignment(
+ roleScope: RoleAssignmentScope,
+ name: string,
+ options?: GetRoleAssignmentOptions
+ ): Promise {
+ const span = createSpan("getRoleAssignment", options);
+
+ let response: RoleAssignmentsDeleteResponse;
+ try {
+ response = await this.client.roleAssignments.get(
+ this.vaultUrl,
+ roleScope,
+ name,
+ setParentSpan(span, options)
+ );
+ } finally {
+ span.end();
+ }
+
+ return mappings.roleAssignment.generatedToPublic(response);
+ }
+
+ /**
+ * @internal
+ * @ignore
+ * Deals with the pagination of {@link listRoleAssignments}.
+ * @param roleScope The scope of the role assignments.
+ * @param continuationState An object that indicates the position of the paginated request.
+ * @param [options] Common options for the iterative endpoints.
+ */
+ private async *listRoleAssignmentsPage(
+ roleScope: RoleAssignmentScope,
+ continuationState: ListRoleAssignmentsPageSettings,
+ options?: ListRoleAssignmentsOptions
+ ): AsyncIterableIterator {
+ if (!continuationState.continuationToken) {
+ const optionsComplete: RoleAssignmentsListForScopeOptionalParams = options || {};
+ const currentSetResponse = await this.client.roleAssignments.listForScope(
+ this.vaultUrl,
+ roleScope,
+ optionsComplete
+ );
+ continuationState.continuationToken = currentSetResponse.nextLink;
+ if (currentSetResponse.value) {
+ yield currentSetResponse.value.map(mappings.roleAssignment.generatedToPublic, this);
+ }
+ }
+ while (continuationState.continuationToken) {
+ const currentSetResponse = await this.client.roleAssignments.listForScopeNext(
+ this.vaultUrl,
+ roleScope,
+ continuationState.continuationToken,
+ options
+ );
+ continuationState.continuationToken = currentSetResponse.nextLink;
+ if (currentSetResponse.value) {
+ yield currentSetResponse.value.map(mappings.roleAssignment.generatedToPublic, this);
+ } else {
+ break;
+ }
+ }
+ }
+
+ /**
+ * @internal
+ * @ignore
+ * Deals with the iteration of all the available results of {@link listRoleAssignments}.
+ * @param roleScope The scope of the role assignments.
+ * @param [options] Common options for the iterative endpoints.
+ */
+ private async *listRoleAssignmentsAll(
+ roleScope: RoleAssignmentScope,
+ options?: ListRoleAssignmentsOptions
+ ): AsyncIterableIterator {
+ for await (const page of this.listRoleAssignmentsPage(roleScope, {}, options)) {
+ yield* page;
+ }
+ }
+
+ /**
+ * Iterates over all of the available role assignments in an Azure Key Vault.
+ *
+ * Example usage:
+ * ```ts
+ * let client = new KeyVaultAccessControlClient(url, credentials);
+ * for await (const roleAssignment of client.listRoleAssignments("/")) {
+ * console.log("Role assignment: ", roleAssignment);
+ * }
+ * ```
+ * @summary Lists all of the role assignments in a given scope.
+ * @param roleScope The scope of the role assignments.
+ * @param [options] The optional parameters.
+ */
+ public listRoleAssignments(
+ roleScope: RoleAssignmentScope,
+ options: ListRoleAssignmentsOptions = {}
+ ): PagedAsyncIterableIterator {
+ const span = createSpan("listRoleAssignments", options);
+ const updatedOptions: ListRoleAssignmentsOptions = {
+ ...options,
+ ...setParentSpan(span, options)
+ };
+
+ const iter = this.listRoleAssignmentsAll(roleScope, updatedOptions);
+
+ span.end();
+ return {
+ next() {
+ return iter.next();
+ },
+ [Symbol.asyncIterator]() {
+ return this;
+ },
+ byPage: (settings: ListRoleAssignmentsPageSettings = {}) =>
+ this.listRoleAssignmentsPage(roleScope, settings, updatedOptions)
+ };
+ }
+
+ /**
+ * @internal
+ * @ignore
+ * Deals with the pagination of {@link listRoleDefinitions}.
+ * @param roleScope The scope of the role definition.
+ * @param continuationState An object that indicates the position of the paginated request.
+ * @param [options] Common options for the iterative endpoints.
+ */
+ private async *listRoleDefinitionsPage(
+ roleScope: RoleAssignmentScope,
+ continuationState: ListRoleDefinitionsPageSettings,
+ options?: ListRoleDefinitionsOptions
+ ): AsyncIterableIterator {
+ if (!continuationState.continuationToken) {
+ const optionsComplete: RoleAssignmentsListForScopeOptionalParams = options || {};
+ const currentSetResponse = await this.client.roleDefinitions.list(
+ this.vaultUrl,
+ roleScope,
+ optionsComplete
+ );
+ continuationState.continuationToken = currentSetResponse.nextLink;
+ if (currentSetResponse.value) {
+ yield currentSetResponse.value.map(mappings.roleDefinition.generatedToPublic, this);
+ }
+ }
+ while (continuationState.continuationToken) {
+ const currentSetResponse = await this.client.roleDefinitions.listNext(
+ this.vaultUrl,
+ roleScope,
+ continuationState.continuationToken,
+ options
+ );
+ continuationState.continuationToken = currentSetResponse.nextLink;
+ if (currentSetResponse.value) {
+ yield currentSetResponse.value.map(mappings.roleDefinition.generatedToPublic, this);
+ } else {
+ break;
+ }
+ }
+ }
+
+ /**
+ * @internal
+ * @ignore
+ * Deals with the iteration of all the available results of {@link listRoleDefinitions}.
+ * @param roleScope The scope of the role definition.
+ * @param [options] Common options for the iterative endpoints.
+ */
+ private async *listRoleDefinitionsAll(
+ roleScope: RoleAssignmentScope,
+ options?: ListRoleDefinitionsOptions
+ ): AsyncIterableIterator {
+ for await (const page of this.listRoleDefinitionsPage(roleScope, {}, options)) {
+ yield* page;
+ }
+ }
+
+ /**
+ * Iterates over all of the available role definitions in an Azure Key Vault.
+ *
+ * Example usage:
+ * ```ts
+ * let client = new KeyVaultAccessControlClient(url, credentials);
+ * for await (const roleDefinitions of client.listRoleDefinitions("/")) {
+ * console.log("Role definition: ", roleDefinitions);
+ * }
+ * ```
+ * @summary Lists all of the role definition in a given scope.
+ * @param roleScope The scope of the role definition. + * @param [options] The optional parameters. + */ + public listRoleDefinitions( + roleScope: RoleAssignmentScope, + options: ListRoleDefinitionsOptions = {} + ): PagedAsyncIterableIterator { + const span = createSpan("listRoleDefinitions", options); + const updatedOptions: ListRoleDefinitionsOptions = { + ...options, + ...setParentSpan(span, options) + }; + + const iter = this.listRoleDefinitionsAll(roleScope, updatedOptions); + + span.end(); + return { + next() { + return iter.next(); + }, + [Symbol.asyncIterator]() { + return this; + }, + byPage: (settings: ListRoleDefinitionsPageSettings = {}) => + this.listRoleDefinitionsPage(roleScope, settings, updatedOptions) + }; + } +} diff --git a/sdk/keyvault/keyvault-admin/src/accessControlModels.ts b/sdk/keyvault/keyvault-admin/src/accessControlModels.ts new file mode 100644 index 000000000000..06a8ed6814b0 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/src/accessControlModels.ts 
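Review bot: `createRoleAssignment` throws its argument error after `createSpan(...)` but before the `try`/`finally`, so that path never calls `span.end()`, and `deleteRoleAssignment` and `getRoleAssignment` carry no such check, so an empty `roleScope` or `name` reaches the request for an RBAC change. Run the guard before `createSpan` and repeat it in the other two methods, for example `if (!(roleScope && name)) { throw new Error("deleteRoleAssignment requires non-empty strings for the parameters: roleScope and name."); }`. In the constructor, `pipelineOptions.userAgentOptions = {...}` writes into the caller's object, so reusing one options object for a second client stacks the prefix; assign to a local copy instead. `vaultUrl` is stored unchecked and the credential is bound to whatever host it names, so an `https:` scheme check there is worth adding; whether `challengeBasedAuthenticationPolicy` ties the challenge to the vault host is not visible in this diff. Smaller items in the same hunk: `getRoleAssignment` types its response as `RoleAssignmentsDeleteResponse`, `listRoleDefinitionsPage` reuses `RoleAssignmentsListForScopeOptionalParams`, and both `list*` methods call `span.end()` before any page is fetched.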
@@ -0,0 +1,185 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import * as coreHttp from "@azure/core-http";
+import { SUPPORTED_API_VERSIONS } from "./constants";
+
+/**
+ * The optional parameters accepted by the Key Vault's AccessControlClient
+ */
+export interface AccessControlClientOptions extends coreHttp.PipelineOptions {
+ /**
+ * The accepted versions of the Key Vault's service API.
+ */
+ serviceVersion?: SUPPORTED_API_VERSIONS;
+}
+
+/**
+ * A Key Vault role assignment.
+ */
+export interface KeyVaultRoleAssignment {
+ /**
+ * The role assignment ID.
+ */
+ readonly id: string;
+ /**
+ * The role assignment name.
+ */
+ readonly name: string;
+ /**
+ * The role assignment type.
+ */
+ readonly type: string;
+ /**
+ * Role assignment properties.
+ */
+ properties: KeyVaultRoleAssignmentPropertiesWithScope;
+}
+
+/**
+ * VaA list of Key Vault permissions.
+ */
+export interface KeyVaultPermission {
+ /**
+ * Allowed actions.
+ */
+ actions?: string[];
+ /**
+ * Denied actions.
+ */
+ notActions?: string[];
+ /**
+ * Allowed Data actions.
+ */
+ dataActions?: string[];
+ /**
+ * Denied Data actions.
+ */
+ notDataActions?: string[];
+}
+
+/**
+ * A Key Vault role definition.
+ */
+export interface KeyVaultRoleDefinition {
+ /**
+ * The role definition ID.
+ */
+ readonly id: string;
+ /**
+ * The role definition name.
+ */
+ readonly name: string;
+ /**
+ * The role definition type.
+ */
+ readonly type: string;
+ /**
+ * The role name.
+ */
+ roleName: string;
+ /**
+ * The role definition description.
+ */
+ description: string;
+ /**
+ * The role type.
+ */
+ roleType: string;
+ /**
+ * A list of Key Vault permissions.
+ */
+ permissions: KeyVaultPermission[];
+ /**
+ * Role definition assignable scopes.
+ */
+ assignableScopes: string[];
+}
+
+/**
+ * Role assignment properties.
+ */
+export interface KeyVaultRoleAssignmentProperties {
+ /**
+ * The role definition ID.
+ */
+ roleDefinitionId: string;
+ /**
+ * The principal ID.
+ */
+ principalId: string;
+}
+
+/**
+ * A scope of the role assignment.
+ * The valid scopes are: "/", "/keys" and any a specific resource Id followed by a slash, as in "ID/".
+ */
+export type RoleAssignmentScope = "/" | "/keys" | string;
+
+/**
+ * Role assignment properties with the scope property.
+ */
+export interface KeyVaultRoleAssignmentPropertiesWithScope {
+ /**
+ * The role assignment scope.
+ */
+ scope?: RoleAssignmentScope;
+ /**
+ * The role definition ID.
+ */
+ roleDefinitionId: string;
+ /**
+ * The principal ID.
+ */
+ principalId: string;
+}
+
+/**
+ * An interface representing the optional parameters that can be
+ * passed to {@link createRoleAssignment}
+ */
+export interface CreateRoleAssignmentOptions extends coreHttp.OperationOptions {}
+
+/**
+ * An interface representing the optional parameters that can be
+ * passed to {@link deleteRoleAssignment}
+ */
+export interface DeleteRoleAssignmentOptions extends coreHttp.OperationOptions {}
+
+/**
+ * An interface representing the optional parameters that can be
+ * passed to {@link getRoleAssignment}
+ */
+export interface GetRoleAssignmentOptions extends coreHttp.OperationOptions {}
+
+/**
+ * An interface representing optional parameters passed to {@link listRoleAssignments}.
+ */
+export interface ListRoleAssignmentsOptions extends coreHttp.OperationOptions {}
+
+/**
+ * An interface representing optional parameters passed to {@link listRoleDefinitions}.
+ */
+export interface ListRoleDefinitionsOptions extends coreHttp.OperationOptions {}
+
+/**
+ * Arguments for retrieving the next page of search results.
+ */
+export interface ListRoleDefinitionsPageSettings {
+ /**
+ * A token used for retrieving the next page of results when the server
+ * enforces pagination.
+ */
+ continuationToken?: string;
+}
+
+/**
+ * Arguments for retrieving the next page of search results.
+ */ +export interface ListRoleAssignmentsPageSettings { + /** + * A token used for retrieving the next page of results when the server + * enforces pagination. + */ + continuationToken?: string; +} diff --git a/sdk/keyvault/keyvault-admin/src/constants.ts b/sdk/keyvault/keyvault-admin/src/constants.ts new file mode 100644 index 000000000000..338927424b4e --- /dev/null +++ b/sdk/keyvault/keyvault-admin/src/constants.ts @@ -0,0 +1,17 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. + +/** + * Current version of the Key Vault Admin SDK. + */ +export const SDK_VERSION: string = "4.1.0"; + +/** + * The latest supported Key Vault service API version. + */ +export const LATEST_API_VERSION = "7.2-preview"; + +/** + * Supported API versions + */ +export type SUPPORTED_API_VERSIONS = "7.2-preview"; diff --git a/sdk/keyvault/keyvault-admin/src/index.ts b/sdk/keyvault/keyvault-admin/src/index.ts index b5ec5831c9a8..7f1f9077ad59 100644 --- a/sdk/keyvault/keyvault-admin/src/index.ts +++ b/sdk/keyvault/keyvault-admin/src/index.ts @@ -1,5 +1,6 @@ // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. -export * from "./generated/keyVaultClient"; -export * from "./generated/keyVaultClientContext"; +export * from "./accessControlClient"; +export * from "./accessControlModels"; +export * from "./constants"; diff --git a/sdk/keyvault/keyvault-admin/src/log.ts b/sdk/keyvault/keyvault-admin/src/log.ts new file mode 100644 index 000000000000..2aab0b1de238 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/src/log.ts @@ -0,0 +1,9 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. + +import { createClientLogger } from "@azure/logger"; + +/** + * The @azure/logger configuration for this package. + */ +export const logger = createClientLogger("keyvault-admin"); diff --git a/sdk/keyvault/keyvault-admin/src/mappings.ts b/sdk/keyvault/keyvault-admin/src/mappings.ts new file mode 100644 index 000000000000..daf3bed27b8b 
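Review bot: `RoleAssignmentScope` is written as `"/" | "/keys" | string`, which the compiler reduces to plain `string`, so the two literals document intent but a mistyped scope on a role assignment still type-checks. The doc comment should say so, for example `* The type accepts any string; the client code in this change does not check it.`, and its wording "any a specific resource Id" needs fixing. Two other comments in this hunk look like paste leftovers: `VaA list of Key Vault permissions.` on `KeyVaultPermission`, and "next page of search results" on both `List*PageSettings` interfaces.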
--- /dev/null +++ b/sdk/keyvault/keyvault-admin/src/mappings.ts @@ -0,0 +1,52 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. + +import { RoleAssignment, RoleDefinition } from "./generated/models"; +import { + KeyVaultRoleAssignment, + KeyVaultRoleDefinition, + RoleAssignmentScope +} from "./accessControlModels"; + +export const mappings = { + roleAssignment: { + generatedToPublic(roleAssignment: RoleAssignment): KeyVaultRoleAssignment { + const { id, name, type, properties } = roleAssignment; + const { scope, roleDefinitionId, principalId } = properties || {}; + return { + id: id!, + name: name!, + type: type!, + properties: { + scope: scope as RoleAssignmentScope, + roleDefinitionId: roleDefinitionId!, + principalId: principalId! + } + }; + } + }, + roleDefinition: { + generatedToPublic(roleDefinition: RoleDefinition): KeyVaultRoleDefinition { + const { + id, + name, + type, + roleName, + description, + roleType, + permissions, + assignableScopes + } = roleDefinition; + return { + id: id!, + name: name!, + type: type!, + roleName: roleName!, + description: description!, + roleType: roleType!, + permissions: permissions!, + assignableScopes: assignableScopes! + }; + } + } +}; diff --git a/sdk/keyvault/keyvault-admin/src/tracing.ts b/sdk/keyvault/keyvault-admin/src/tracing.ts new file mode 100644 index 000000000000..efad53af1033 --- /dev/null +++ b/sdk/keyvault/keyvault-admin/src/tracing.ts 
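Review bot: `roleAssignment.generatedToPublic` forces every field with `!` and destructures `properties || {}`, so a response without `properties` comes back as a `KeyVaultRoleAssignment` whose `principalId` and `roleDefinitionId` are `undefined` while typed `string`. Code that audits or compares assignments would then see a well-typed object with no principal. Either declare those public fields optional or fail loudly, e.g. `if (!properties) { throw new Error("Role assignment response is missing properties."); }`; if the delete response can legitimately omit the body (not visible here), optional fields are the safer choice. The same `!` pattern applies to `roleDefinition.generatedToPublic`, and the exported `mappings` object has no doc comment.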
@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import { getTracer } from "@azure/core-tracing";
+import { RequestOptionsBase } from "@azure/core-http";
+import { Span } from "@opentelemetry/api";
+
+/**
+ * @internal
+ * @ignore
+ * Creates a span using the tracer that was set by the user.
+ * @param {string} methodName The name of the method creating the span.
+ * @param {RequestOptionsBase} [options] The options for the underlying HTTP request.
+ */
+export function createSpan(methodName: string, requestOptions?: RequestOptionsBase): Span {
+ const tracer = getTracer();
+ const span = tracer.startSpan(methodName, requestOptions && requestOptions.spanOptions);
+ span.setAttribute("az.namespace", "Microsoft.KeyVault");
+ return span;
+}
+
+/**
+ * @internal
+ * @ignore
+ * Returns updated HTTP options with the given span as the parent of future spans,
+ * if applicable.
+ * @param {Span} span The span for the current operation.
+ * @param {RequestOptionsBase} [options] The options for the underlying HTTP request.
+ */
+export function setParentSpan(span: Span, options: RequestOptionsBase = {}): RequestOptionsBase {
+ if (span.isRecording()) {
+ const spanOptions = options.spanOptions || {};
+ return {
+ ...options,
+ spanOptions: {
+ ...spanOptions,
+ parent: span.context(),
+ attributes: {
+ ...spanOptions.attributes,
+ "az.namespace": "Microsoft.KeyVault"
+ }
+ }
+ };
+ } else {
+ return options;
+ }
+}
diff --git a/sdk/keyvault/keyvault-admin/tsconfig.json b/sdk/keyvault/keyvault-admin/tsconfig.json
index 86808b640e4c..39e5962ffd82 100644
--- a/sdk/keyvault/keyvault-admin/tsconfig.json
+++ b/sdk/keyvault/keyvault-admin/tsconfig.json
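Review bot: The JSDoc on `createSpan` documents `@param {RequestOptionsBase} [options]`, but the parameter is named `requestOptions`, so the tag matches nothing. Rename the tag to `@param requestOptions The options for the underlying HTTP request.` and drop the `{...}` type annotations in both comments, since the TypeScript signatures already carry them. `setParentSpan` returns the caller's `options` object unchanged when the span is not recording; a `@returns` line stating that would help callers who spread the result.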
@@ -2,9 +2,9 @@ "extends": "../../../tsconfig.package", "compilerOptions": { "declarationDir": "./types", - "outDir": "./dist-esm/src", + "outDir": "./dist-esm", "resolveJsonModule": true }, - "exclude": ["node_modules", "./samples/**/*.ts"], - "include": ["./src/**/*.ts", "./test/**/*.ts"] + "exclude": ["node_modules", "../keyvault-common/node_modules", "./samples/**/*.ts"], + "include": ["./src/**/*.ts", "./test/**/*.ts", "../keyvault-common/**/*.ts"] }
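Review bot: The new `include` entry `../keyvault-common/**/*.ts` matches every TypeScript file under the sibling package, not only the `src` tree that `accessControlClient.ts` imports from. If keyvault-common holds tests or samples (its layout is not visible here), they are compiled into `dist-esm` and type-checked with this package's settings. Narrowing it to `"../keyvault-common/src/**/*.ts"` keeps the build to the code that `package.json` ships under `dist-esm/keyvault-common/src`.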