1
votes

I have two Azure Active Directory (Azure AD) tenants, as follows:

  1. Corporate
  2. CorporateSub

All the users, including my own account, are in the Corporate directory, and all the resources/subscriptions are in the CorporateSub directory.

I am following this document https://docs.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell to configure Always Encrypted by using Azure Key Vault.

The following PowerShell script fails:

Set-AzKeyVaultAccessPolicy  -VaultName $vaultName  -ResourceGroupName $resourceGroupName -ServicePrincipalName $applicationId -PermissionsToKeys get,wrapKey,unwrapKey,sign,verify,list

The error is:

Set-AzKeyVaultAccessPolicy : Cannot find the Active Directory object '' in tenant XXXXXXXXXXXXXXXXXXXXX

1
I think you can create a multi-tenant Azure AD app in CorporateSub. I assume that you created the application in Corporate. - tiny-wa

@Tiny-wa Yes, I had registered the application in Corporate; that was the issue. Registering it in CorporateSub resolved the issue. - kudlatiger

Regarding the question you just deleted: if you use a managed identity, you can access Key Vault with the line `var client = new SecretClient(new Uri("xxx.vault.azure.net/"), new DefaultAzureCredential());`. I don't know about the debugging you mentioned. - tiny-wa

1 Answer

1
votes

Update:

As you mentioned in the comment, the issue was that the app was not registered in CorporateSub.

Original Answer:

I can reproduce the error:

[screenshot of the Set-AzKeyVaultAccessPolicy error]

Please make sure the application ID is correct and that you are logged in with the correct account.

The app I tested is one of my owned applications:

[screenshot of the app registration under Owned applications]
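The root cause in this thread is that Set-AzKeyVaultAccessPolicy resolves the service principal in the tenant of the current Az context, and a registration that exists only in Corporate has no service principal in CorporateSub, hence "Cannot find the Active Directory object ''". The script below is an added example, not code from the question or the answer: it signs in to the vault's tenant explicitly, checks that the service principal actually exists there before granting anything, grants the policy by object ID, and reads the policy back. The tenant ID, subscription ID, vault name, resource group and application ID are placeholders you replace with your own values.

```powershell
# Added example, not from the original question or answer.
# All GUIDs and names below are placeholders (assumptions), replace them with your own.
param(
    [string]$SubTenantId       = '00000000-0000-0000-0000-000000000000',  # CorporateSub tenant ID
    [string]$SubscriptionId    = '11111111-1111-1111-1111-111111111111',  # subscription that holds the vault
    [string]$VaultName         = 'my-ae-vault',
    [string]$ResourceGroupName = 'my-rg',
    [string]$ApplicationId     = '22222222-2222-2222-2222-222222222222'   # app (client) ID of the registration
)

# 1. Sign in to the tenant that owns the vault, not the tenant that holds your user account.
#    The -Tenant switch matters here because the user lives in Corporate but the vault in CorporateSub.
Connect-AzAccount -Tenant $SubTenantId -Subscription $SubscriptionId | Out-Null
$ctx = Get-AzContext
if ($ctx.Tenant.Id -ne $SubTenantId) {
    throw "Signed in to tenant $($ctx.Tenant.Id), expected $SubTenantId"
}

# 2. Resolve the service principal in THIS tenant. If the app is registered only in Corporate,
#    this returns nothing, which is exactly what the 'Cannot find the Active Directory object'
#    error is complaining about. Failing here gives a clear message instead of the empty-name error.
$sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId -ErrorAction SilentlyContinue
if (-not $sp) {
    throw "No service principal for app $ApplicationId in tenant $SubTenantId. " +
          "Register the app in this tenant (or create its service principal here) before granting Key Vault access."
}

# 3. Grant the policy by object ID, which is unambiguous once the principal exists in this tenant.
#    The permission list is the one the question uses (from the Always Encrypted guide).
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ResourceGroupName $ResourceGroupName `
    -ObjectId $sp.Id `
    -PermissionsToKeys get,wrapKey,unwrapKey,sign,verify,list

# 4. Read the vault's access policies back and show only the entry for this principal,
#    so the grant is confirmed from the vault's side rather than assumed.
$policy = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) {
    throw "Access policy for object $($sp.Id) was not found on vault $VaultName after the grant."
}
$policy | Select-Object DisplayName, ObjectId, PermissionsToKeys
```

Two caveats a practitioner should keep in mind: the check in step 2 only tells you whether a service principal exists in the signed-in tenant, so if you intend to use a single multi-tenant registration from Corporate you still need a service principal for it created in CorporateSub (the thread's author instead registered the app directly in CorporateSub, which also works); and the permission list is copied from the question, so trim it to what your client actually needs rather than treating it as a minimum.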