KeyVaultClientException: Operation “get” is not allowed

Hi,

If you run into a security exception from Key Vault (such as the "Operation get is not allowed" error in the title), pay close attention to how you grant access to the Azure Active Directory application. The access policy must be granted to the application's service principal, not to the application object itself.

One of my teammates went through the application endpoint of the Graph Explorer this way:

https://graph.windows.net/tenant/applications

and found the app he wanted. He took its object id and granted it via the Set-AzureRmKeyVaultAccessPolicy cmdlet. This cmdlet doesn't complain and doesn't tell you that the object id is not related to a user or a service principal. Therefore, you think that your setup is correct…

So, make sure to browse the correct endpoint, which is:

https://graph.windows.net/tenant/servicePrincipals

and to find the object id corresponding to the service principal of your app. As it bugged me for a while, I thought it might help others to blog it 🙂
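Here is an added example (not from the original post) that does the lookup from PowerShell instead of the Graph Explorer, using the same AzureRM cmdlet family the post mentions. It assumes an existing AzureRM session, a vault name and an application (client) id, which are placeholders here, and it assumes the `ObjectId` / `Id` property names exposed by `Get-AzureRmADApplication` and `Get-AzureRmADServicePrincipal` in AzureRM.Resources. The point it demonstrates is that the application object and the service principal are two different directory objects with two different object ids, and that only the latter belongs in a Key Vault access policy.

```powershell
# Added example; assumes Login-AzureRmAccount has already been run.
# Both values below are placeholders, not values from the original post.
$vaultName = 'my-vault'
$appId     = '00000000-0000-0000-0000-000000000000'   # application (client) id of the registered app

# The application object (what /applications returns) ...
$app = Get-AzureRmADApplication -ApplicationId $appId
# ... and the service principal (what /servicePrincipals returns) are distinct objects.
$sp  = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if (-not $sp) {
    throw "No service principal exists for app $appId in this tenant. Create one with: New-AzureRmADServicePrincipal -ApplicationId $appId"
}

"Application object id:        $($app.ObjectId)"
"Service principal object id:  $($sp.Id)"

# Grant the policy by service principal name (the app id); the cmdlet resolves it to the
# service principal for you, so there is no object id to get wrong. Keep permissions minimal.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId -PermissionsToSecrets get,list

# Verify: the vault's access policies should list the service principal's object id ...
$vault = Get-AzureRmKeyVault -VaultName $vaultName
$spEntry  = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
# ... and should NOT contain an entry for the application object, which never authenticates.
$appEntry = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $app.ObjectId }

if (-not $spEntry) { Write-Warning "No access policy found for the service principal $($sp.Id)" }
if ($appEntry)     { Write-Warning "Access policy found for the application object $($app.ObjectId); it grants nothing usable and should be removed with Remove-AzureRmKeyVaultAccessPolicy" }
```

The verification block at the end is the check to keep around: if a policy entry's object id matches an application object rather than a service principal, the entry is dead weight and the real caller still gets the "Operation get is not allowed" error.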

Happy Coding!


About Stephane Eyskens

Office 365, Azure PaaS and SharePoint platform expert
This entry was posted in Azure Active Directory.
