Using Azure KeyVault, cannot find object in Azure Active Directory tenant
Using Azure KeyVault I have set up a ResourceGroup, KeyVault and Key by following this guide:

https://azure.microsoft.com/en-gb/documentation/articles/key-vault-get-started/

I have set up the application client in Active Directory. However, when I try to use:

Set-AzureKeyVaultAccessPolicy

I get the following error when granting permissions to the Service Principal account:

"Cannot find the Active Directory object 'clientId' in tenant 'tenantId'. Please make sure that the user of application service principal you are authorizing is registered in the current subscription's Azure Active directory."

The clientId is correct, as this was copied from the application configuration page in the portal. The tenant ID is the tenant ID for the current subscription, but not for the Active Directory.

The problem seems to be that the tenant ID for the Active Directory is different from the tenant ID for the subscription I'm using. How do I change the tenant ID of my Active Directory in the Azure Portal to match the subscription tenant ID?

Obscuration answered 7/7, 2015 at 10:33 Comment(1)
I think this is an issue for subscriptions that have more than one Active Directory. The "primary" Active Directory will work, but the other ones won't. This seems like a bug, because it means you can't use Key Vault with Active Directories outside the primary one that your subscription is attached to. Charkha

There are two things wrong with the documentation you can find at https://learn.microsoft.com/en-us/azure/key-vault/key-vault-get-started#a-idauthorizeaauthorize-the-application-to-use-the-key-or-secret

1) The -ServicePrincipalName parameter should NOT (as the example in the link suggests) be the Client Id (GUID), but the AD App's Identifier URI (you can find that on the properties page of the AD App).

2) If you did not create your AD App using the portal, but created it from PowerShell Azure Resource Manager scripts, there is no Service Principal created for your AD App yet. You have to do this using the New-AzureRmADServicePrincipal cmdlet before running Set-AzureRmKeyVaultAccessPolicy.

In total, you should then have:

```powershell
# Register the AD application; the identifier URI is what the access policy will refer to.
# Note: later AzureRm versions expect a SecureString for -Password rather than a plain string.
$app = New-AzureRmADApplication -DisplayName "Test" -HomePage "http://myapp.contoso.com" -IdentifierUris "http://myapp.contoso.com" -Password "password"

# Create the service principal for the application (not done automatically when created via ARM scripts).
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Grant the service principal access by its identifier URI, not by its client id (GUID).
Set-AzureRmKeyVaultAccessPolicy -VaultName "vaultname" -ServicePrincipalName "http://myapp.contoso.com" -PermissionsToSecrets Get
```

You can also find the discussion regarding this at https://social.msdn.microsoft.com/Forums/azure/en-US/ae8d2782-ecf7-4d35-9859-d4455e65a668/setazurermkeyvaultaccesspolicy-cannot-find-the-active-directory-object-in-tenant-?forum=AzureKeyVault

Peltast answered 3/1, 2017 at 9:48 Comment(0)
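As an added diagnostic example (not code from the answer above), the following AzureRM PowerShell checks that the signed-in context's tenant is the tenant that owns the subscription, verifies the service principal exists under the app's identifier URI before granting access, and creates it if it is missing. The vault name, identifier URI and subscription id are placeholders, and it assumes an AzureRm.Profile version where Get-AzureRmContext exposes the tenant as .Tenant.Id.

```powershell
# Added example: verify tenant and service principal before granting vault access.
# Placeholders (assumptions): vault name, identifier URI, subscription id.
$vaultName      = "vaultname"
$identifierUri  = "http://myapp.contoso.com"
$subscriptionId = "<subscription-id>"

# 1. The access policy is resolved in the tenant that owns the subscription, so the
#    PowerShell context must point at that same tenant; otherwise the object lookup fails.
$ctx = Get-AzureRmContext
$sub = Get-AzureRmSubscription -SubscriptionId $subscriptionId
if ($ctx.Tenant.Id -ne $sub.TenantId) {
    throw ("Context tenant {0} differs from subscription tenant {1}; " +
           "run Login-AzureRmAccount -TenantId {1} first") -f $ctx.Tenant.Id, $sub.TenantId
}

# 2. Look up the app and its service principal by identifier URI, not by client id (GUID).
$app = Get-AzureRmADApplication -IdentifierUri $identifierUri -ErrorAction SilentlyContinue
if (-not $app) {
    throw "No AD application with identifier URI $identifierUri in tenant $($sub.TenantId)"
}

$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $identifierUri -ErrorAction SilentlyContinue
if (-not $sp) {
    # An app registered via ARM scripts has no service principal yet; create one from the app id.
    $sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
}

# 3. Grant only what the app needs (Get on secrets), then read the policy back to confirm.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $identifierUri -PermissionsToSecrets Get
(Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object DisplayName, PermissionsToSecrets
```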

The tenant ID refers to the unique identifier of the Azure AD directory. Every Azure subscription is associated with a directory (or "tenant").

It sounds like you've created the application in a different directory from the directory that is associated with the Azure subscription in which you've created the Key Vault.

When registering the application, when you go to the "Active Directory" section of the Azure Management portal, be sure to choose the same directory as the one to which your subscription (the subscription where you created the Azure Key Vault) is associated.

Artistry answered 19/7, 2015 at 15:40 Comment(2)
Thanks, I do think I'm seeing the wrong AD. The issue is that I can't see any other. I'll investigate this further and update once I find out what's going on. Obscuration
That can happen if it's an EA subscription instead of a "consumer/microsoft account" one. Trinidad
