
Using Azure KeyVault, cannot find object in Azure Active Directory tenant

Using Azure KeyVault I have set up a ResourceGroup, KeyVault and Key by following this guide:

https://azure.microsoft.com/en-gb/documentation/articles/key-vault-get-started/

I have set up the application client in Active Directory. However when I try to use:

Set-AzureKeyVaultAccessPolicy

I get the following error when granting permissions to the Service Principal account:

"Cannot find the Active Directory object 'clientId' in tenant 'tenantId'. Please make sure that the user or application service principal you are authorizing is registered in the current subscription's Azure Active Directory."

The clientId is correct, as this was copied from the application configuration page in the portal. The tenant ID is the tenant ID for the current subscription, but not for the Active Directory.

The problem seems to be that the tenant ID for the Active Directory is different from the tenant ID for the subscription I'm using. How do I change the tenant ID of my Active Directory in the Azure Portal to match the subscription tenant ID?

The tenant ID refers to the unique identifier of the Azure AD directory. Every Azure subscription is associated with a directory (or "tenant").

It sounds like you've created the application in a different directory from the directory that is associated with the Azure subscription in which you've created the Key Vault.

When registering the application in the "Active Directory" section of the Azure Management portal, be sure to choose the same directory as the one your subscription (the subscription in which you created the Azure Key Vault) is associated with.

There are two things wrong with the documentation you can find on https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started#a-idauthorizeaauthorize-the-application-to-use-the-key-or-secret

1) The -ServicePrincipalName parameter should NOT (as the example in the link suggests) be the Client ID (GUID), but the AD App's Identifier URI (you can find that on the properties page of the AD App).

2) If you did not create your AD App using the portal, but created it from PowerShell Azure Resource Manager scripts, there is no Service Principal created for your AD App yet. You have to do this using the New-AzureRmADServicePrincipal cmdlet before running Set-AzureRmKeyVaultAccessPolicy.

In total, you should then have:

# Register the AD application. The identifier URI is the value passed as the SPN below.
# "password" is a placeholder: use a generated secret and keep it out of source control.
$app = New-AzureRmADApplication -DisplayName "Test" -HomePage "http://myapp.contoso.com" -IdentifierUris "http://myapp.contoso.com" -Password "password"

# Create the service principal for the app; this is not done automatically when the app is created outside the portal.
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Grant the service principal Get on secrets only (least privilege), in the vault's own directory.
Set-AzureRmKeyVaultAccessPolicy -VaultName "vaultname" -ServicePrincipalName "http://myapp.contoso.com" -PermissionsToSecrets Get

You can also find the discussion regarding this on https://social.msdn.microsoft.com/Forums/azure/en-US/ae8d2782-ecf7-4d35-9859-d4455e65a668/setazurermkeyvaultaccesspolicy-cannot-find-the-active-directory-object-in-tenant-?forum=AzureKeyVault
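The following script is an added example and is not part of the question or either answer above. It ties the two answers together: it first checks whether the app registration is visible in the directory the current subscription is bound to (the mismatch described in the question), then makes sure a service principal exists for the app, and finally grants the vault policy. It departs from the second answer in one respect, which is my choice rather than the answerer's: it passes the service principal's object ID to Set-AzureRmKeyVaultAccessPolicy via -ObjectId, which avoids the Client ID versus Identifier URI ambiguity entirely. It assumes the AzureRM module is installed and that you have already run Login-AzureRmAccount; $ClientId and $VaultName are placeholders you supply.

```powershell
# Added example, not from the original post. Requires the AzureRM module and an
# existing Login-AzureRmAccount session. Parameters are placeholders.
param(
    [Parameter(Mandatory)] [Guid]     $ClientId,              # Application (client) ID shown in the portal
    [Parameter(Mandatory)] [string]   $VaultName,
    [string[]]                        $SecretPermissions = @('Get')   # least privilege: only what the app needs
)

# 1. Which directory (tenant) is the current subscription bound to?
$ctx = Get-AzureRmContext
$subscriptionTenant = $ctx.Tenant.Id
Write-Host "Subscription '$($ctx.Subscription.Name)' is bound to tenant $subscriptionTenant"

# 2. Is the app registration visible in *that* directory?
#    An empty result means the app was registered in a different tenant, which is
#    exactly what produces "Cannot find the Active Directory object ... in tenant ...".
$app = Get-AzureRmADApplication -ApplicationId $ClientId -ErrorAction SilentlyContinue
if (-not $app) {
    throw ("Application $ClientId is not registered in tenant $subscriptionTenant. " +
           "Re-register it in the directory that owns the subscription, or sign in with " +
           "Login-AzureRmAccount -TenantId <tenant of the app> and select a subscription bound to that tenant.")
}

# 3. Ensure a service principal exists for the app. Apps created through
#    PowerShell/ARM (rather than the portal) do not get one automatically.
#    The app ID is itself one of the service principal's SPNs, so it can be used for lookup.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ClientId.ToString() -ErrorAction SilentlyContinue
if (-not $sp) {
    Write-Host "No service principal found for $ClientId; creating one"
    $sp = New-AzureRmADServicePrincipal -ApplicationId $ClientId
}

# 4. Grant the policy by object ID. This is unambiguous: no SPN or Identifier URI lookup is involved.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToSecrets $SecretPermissions

# 5. Verify the policy landed on the intended principal and carries only the permissions requested.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
$vault.AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object DisplayName, ObjectId, TenantId, PermissionsToSecrets
```

Run it as `.\Grant-VaultAccess.ps1 -ClientId <guid> -VaultName <vault>` (script name is an assumption). Step 5 matters in practice: a policy granted to the wrong principal, or with Set/Delete added "for convenience", is a common way a Key Vault ends up far more exposed than intended, and listing the policy by object ID catches both.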
