KeyVaultClientException: Operation “get” is not allowed


If you encounter a security exception with Key Vault, pay attention to how you granted access to the Azure Active Directory application. Grant the access policy to the application's corresponding service principal, not to the application object itself.

One of my team mates went through the application endpoint of the Graph Explorer this way:

and found the app he wanted. He took its object id and granted it access via the Set-AzureRmKeyVaultAccessPolicy cmdlet. This guy doesn't complain and doesn't tell you that the object id is not related to a user or a service principal. Therefore, you think that your setup is correct…

So, make sure to browse the correct endpoint, being:

and to find the object id corresponding to the service principal of your app. As it bugged me for a while, I thought it might help others to blog it 🙂
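The same lookup done from PowerShell instead of the Graph Explorer, as an added example that is not part of the original post: it resolves both object ids from the application id, grants the policy to the service principal, and verifies the vault's access policy list afterwards. The application id and vault name are placeholders, and the AzureRM cmdlets are assumed to be installed and logged in.

```powershell
# Added example (not from the original post). Replace the placeholders below.
$appId     = '00000000-0000-0000-0000-000000000000'   # Application (client) ID of the AAD app
$vaultName = 'my-keyvault'                            # Key Vault name

# The application object and its service principal are two different directory
# objects with two different object ids. Key Vault access policies only understand
# users, groups and service principals, so the SP object id is the one to use.
$app = Get-AzureRmADApplication -ApplicationId $appId
# The application id is one of the service principal's SPNs, so it can be used to find the SP.
$sp  = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId

Write-Host "Application object id      : $($app.ObjectId)   <- wrong one for Key Vault"
Write-Host "Service principal object id: $($sp.Id)   <- use this one"

# Grant the service principal only what the code needs (here: 'get' on secrets).
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets get

# Verify: the vault's access policies must now contain the service principal's object id.
$vault  = Get-AzureRmKeyVault -VaultName $vaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if ($null -eq $policy) {
    throw "No access policy found for service principal $($sp.Id)"
}

# A policy granted to the application object id is the mistake described above: it looks
# fine in the portal but never matches the token's identity, hence "Operation get is not allowed".
$stale = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $app.ObjectId }
if ($stale) {
    Write-Warning "A policy is granted to the application object id $($app.ObjectId); remove it with Remove-AzureRmKeyVaultAccessPolicy."
}
```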

Happy Coding!

About Stephane Eyskens

Office 365, Azure PaaS and SharePoint platform expert
This entry was posted in Azure Active Directory.
