
There are two properties listed in the key vault documentation:

  • objectId string Yes The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
  • applicationId string No Application ID of the client making request on behalf of a principal - globally unique identifier

Questions:

  • Should I be using objectId for the MSI principalId?
  • Is the concept of applicationId redundant when working with MSI? There's so much documentation on MSDN that I'm having a hard time figuring out which approach to take, and whether the concept of applicationId/secrets is redundant when using MSI.
  • Is TenantId required?
user9314395


Should I be using objectId for the MSI principalId?

Yes, you should use the MSI's object ID. You could get it with PowerShell. For example:

Get-AzureRmADServicePrincipal -SearchString "azure-cli-2017-04-13-02-33-36"

Or get it on Azure Portal.


Is the concept of applicationId redundant when working with MSI? There's so much documentation on MSDN that I'm having a hard time figuring out which approach to take, and whether the concept of applicationId/secrets is redundant when using MSI.

When you create an MSI, it creates a service principal; applicationId is that service principal's application ID.

Is TenantId required?

Yes, it is required.

Shui shengbao
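Putting the answer together in one script, as an added example that is not part of the answer above: it resolves the MSI's service principal to its object ID and grants only the secret permissions the workload needs, with no applicationId or client secret involved. It assumes the AzureRM module and an existing vault and VM; the vault and display names are placeholders.

```powershell
# Added example, not from the original answer. Assumes the AzureRM module
# (Get-AzureRmADServicePrincipal, Set-AzureRmKeyVaultAccessPolicy) and an
# already logged-in session. Names below are placeholders.
$vaultName      = "my-key-vault"   # placeholder: existing Key Vault name
$msiDisplayName = "my-msi-vm"      # placeholder: display name of the MSI service principal

# 1. Resolve the MSI's service principal. Its Id is the objectId the access
#    policy expects. There is no secret to manage: the platform issues tokens
#    for this identity, so applicationId is not needed in the policy.
$sp = Get-AzureRmADServicePrincipal -SearchString $msiDisplayName
if (@($sp).Count -ne 1) {
    throw "Expected exactly one service principal matching '$msiDisplayName', found $(@($sp).Count)"
}

# 2. Grant the narrowest permissions the workload actually needs (here: read
#    secrets). The cmdlet uses the vault's own tenant for the policy entry;
#    an ARM template must supply that tenantId explicitly alongside objectId.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $sp.Id `
    -PermissionsToSecrets get,list

# 3. Verify the resulting policy entry refers to the MSI's object ID.
(Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Format-List ObjectId, TenantId, PermissionsToSecrets
```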