If you happen to run into a security (access denied) exception with Key Vault, pay close attention to how you grant access to the Azure Active Directory application. To grant access to the application, grant it to the corresponding service principal, not to the application object itself.
One of my teammates went through the application endpoint of the Graph Explorer this way:
and found the app he wanted. He took its object id and granted access to it via the Set-AzureRmKeyVaultAccessPolicy cmdlet. The cmdlet doesn't complain and doesn't tell you that the object id does not belong to a user or a service principal. Therefore, you think that your setup is correct…
So, make sure to browse the correct endpoint, which is:
and to find the object id corresponding to the service principal of your app. As this bugged me for a while, I thought it might help others to blog it 🙂
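Here is an added PowerShell example (not from the original post) that resolves the service principal from the application, grants the access policy to the service principal's object id, and then verifies the vault's policies so a grant to the wrong object id does not go unnoticed. The vault name and application display name are placeholders; the property names (`ObjectId`, `Id`, `ApplicationId`) and the `-ApplicationId` parameter of Get-AzureRmADServicePrincipal are assumed to match the AzureRM module the post uses.

```powershell
# Added example, not the author's code. Replace the two placeholders before running.
$vaultName      = 'my-keyvault'   # placeholder: name of the Key Vault
$appDisplayName = 'my-app'        # placeholder: display name of the AAD application

# 1. The application object. Its ObjectId is NOT what Key Vault evaluates at access time.
$app = Get-AzureRmADApplication -DisplayNameStartWith $appDisplayName | Select-Object -First 1
if (-not $app) { throw "No AAD application found whose display name starts with '$appDisplayName'" }

# 2. The service principal that represents the application in this tenant.
#    Looked up by ApplicationId (client id); this is the identity the token is issued for.
$sp = Get-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
if (-not $sp) { throw "Application '$($app.DisplayName)' has no service principal in this tenant" }

Write-Host "Application ObjectId       : $($app.ObjectId)   <- wrong id for an access policy"
Write-Host "Service principal ObjectId : $($sp.Id)   <- the id Key Vault actually matches"

# 3. Grant the policy to the service principal's object id (least privilege: get/list only).
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets get, list

# 4. Verify. The cmdlet accepts any GUID silently, so check the resulting policies explicitly.
$policies = (Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies
$stale    = $policies | Where-Object { $_.ObjectId -eq $app.ObjectId }
$granted  = $policies | Where-Object { $_.ObjectId -eq $sp.Id }

if ($stale) {
    # A policy on the application object id never grants the app anything; it is dead weight in the ACL.
    Write-Warning ("A policy still targets the application object id {0}; remove it with " +
                   "Remove-AzureRmKeyVaultAccessPolicy -VaultName {1} -ObjectId {0}") -f $app.ObjectId, $vaultName
}
if (-not $granted) { throw "No access policy found for service principal $($sp.Id)" }
Write-Host "Access policy verified for service principal $($sp.DisplayName) ($($sp.Id))"
```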