Using Azure KeyVault I have set up a ResourceGroup, KeyVault and Key by following this guide:
https://azure.microsoft.com/en-gb/documentation/articles/key-vault-get-started/
I have set up the application client in Active Directory. However when I try to use:
Set-AzureKeyVaultAccessPolicy
I get the following error when granting permissions to the Service Principal account:
"Cannot find the Active Directory object 'clientId' in tenant 'tenantId'. Please make sure that the user of application service principal you are authorizing is registered in the current subscription's Azure Active directory."
The clientId is correct as this was copied from the application configuration page in the portal. The tenant Id is the tenant ID for the current subscription.. but not for the active directory.
The problem seems to be that the tenant ID for the Active Directory is different to the tenant ID for the subscription I'm using. How do I change the tenant ID of my Active Directory in the Azure Portal to match the subscription tenant ID?
The tenant ID refers to the unique identifier of the Azure AD directory. Every Azure subscription is associated with a directory (or "tenant").
It sounds like you've created the application in a different directory from the directory that is associated with the Azure subscription in which you've created the Key Vault.
When registering the applications, when you go to the "Active Directory" section of the Azure Management portal, be sure to choose the same directory as the one to which you subscription (the subscription where you created the Azure Key Vault) is associated.
There is two things wrong with the documentation you can find on https://learn.microsoft.com/en-us/azure/key-vault/key-vault-get-started#a-idauthorizeaauthorize-the-application-to-use-the-key-or-secret
1) The -ServicePrincipalName parameter should NOT (as the example in the link suggests) be the Client Id (Guid), but the AD Apps Identifier Uri (you can find that on the properties page of the AD App)
2) If you did not create your AD App using the portal, but created it from Powershell Azure Resource Manager scripts, there is no Service Principal created for your AD App yet. You have to do this using the New-AzureRmADServicePrincipal cmdlet, before running Set-AzureRmKeyVaultAccessPolicy.
In total, you should then have
$app = New-AzureRmADApplication -DisplayName "Test" -HomePage "http://myapp.contoso.com" -IdentifierUris "http://myapp.contoso.com" -Password "password"
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
Set-AzureRmKeyVaultAccessPolicy -VaultName "vaultname" -ServicePrincipalName "http://myapp.contoso.com" -PermissionsToSecrets Get
You can also find the discussion regarind this on https://social.msdn.microsoft.com/Forums/azure/en-US/ae8d2782-ecf7-4d35-9859-d4455e65a668/setazurermkeyvaultaccesspolicy-cannot-find-the-active-directory-object-in-tenant-?forum=AzureKeyVault
Related
I'm trying to add Azure CDN as a service account, in order to connect it to KeyVault.
Following the official guide and other suggestions such as Can't add Microsoft.Azure.Cdn service principal to Key Vault access policies
However this command:
New-AzureRmADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
is giving me this error:
New-AzureRmADServicePrincipal : When using this permission, the backing application of the service principal being created must in the local tenant.
Even after I've set the context to the correct tenant using Set-AzureRmContext -TenantId xxx.
any help is appreciated!
The error
When using this permission, the backing application of the service principal being created must in the local tenant.
is reported when you don't have sufficient permissions in AAD to add service principal for application defined in different tenant. This is case of e.g. normal user, who does not have any specific Azure Active Directory Role. With Global Administrator or Application Administrator (or possibly other roles) the command would succeed (please note that these are AAD Administrative Roles, not RBAC roles which are used for resources).
The same error could be reported by az cli call to create principal:
az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
We have 2 subscriptions
Development
UAT
We are able to assign webapp to allow access to key vault to get credentials and its working fine thru Key Vault -> Access Policies -> Add New -> Select Principal
With UAT subscription, WebApp is not listed when we want to select it to allow access to read credentials.
I can see APIM is listed but not the webapp.
I checked with app service plan, other default configuration, all looks same.
Are there any more rule applied to the list?
Identity status in Azure portal was in "Off" mode
Webapp -> Settings -> Identity
I changed it to "On" and saved it.
Now i can see webapp inside select principal option.
Web app and Key vault should be in the same tenant when you enable the access policy of key vault for your web app. Taken from this doc.
When you create a new key vault in a subscription, it is automatically
tied to the default Azure Active Directory tenant ID for that
subscription. All access policy entries are also tied to this tenant
ID. When you move your Azure subscription from tenant A to tenant B,
your existing key vaults are inaccessible by the principals (users and
applications) in tenant B. To fix this issue, you need to:
Change the tenant ID associated with all existing key vaults in this subscription to tenant B.
Remove all existing access policy entries.
Add new access policy entries that are associated with tenant B.
For example, if you have key vault 'myvault' in a subscription that has been moved from tenant A to tenant B, here's how to change the tenant ID for this key vault and remove old access policies.
Select-AzSubscription -SubscriptionId YourSubscriptionID
$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId
$vault = Get-AzResource –ResourceId $vaultResourceId -ExpandProperties
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId
$vault.Properties.AccessPolicies = #()
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties
If you want to know moving resources to a new resource group or subscription, read here.
I’m trying to get a certificate for my App Service I’m deploying from Key Vault using this template (https://github.com/Azure/azure-quickstart-templates/tree/master/webapp-keyvault-ssl). Part of this requires creating a Key Vault access policy which grants the Microsoft.Azure.Websites service principal (ID abfa0a7c-a6b6-4736-8310-5855508787cd) get on the Secrets. This works in my subscription just fine, but wasn’t working in the customer’s subscription. We could run the Set-AzKeyVaultAccessPolicy command referencing the service principal’s ID, and it executed without error, but the access policy does not actually get created. When I did a get-azAdServicePrincipal -DisplayNameBeginsWith ‘Microsoft.Azure.Websites’ nothing is returned. Yet when I look in the audit log for the KeyVault I can see a user with ID abfa0a7c-a6b6-4736-8310-5855508787cd trying to log in, so somewhere this identity must exist(?)
Is there something I need to do to enable/create this default (Microsoft.Azure.Websites) service principal? I checked my MSDN account and see the same behavior, in that this principal is not present.
Can deploy this template in a subscription where the Microsoft.Azure.Websites principal exists, but when the principal does not exist, the template deployment will fail.
#Gets the service principal (missing in problem subscription)
get-azAdServicePrincipal -DisplayNameBeginsWith 'Microsoft.Azure.Websites'
#Sets the keyvault access policy for the built in service principal
set-azKeyVaultAccessPolicy -VaultName keyVaultName -ServicePrincipalName "abfa0a7c-a6b6-4736-8310-5855508787cd" -PermissionsToSecrets get
‘abfa0a7c-a6b6-4736-8310-5855508787cd’ is the Resource Provider service principal name and it remains same for all Azure subscriptions. And its display name in service principal is 'Microsoft Azure App Service', not 'Microsoft.Azure.Websites'.
Try with
Get-AzADServicePrincipal -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
to see if it exists.
If it doesn't exist, check the resource provider of your subscription.
I am trying to use Microsoft.Azure.Management.Logic.LogicManagementClient to programmatically create a Logic App workflow in Azure. Authentication has already worked, but when I call logicManagementClient.Workflows.CreateOrUpdateAsync(), I am getting a CloudException saying that the client does not have authorization to perform action 'Microsoft.Logic/workflows/write'.
How can I give the app the required permissions?
I have already given it (in the Azure Portal) all permissions for Azure AD and Microsoft Graph. But when I try to add permissions for Windows Azure Service Management API (which I assume is the relevant API here), it says "No application permissions available":
You need to give your app at least Contributor access to the resource group via the Access Control (IAM) tab.
To manage Azure resources through the ARM API, you always need a role via RBAC.
I did this via PowerShell. I assigned the Contributor role to my App Registration. Here are the commands.
az login
az account set --subscription "YOURSUBSCRIPTIONNAME"
NOTE: Had to create Resource Group in Portal, Use the Application (client) ID of the App Registration Client
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName Application(client)ID -ResourceGroupName YOURRESOURCEGROUPNAME
I can't find any documentation on how to choose which AAD to create the service principal in. Basically, I can't find out if there is even a way to add the SP to the local AAD.
So we have a default Global AD which covers all of our enrollment and below that all subscriptions. I'm using Powershell derived from the many many examples on the net to create a SP in the default AD. Then I permission that SP against the subscription it is going to be working in.
At this point I've run into the following problem.
I'm rolling out a Key Vault, this works.
New-AzureRmKeyVault -VaultName $VaultName -EnabledForDeployment -EnabledForTemplateDeployment -ResourceGroupName $ResourceGroupName -Location $Location -Verbose
I need to add the first secret into it as part of the deployment. This bit fails because the SP doesn't have access to the KV.
# Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName -PermissionsToSecrets get,set -ServicePrincipalName $ServicePrincipalName
This is the result of that command.
Set-AzureRmKeyVaultAccessPolicy : Cannot find the Active Directory object
'Service-Principal-Name' in tenant '6166a717-xxxx-xxxxx-b0e8-6b7288c1f7ec'.
Please make sure that the user or application service principal you are
authorizing is registered in the current subscription's Azure Active
directory.
Reading into this, its not possible to set the Global AD Service Principal to have get/set on the local Keyvault. it would have to be a local Service Principal. However, we dont have one of them and nowhere can I work out how to create one of them.
Anyone else feeling this pain and know how to resolve it?
In the settings section of the old portal (manage.windowsazure.com), you will find a list of all subscriptions. The fourth column (Directory) shows the default directory that is associated with each subscription. No matter what, you will have to create the Service Principal in the Directory that is associated with that particular subscription. Please check this link to understand the relationship between Subscriptions and AAD.