Do you have an idea or a suggestion for Azure Key Vault based on your experience?

← Azure Key Vault

Make it possible with an ARM template to set an Access Policy for a Application Registration Principal

After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application, was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy (though it looks different then one created via the portal), however it will not work when used. As far as I've been able to determine, the only way to obtain this 'hidden id', is using the -PassThru argument while running AzureRmKeyVaultAccessPolicy, which at this point the Key vault must already exist, and it creates the access policy so this is useless for use in an Arm template that you want to create the initial key vault with. If there is some other way to obtain this hidden id, that would be a start, ideally if it was visible from the portal. Ideally, some more intuitive way, such as the ApplicationId that exists in the Arm template (though what it is for I don't know), would of course be better.

I have attached some of the relevant information from the ticket.

Thanks!
Danny Green

16 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Danny green shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

4 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Dan Polivy commented  ·   ·  Flag as inappropriate

    I also had the same issue -- trying to pre-provision the Microsoft.Azure.Cdn identity via ARM template on my Key Vault. Using Mark's command (Get-AzAdServicePrincipal -DisplayName 'Microsoft.Azure.Cdn'), I was able to pull the Id property out, and use that as the "objectId" value in my ARM template. Works great! Would be nice if this were documented somewhere.

  • Sam Kirsch commented  ·   ·  Flag as inappropriate

    Curious if anyone found a workaround for this, as I'm currently trying to configure an ARM template for a CI/CD pipeline using a resource that doesn't implement managed identity, and it's impossible to set up a keyvault with a created app registration if I can't get this "secret id"

  • paulio_globetrotter commented  ·   ·  Flag as inappropriate

    I have the exact same issue. When I create the access policy on the portal, I get it as application [
    APPLICATION (Directory ID: 72aa0.....10, Directory Name: undefined) ]. However when I create it via the ARM, it looks something like [
    (Directory ID: 72aa0.....10, Directory Name: undefined)]. I think there is a need for a property to mark this as "APPLICATION".

Azure Key Vault: Other

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice