Azure Key Vault - Access denied

Published 2019-08-20 00:49

Question:

I am creating an Azure Key Vault. I am using the ARM JSON template below. I have an app created in Azure AD and I am trying to give that app all permissions so that I can use this app's credentials to connect to the Key Vault from a Key Vault client.

I am using TFS, and have created an "Azure Deployment: Create Or Update Resource Group" release definition task to automate this.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaults_qnvaultdev_name": {
      "type": "string"
    },
    "vaults_location": {
      "type": "string"
    },
    "vaults_skufamily": {
      "type": "string"
    },
    "vaults_skuname": {
      "type": "string"
    },
    "vaults_tenantid": {
      "type": "string"
    },
    "vaults_objectid": {
      "type": "string"
    }
  },
  "variables": {},
  "resources": [
    {
      "comments": "Generalized from resource: '/subscriptions/subscription().subscriptionId/resourceGroups/resourceGroup().name/providers/Microsoft.KeyVault/vaults/[parameters('vaults_qnvaultdev_name')]'.",
      "type": "Microsoft.KeyVault/vaults",
      "name": "[parameters('vaults_qnvaultdev_name')]",
      "apiVersion": "2015-06-01",
      "location": "[parameters('vaults_location')]",
      "tags": {},
      "scale": null,
      "properties": {
        "sku": {
          "family": "[parameters('vaults_skufamily')]",
          "name": "[parameters('vaults_skuname')]"
        },
        "tenantId": "[parameters('vaults_tenantid')]",
        "accessPolicies": [
          {
            "tenantId": "[parameters('vaults_tenantid')]",
            "objectId": "[parameters('vaults_objectid')]",
            "permissions": {
              "keys": [
                "All",
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "secrets": [
                "All",
                "Get",
                "List",
                "Set",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ]
            }
          }
        ],
        "enabledForDeployment": true
      },
      "dependsOn": []
    }
  ]
}

The template executes fine, and the Key Vault is getting created. I can also see in the vault's Access Policies that the principal is getting added with all the permissions. However, after creating the vault, when I use the principal's client ID and secret to connect from a client application, I get an "Access Denied" error.

I have noticed that if I go through the portal and manually add the App through the Key Vault's Access Policies, the Vault client is able to successfully authenticate. Am I missing something here?

Update: Issue fixed. I gave the app permissions manually in the vault's Access Policy and checked the Resources portal. Then I saw that the "Object Id" for this app shown in the Resources portal is different from what I see in Azure AD (in the portal page for this app). Any ideas why these are different?

Answer 1:

Please refer to this link.

objectId (string, required): The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

You can find the object ID under Enterprise applications - All applications, not under App registrations.

You can also get the object ID with PowerShell:

Get-AzureADServicePrincipal

The root cause is that when you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant: an application object and a service principal object.

Application object

An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. The Azure AD Graph Application entity defines the schema for an application object's properties.

Service principal object

The service principal object defines the policy and permissions for an application's use in a specific tenant, providing the basis for a security principal to represent the application at run-time. The Azure AD Graph ServicePrincipal entity defines the schema for a service principal object's properties.

For more information, please refer to this link.
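The following is an added example, not code from the original question or answer. It turns the answer's point into a pre-deployment check a release pipeline can run before handing the template above its parameters: given the object ID the pipeline is about to put into `vaults_objectid`, it determines whether that GUID is the application object (what App registrations shows, which Key Vault will not match) or the service principal object (what Enterprise applications shows, which the access policy must name), and resolves the correct value from the shared `appId`. It assumes the tenant has been listed with Microsoft Graph (`GET /v1.0/applications` and `GET /v1.0/servicePrincipals`, both returning `{"value": [{"id", "appId", ...}]}`); the two listings and the parameters file in the block are constructed samples in that shape, every GUID in them is made up, and the display name `qnvault-client` is invented for illustration.

```python
"""Pre-deployment check for the vaults_objectid parameter of the Key Vault template.

Added example, not code from the original question or answer. The directory listings
and the parameters file are constructed samples in Microsoft Graph response shape
(GET /v1.0/applications, GET /v1.0/servicePrincipals); all GUIDs are made up.
"""
import copy
import json

# Constructed sample of GET /v1.0/applications (what the App registrations blade shows).
APPLICATIONS = {"value": [
    {"id": "11111111-1111-1111-1111-111111111111",      # application object id
     "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",   # client id the vault client signs in with
     "displayName": "qnvault-client"},
]}

# Constructed sample of GET /v1.0/servicePrincipals (the Enterprise applications blade).
# Same appId as above but a different object id: this is the one Key Vault evaluates.
SERVICE_PRINCIPALS = {"value": [
    {"id": "22222222-2222-2222-2222-222222222222", "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "displayName": "qnvault-client", "servicePrincipalType": "Application"},
    {"id": "33333333-3333-3333-3333-333333333333", "appId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
     "displayName": "unrelated-app", "servicePrincipalType": "Application"},
]}

# Constructed parameters file for the template, reproducing the mistake in the question:
# vaults_objectid was copied from App registrations, i.e. it is the application object id.
PARAMETERS_JSON = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_qnvaultdev_name": {"value": "qnvaultdev"},
        "vaults_location": {"value": "westeurope"},
        "vaults_skufamily": {"value": "A"},
        "vaults_skuname": {"value": "standard"},
        "vaults_tenantid": {"value": "tttttttt-tttt-tttt-tttt-tttttttttttt"},
        "vaults_objectid": {"value": "11111111-1111-1111-1111-111111111111"},
    },
})


def load_parameters(text):
    """Parse an ARM deployment parameters file."""
    return json.loads(text)


def classify_object_id(object_id, applications, service_principals):
    """Return ('servicePrincipal' | 'application' | 'unknown', matching object or None)."""
    oid = object_id.lower()
    for sp in service_principals["value"]:
        if sp["id"].lower() == oid:
            return "servicePrincipal", sp
    for app in applications["value"]:
        if app["id"].lower() == oid:
            return "application", app
    return "unknown", None


def service_principal_for_app(app_id, service_principals):
    """Resolve the service principal (Enterprise application) object for a client id."""
    for sp in service_principals["value"]:
        if sp["appId"].lower() == app_id.lower():
            return sp
    raise LookupError(f"no service principal for appId {app_id} in this tenant; "
                      "create one before deploying the vault")


def check_parameters(params, applications, service_principals):
    """Validate vaults_objectid; return (corrected copy of params, list of findings)."""
    fixed = copy.deepcopy(params)
    oid = fixed["parameters"]["vaults_objectid"]["value"]
    kind, obj = classify_object_id(oid, applications, service_principals)
    findings = []
    if kind == "servicePrincipal":
        findings.append(f"OK: {oid} is the service principal '{obj['displayName']}'")
    elif kind == "application":
        # The access policy would be created but never match the caller: swap in the SP's id.
        sp = service_principal_for_app(obj["appId"], service_principals)
        findings.append(
            f"WRONG: {oid} is the application object of '{obj['displayName']}' "
            f"(appId {obj['appId']}); the vault client would get Access Denied. "
            f"Replaced with service principal object id {sp['id']}")
        fixed["parameters"]["vaults_objectid"]["value"] = sp["id"]
    else:
        raise LookupError(f"{oid} is neither an application nor a service principal here")
    return fixed, findings


if __name__ == "__main__":
    corrected, notes = check_parameters(load_parameters(PARAMETERS_JSON), APPLICATIONS, SERVICE_PRINCIPALS)
    for note in notes:
        print(note)
    print(json.dumps(corrected, indent=2))
```

In a real pipeline the two listings would come from Microsoft Graph with a token that has `Application.Read.All`, and the corrected parameters would be fed to the "Azure Deployment: Create Or Update Resource Group" task. The check is deliberately strict about an unknown GUID: a typo in `vaults_objectid` also produces a vault whose access policy nobody can use, and it is cheaper to fail the release than to debug "Access Denied" afterwards.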