Make it possible with an ARM template to set an Access Policy for an Application Registration Principal
After submitting a ticket and working with MS Support, I learned that the only way to associate an Access Policy with an AD Registered Application was to use a 'Hidden Id' for that application. No combination of the Object Id as displayed in the Portal, or the Application Id as displayed in the Portal for that AD application registration, will result in a usable Access Policy (it does not error, and the portal actually shows the policy, though it looks different than one created via the portal; however, it will not work when used). As far as I've been able to determine, the only way to obtain this 'hidden id' is using the -PassThru argument while running AzureRmKeyVaultAccessPolicy, at which point the Key Vault must already exist, and it creates the access policy, so this is useless for use in an ARM template that you want to create the initial key vault with. If there is some other way to obtain this hidden id, that would be a start, ideally if it was visible from the portal. Ideally, some more intuitive way, such as the ApplicationId that exists in the ARM template (though what it is for I don't know), would of course be better.
I have attached some of the relevant information from the ticket.
Thanks!
Danny Green

4 comments
-
Dan Polivy commented
I also had the same issue -- trying to pre-provision the Microsoft.Azure.Cdn identity via ARM template on my Key Vault. Using Mark's command (Get-AzAdServicePrincipal -DisplayName 'Microsoft.Azure.Cdn'), I was able to pull the Id property out, and use that as the "objectId" value in my ARM template. Works great! Would be nice if this were documented somewhere.
-
Mark Bowler commented
I ran into the same problem. In my case I was able to obtain the ID using Get-AzADServicePrincipal and pass it in as a parameter to my template as per https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-powershell
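One way to apply the workaround Mark and Dan describe, as an added example that is not part of the original thread: look up the service principal's object ID with the Az module and pass it into a minimal Key Vault template built inline for this example (the application ID, resource group and vault name are placeholders, and the template parameter names are my own).

```powershell
# Added example, not from the original thread. Assumes the Az PowerShell module and an
# existing resource group. Values in <...> are placeholders.
$appId         = '<application-client-id>'   # Application (client) ID shown in the portal
$resourceGroup = '<resource-group-name>'
$vaultName     = '<key-vault-name>'

# The access policy needs the object ID of the *service principal* that backs the app
# registration, not the object ID of the app registration object itself.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal found for application $appId" }

# Minimal template, constructed for this example. 'principalObjectId' is assumed.
$template = @{
  '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
  contentVersion = '1.0.0.0'
  parameters     = @{
    vaultName         = @{ type = 'string' }
    principalObjectId = @{ type = 'string' }
  }
  resources = @(
    @{
      type       = 'Microsoft.KeyVault/vaults'
      apiVersion = '2019-09-01'
      name       = "[parameters('vaultName')]"
      location   = "[resourceGroup().location]"
      properties = @{
        tenantId = "[subscription().tenantId]"
        sku      = @{ family = 'A'; name = 'standard' }
        accessPolicies = @(
          @{
            tenantId    = "[subscription().tenantId]"
            objectId    = "[parameters('principalObjectId')]"
            # Least privilege: grant only what the application actually needs.
            permissions = @{ secrets = @('get', 'list') }
          }
        )
      }
    }
  )
}

New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
  -TemplateObject $template `
  -vaultName $vaultName `
  -principalObjectId $sp.Id
```

After deployment, Get-AzKeyVault -VaultName $vaultName lists the policy under AccessPolicies with the service principal's object ID, which is the value the portal-created policy also uses.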
-
Sam Kirsch commented
Curious if anyone found a workaround for this, as I'm currently trying to configure an ARM template for a CI/CD pipeline using a resource that doesn't implement managed identity, and it's impossible to set up a Key Vault with a created app registration if I can't get this "secret id".
-
paulio_globetrotter commented
I have the exact same issue. When I create the access policy on the portal, I get it as application [APPLICATION (Directory ID: 72aa0.....10, Directory Name: undefined)]. However, when I create it via the ARM template, it looks something like [(Directory ID: 72aa0.....10, Directory Name: undefined)]. I think there is a need for a property to mark this as "APPLICATION".