{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Root(大扎) 的问题《Azure Key Vault - Access denied》','https://www.manongdao.com/q-1017539.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am creating an Azure Key Vault. I am using the below ARM JSON template. I have an App created in Azure AD and I am trying to give that app all permissions so that I can use this Apps credentials to connect to the Key Vault from a Key Vault client.
I am using TFS, and have created a "Azure Deployment:Create Or Update Resource Group" Release definition task to automate this.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaults_qnvaultdev_name": {
"type": "string"
},
"vaults_location": {
"type": "string"
},
"vaults_skufamily": {
"type": "string"
},
"vaults_skuname": {
"type": "string"
},
"vaults_tenantid": {
"type": "string"
},
"vaults_objectid": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"comments": "Generalized from resource: '/subscriptions/subscription().subscriptionId/resourceGroups/resourceGroup().name/providers/Microsoft.KeyVault/vaults/[parameters('vaults_qnvaultdev_name')]'.",
"type": "Microsoft.KeyVault/vaults",
"name": "[parameters('vaults_qnvaultdev_name')]",
"apiVersion": "2015-06-01",
"location": "[parameters('vaults_location')]",
"tags": {},
"scale": null,
"properties": {
"sku": {
"family": "[parameters('vaults_skufamily')]",
"name": "[parameters('vaults_skuname')]"
},
"tenantId": "[parameters('vaults_tenantid')]",
"accessPolicies": [
{
"tenantId": "[parameters('vaults_tenantid')]",
"objectId": "[parameters('vaults_objectid')]",
"permissions": {
"keys": [
"All",
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore"
],
"secrets": [
"All",
"Get",
"List",
"Set",
"Delete",
"Recover",
"Backup",
"Restore"
]
}
}
],
"enabledForDeployment": true
},
"dependsOn": []
}
]
}
The template executes fine, and the Key Vault is getting created. I also can see in the vault's Access Policies the Principal is getting added with all the permissions. However, after creating the vault, when I use the Principal's client id and secret to connect from a client application, I get an "Access Denied" error.
I have noticed that if I go through the portal and manually add the App through the Key Vault's Access Policies, the Vault client is able to successfully authenticate. Am I missing something here?
Update: Issue fixed I gave the app permissions manually to the vault's Access Policy and checked the Resources Portal. Then I see that the "Object Id" for this App generated in the Resources portal is different from what I see in Azure AD - in the portal for this app. Any ideas why these are different?
Please refer to this link.
You could find the object id on
Enterprise applications - All applicationsnotApp registrations.You also could get the object id with Power Shell.
The root reason is that when you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant: an application object, and a service principal object.
More information about this please refer to this link.