We have 2 subscriptions
We are able to assign webapp to allow access to key vault to get credentials and its working fine thru Key Vault -> Access Policies -> Add New -> Select Principal
With UAT subscription, WebApp is not listed when we want to select it to allow access to read credentials. I can see APIM is listed but not the webapp.
I checked with app service plan, other default configuration, all looks same.
Are there any more rule applied to the list?
Identity status in Azure portal was in "Off" mode Webapp -> Settings -> Identity
I changed it to "On" and saved it.
Now i can see webapp inside select principal option.
Web app and Key vault should be in the same tenant when you enable the access policy of key vault for your web app. Taken from this doc.
When you create a new key vault in a subscription, it is automatically tied to the default Azure Active Directory tenant ID for that subscription. All access policy entries are also tied to this tenant ID. When you move your Azure subscription from tenant A to tenant B, your existing key vaults are inaccessible by the principals (users and applications) in tenant B. To fix this issue, you need to:
- Change the tenant ID associated with all existing key vaults in this subscription to tenant B.
- Remove all existing access policy entries.
- Add new access policy entries that are associated with tenant B.
For example, if you have key vault 'myvault' in a subscription that has been moved from tenant A to tenant B, here's how to change the tenant ID for this key vault and remove old access policies.
Select-AzSubscription -SubscriptionId YourSubscriptionID
$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId
$vault = Get-AzResource –ResourceId $vaultResourceId -ExpandProperties
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId
$vault.Properties.AccessPolicies = @()
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties
If you want to know moving resources to a new resource group or subscription, read here.
