Using Azure KeyVault, cannot find object in Azure Active Directory tenant
Using Azure KeyVault I have set up a ResourceGroup, KeyVault and Key by following this guide:
https://azure.microsoft.com/en-gb/documentation/articles/key-vault-get-started/

I have set up the application client in Active Directory. However, when I try to use:

Set-AzureKeyVaultAccessPolicy

I get the following error when granting permissions to the Service Principal account:

"Cannot find the Active Directory object ' clientId ' in tenant ' tenantId '. Please make sure that the user of application service principal you are authorizing is registered in the current subscription's Azure Active directory."

The clientId is correct, as this was copied from the application configuration page in the portal. The tenant ID is the tenant ID for the current subscription, but not for the Active Directory.

The problem seems to be that the tenant ID for the Active Directory is different from the tenant ID for the subscription I'm using. How do I change the tenant ID of my Active Directory in the Azure Portal to match the subscription tenant ID?
The tenant ID refers to the unique identifier of the Azure AD directory. Every Azure subscription is associated with a directory (or "tenant").

It sounds like you've created the application in a different directory from the directory that is associated with the Azure subscription in which you've created the Key Vault.

When registering the applications, when you go to the "Active Directory" section of the Azure Management portal, be sure to choose the same directory as the one to which your subscription (the subscription where you created the Azure Key Vault) is associated.
There are two things wrong with the documentation you can find on https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started#a-idauthorizeaauthorize-the-application-to-use-the-key-or-secret

1) The -ServicePrincipalName parameter should NOT (as the example in the link suggests) be the Client Id (Guid), but the AD App's Identifier Uri (you can find that on the properties page of the AD App)

2) If you did not create your AD App using the portal, but created it from PowerShell Azure Resource Manager scripts, there is no Service Principal created for your AD App yet. You have to do this using the New-AzureRmADServicePrincipal cmdlet, before running Set-AzureRmKeyVaultAccessPolicy.

In total, you should then have

```powershell
# Register the AD application; its identifier URI is what the access policy refers to
$app = New-AzureRmADApplication -DisplayName "Test" -HomePage "http://myapp.contoso.com" -IdentifierUris "http://myapp.contoso.com" -Password "password"
# Create the service principal for that application in the current tenant
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
# Grant the service principal (addressed by identifier URI, not client id) Get on secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName "vaultname" -ServicePrincipalName "http://myapp.contoso.com" -PermissionsToSecrets Get
```

You can also find the discussion regarding this on https://social.msdn.microsoft.com/Forums/azure/en-US/ae8d2782-ecf7-4d35-9859-d4455e65a668/setazurermkeyvaultaccesspolicy-cannot-find-the-active-directory-object-in-tenant-?forum=AzureKeyVault
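A diagnostic version of the steps in that answer, added here as an example and not code from the answer or from Microsoft: it first compares the tenant the vault belongs to with the tenant of the current login (the mismatch behind the error in the question), then looks the service principal up by identifier URI, creates it only if it is missing, grants only Get on secrets, and reads the policy back to confirm it. It assumes the AzureRM module with Profile 3.x property names (`(Get-AzureRmContext).Tenant.Id`), an existing Login-AzureRmAccount session, and the placeholder vault name and identifier URI below.

```powershell
# Added example (not from the original answer). Assumes AzureRM module,
# an existing login, and these placeholder values.
$VaultName     = "vaultname"                 # placeholder vault name
$IdentifierUri = "http://myapp.contoso.com"  # placeholder AD App identifier URI

# 1. The vault records the tenant it belongs to; compare it with the tenant
#    of the current login context. A mismatch produces exactly the
#    "Cannot find the Active Directory object" error from the question.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
$ctx   = Get-AzureRmContext
if ($vault.TenantId -ne $ctx.Tenant.Id) {
    throw "Vault tenant $($vault.TenantId) differs from login tenant $($ctx.Tenant.Id); log in with -TenantId $($vault.TenantId)"
}

# 2. Look the service principal up by identifier URI, not by client id.
#    An app created from scripts may have no service principal yet.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $IdentifierUri
if (-not $sp) {
    $app = Get-AzureRmADApplication -IdentifierUri $IdentifierUri
    if (-not $app) {
        throw "No AD application with identifier URI $IdentifierUri in tenant $($ctx.Tenant.Id)"
    }
    $sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
}

# 3. Grant the least permission the application needs: Get on secrets only.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $IdentifierUri -PermissionsToSecrets Get

# 4. Read the policy back and confirm only Get was granted to this principal.
$policy = (Get-AzureRmKeyVault -VaultName $VaultName).AccessPolicies |
          Where-Object { $_.ObjectId -eq $sp.Id }
$granted = ($policy.PermissionsToSecrets -join ",")
if (-not $policy -or $granted -ne "Get") {
    throw "Access policy for $IdentifierUri not as expected (secrets: '$granted')"
}
"Access policy verified for $IdentifierUri (secrets: $granted)"
```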