使用Azure KeyVault，无法在Azure Active Directory租户中找到对象

Question

Using Azure KeyVault I have set up a ResourceGroup, KeyVault and Key by following this guide:

https://azure.microsoft.com/en-gb/documentation/articles/key-vault-get-started/

I have set up the application client in Active Directory. However when I try to use:

Set-AzureKeyVaultAccessPolicy

I get the following error when granting permissions to the Service Principal account:

"Cannot find the Active Directory object ' clientId ' in tenant ' tenantId '. Please make sure that the user of application service principal you are authorizing is registered in the current subscription's Azure Active directory."

The clientId is correct as this was copied from the application configuration page in the portal. The tenant Id is the tenant ID for the current subscription.. but not for the active directory.

The problem seems to be that the tenant ID for the Active Directory is different to the tenant ID for the subscription I'm using. How do I change the tenant ID of my Active Directory in the Azure Portal to match the subscription tenant ID?

Answer 1

The tenant ID refers to the unique identifier of the Azure AD directory. Every Azure subscription is associated with a directory (or "tenant").

It sounds like you've created the application in a different directory from the directory that is associated with the Azure subscription in which you've created the Key Vault.

When registering the applications, when you go to the "Active Directory" section of the Azure Management portal, be sure to choose the same directory as the one to which you subscription (the subscription where you created the Azure Key Vault) is associated.

Answer 2

There is two things wrong with the documentation you can find on https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started#a-idauthorizeaauthorize-the-application-to-use-the-key-or-secret

1) The -ServicePrincipalName parameter should NOT (as the example in the link suggests) be the Client Id (Guid), but the AD Apps Identifier Uri (you can find that on the properties page of the AD App)

2) If you did not create your AD App using the portal, but created it from Powershell Azure Resource Manager scripts, there is no Service Principal created for your AD App yet. You have to do this using the New-AzureRmADServicePrincipal cmdlet, before running Set-AzureRmKeyVaultAccessPolicy.

In total, you should then have

$app =  New-AzureRmADApplication -DisplayName "Test" -HomePage "http://myapp.contoso.com" -IdentifierUris "http://myapp.contoso.com" -Password "password" 

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

Set-AzureRmKeyVaultAccessPolicy -VaultName "vaultname" -ServicePrincipalName "http://myapp.contoso.com" -PermissionsToSecrets Get 

You can also find the discussion regarind this on https://social.msdn.microsoft.com/Forums/azure/en-US/ae8d2782-ecf7-4d35-9859-d4455e65a668/setazurermkeyvaultaccesspolicy-cannot-find-the-active-directory-object-in-tenant-?forum=AzureKeyVault