0 votes

I am following directions here for learning the AzureKeyVault config settings

Key Vault Configuration Provider sample application (ASP.NET Core 2.x)

This sample illustrates the use of the Azure Key Vault Configuration Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see Key Vault Configuration Provider sample application (ASP.NET Core 1.x).

For more information on how the sample works, see the Azure Key Vault configuration provider topic.

Using the sample

  1. Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key Vault.

    • Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the PowerShell Gallery, the Azure Key Vault REST API, or the Azure Portal. Secrets are created as either Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the configuration provider. You should use the Manual option to create name-value pair secrets for use with the configuration provider.
      • Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
      • Hierarchical values (configuration sections) use -- (two dashes) as a separator in the sample. Colons, which are normally used to delimit a section from a subkey in ASP.NET Core configuration, aren't allowed in secret names. Therefore, two dashes are used and swapped for a colon when the secrets are loaded into the app's configuration.
      • Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second secret creates a secret value with a section and subkey in the secret name:
        • SecretName: secret_value_1
        • Section--SecretName: secret_value_2
    • Register the sample app with Azure Active Directory.
    • Authorize the app to access the key vault. When you use the Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet to authorize the app to access the key vault, provide List and Get access to secrets with -PermissionsToSecrets list,get.
  2. Update the app's appsettings.json file with the values of Vault, ClientId, and ClientSecret.

  3. Run the sample app, which obtains its configuration values from IConfigurationRoot with the same name as the secret name.
     • Non-hierarchical values: The value for SecretName is obtained with config["SecretName"].
     • Hierarchical values (sections): Use : (colon) notation or the GetSection extension method. Use either of these approaches to obtain the configuration value:
       • config["Section:SecretName"]
       • config.GetSection("Section")["SecretName"]

Okay so I have copied the name of my application into Azure Active Directory as an 'Enterprise Application'. And I have added 'Access policies' for 'get' and 'list' in Azure for my AAD object I just created. Yet I get this error in the program when attempting to start the application:

Exception: {"error":"unauthorized_client","error_description":"AADSTS70001: 
Application with identifier '(guid)' was not found in the directory ...(continues)

Update 8-4-18 Okay I found out that Azure uses the 'ClientId' and 'ClientSecret' in the local appsettings.json to connect to what Azure registers in this tutorial: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#log-in-as-the-application

  1. I get the ClientId in appsettings.json from the ApplicationId of the app I create with AAD > App Registrations > New.
  2. I click Settings in AAD on the app I just created and create a key with an expiration to store as ClientSecret in appsettings.json.
  3. I change my 'Vault' in appsettings to my named vault.
  4. I run the PowerShell above to give access, or else do it in AAD.

So now I am getting a simpler error:

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Access denied'

I have tried running as Administrator in Visual Studio. I went under Subscriptions in Azure > Access Control (IAM) > set my new apps to Reader.


2 Answers

2 votes

So the reason your PowerShell is failing is because you are trying to assign a User Principal (a user) when actually you want a Service Principal.

I can't see your C#, so I can't say more there than this: when you use the SDK to log in as the Service Principal, you use the application id of the Application/Service Principal (it's the same id).

The service principal acts like a user in the local directory but you log in as the application.


Edit:

I looked at the example you posted and ran it myself and had very similar problems. However I have got it working. Here's the steps:

Creating the Application

  1. Create the Registered Application. I do this through the Azure Portal so a Service Principal is created automatically. Make a note of the ApplicationId.
  2. Generate a key credential on the created application and make a note of it.
  3. In the Application, click on the link to the Managed app in local directory. This is the Service Principal; make a note of its ObjectId.

Creating the Key Vault

  1. Create the Key Vault. I used PowerShell to do this: New-AzureRmKeyVault.

  2. Apply the Service Principal to the Key Vault.

    Set-AzureRmKeyVaultAccessPolicy -VaultName <vault> -ResourceGroupName <ResourceGroupName> -ObjectId <Object Id of the Created Service Principal> -PermissionsToSecrets Get,List
    

Running the Sample App

In your application settings follow this format:

{
  "Vault": <the name of your vault>,
  "ClientId": <ApplicationId of the Registered Application>,
  "ClientSecret": <Credential generated from the Registered Application>
}

This worked for me and allowed me to run the sample and retrieve the secrets from the vault.

0 votes

The ultimate problem for me became that running 'Set-AzureRmKeyVaultAccessPolicy' was not needed, and for whatever reason it was easier to just ignore it and follow this subsection: https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize

I kept trying to set up Object Id and Keys, and really I had just overlooked a section mentioning a 'ServicePrincipalName'.

They set one cmdlet for keys:

Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToKeys decrypt,sign

They set one cmdlet for secrets:

Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToSecrets Get, List

But I decided to follow the immediately preceding section on doing it all in the Portal. The key takeaway for me was that the instructions were not wrong, just vague when they say "Register a sample app" then "Authorize the App". Really they should be saying:

  • Register a sample app (https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started#register)
  • Authorize the app with Key Vault (https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize)

Ultimately all the information is there; it was just confusing if you happen to already have a vault and an application and don't understand that the prerequisite is really that you need to have 1. a Vault, 2. an AAD Web Application, 3. the permissions for 2 associated in 1.
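The two answers above describe the same fix from two angles: the access policy must be attached to the service principal (by its ObjectId, as in the first answer, or by its ApplicationId via -ServicePrincipalName, as in the second), not to a user or to the application object. The following PowerShell script is an added example, not code from the question, either answer, or the Microsoft sample; it provisions the registration, the service principal, the policy and the two sample secrets end to end with the AzureRM cmdlets the thread uses, and then proves the policy works by logging in as the service principal and reading a secret back. Assumptions: the vault already exists, the AzureRM.Resources and AzureRM.KeyVault modules are installed (AzureRM 6.x, where -Password takes a SecureString), and the vault name, app name and identifier URI are placeholders to replace.

```powershell
# Added example (not the sample's or the answers' own code): provision an AAD app
# registration + service principal, grant it Get/List on secrets, write the
# appsettings.json the sample expects, and verify access AS the service principal.
# Assumes AzureRM 6.x and an existing vault; all names below are placeholders.

$vaultName  = 'my-config-vault'                                  # assumption: existing vault
$appName    = 'keyvault-config-sample'                           # assumption
$identifier = 'https://keyvault-config-sample.example.invalid'   # assumption: identifier URI

Connect-AzureRmAccount | Out-Null
$tenantId = (Get-AzureRmContext).Tenant.Id

# 1. Generate the client secret ourselves (32 random bytes) so it never lives only in a
#    portal blade, and give it an expiry; the sample reads it as plain text from appsettings.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$secretPlain  = [Convert]::ToBase64String($bytes)
$secretSecure = ConvertTo-SecureString $secretPlain -AsPlainText -Force
$endDate      = (Get-Date).AddMonths(6)

# 2. Register the application. Unlike the portal, New-AzureRmADApplication does NOT
#    create the service principal for you, so create it explicitly. The SP's Id is the
#    "Managed app in local directory" ObjectId from the first answer; the app's
#    ObjectId is a different object and is the wrong thing to put in the access policy.
$app = New-AzureRmADApplication -DisplayName $appName -IdentifierUris $identifier `
                                -Password $secretSecure -EndDate $endDate
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# 3. Grant least privilege on the vault: Get and List on secrets only, to the SP.
#    Either form below works; they target the same principal.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets get,list
# Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $app.ApplicationId -PermissionsToSecrets get,list

# 4. Check the policy landed on the SP (a policy on a user or on the app object leaves
#    the app with exactly the 'Access denied' the question reports).
$policy = (Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
          Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy -or ($policy.PermissionsToSecrets -notcontains 'get') -or
    ($policy.PermissionsToSecrets -notcontains 'list')) {
    throw "Access policy for service principal $($sp.Id) is missing or lacks get/list"
}

# 5. Create the two secrets from the sample. '--' is the provider's stand-in for ':',
#    because ':' is not a legal Key Vault secret-name character.
foreach ($pair in @(@{ Name = 'SecretName';          Value = 'secret_value_1' },
                    @{ Name = 'Section--SecretName'; Value = 'secret_value_2' })) {
    Set-AzureRmKeyVaultSecret -VaultName $vaultName -Name $pair.Name `
        -SecretValue (ConvertTo-SecureString $pair.Value -AsPlainText -Force) | Out-Null
}

# 6. Write the settings file in the shape the sample reads. Keep this file out of
#    source control: it now holds a credential.
@{ Vault = $vaultName; ClientId = $app.ApplicationId.ToString(); ClientSecret = $secretPlain } |
    ConvertTo-Json | Set-Content -Path .\appsettings.json

# 7. Prove it as the application, not as you: your own account's rights on the vault say
#    nothing about the SP's. New principals can take a little while to propagate, hence the retry.
$cred = New-Object System.Management.Automation.PSCredential($app.ApplicationId.ToString(), $secretSecure)
$ok = $false
foreach ($attempt in 1..6) {
    try {
        Connect-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $tenantId | Out-Null
        $s = Get-AzureRmKeyVaultSecret -VaultName $vaultName -Name 'Section--SecretName'
        if ($s.SecretValueText -eq 'secret_value_2') { $ok = $true; break }
    } catch { Start-Sleep -Seconds 10 }
}
if (-not $ok) { throw 'Service principal cannot read the secret; check the access policy ObjectId' }
"Service principal $($app.ApplicationId) can read '$($s.Name)'; config key will be 'Section:SecretName'"
```

If step 7 fails while step 4 passed, the usual cause is that the policy was set on a different ObjectId than the one the app logs in with (the app object, or a user), which is exactly the mismatch both answers describe; compare $sp.Id against the ObjectId shown on the Enterprise Application blade. Rotate the secret before the -EndDate you set, and prefer a certificate credential or Managed Service Identity over a client secret for anything beyond the sample.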