Set KeyVault permission to an AAD App in a different tenant works in PowerShell but fails in ARM template

Question

I am trying to grant access to an AAD app under a different tenant, the command below works:

Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -ApplicationId $appId -objectId $appObjectId  `
 -PermissionsToSecrets get -PermissionsToCertificates get -BypassObjectIdValidation

But the corresponding ARM template implementation doesn't:

"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2015-06-01",
"name": "[parameters('KeyVaultName')]",
"properties": {
     "accessPolicies": {
     {
         "tenantId": "current-tenant-id",
         "objectId": "object-id",
         "permissions": {
            "secrets": [
              "get"
            ]
          }
      },
     {
         "tenantId": "another-tenant-id",  /* Raises: An invalid value was provided for 'accessPolicies' */
         "objectId": "object-id",
         "permissions": {
            "secrets": [
              "get"
            ]
          }
      }
}

Is there anything I am missing here?

Check this blog post - http://blog.codenova.pl/post/azure-key-vault-making-it-right — kamil-mrzyglod, Feb 24 '17 at 08:26

score 1 · Answer 1 · edited Jun 20 '20 at 09:12

I am trying to grant access to an AAD app under a different tenant, the command below works

I noticed that you have specified the BypassObjectIdValidation parameter. As the official document mentioned about BypassObjectIdValidation:

Enables you to specify an object ID without validating that the object exists in Azure Active Directory. Use this parameter only if you want to grant access to your key vault to an object ID that refers to a delegated security group from another Azure tenant.

Also, as the description states about Set-AzureRmKeyVaultAccessPolicy cmdlet:

The default directory of the Azure subscription in which the key vault resides.

Your Azure account has multiple directories. If you register an application in a directory other than the default directory, you cannot authorize that application to use your key vault. The application must be in the default directory.

Based on my understanding, you cannot set KeyVault permission to an AAD App in a different tenant. If you specify the BypassObjectIdValidation parameter, you need to set objectId as the object ID of a delegated security group from another Azure tenant.

Additionally, you could leverage resources.azure.com to get/update the Access policies of your existing KeyVault.

Set KeyVault permission to an AAD App in a different tenant works in PowerShell but fails in ARM template

1 Answers1