I was getting the following error message when trying to grant my GitHub Action runner (running under a service principal I had created whose creds were stored in a GitHub secret) access to my key vault:

```
"code": "KeyVaultParameterReferenceAuthorizationFailed", "message": "The client 'fe8a****-****-****-****-****eb2da782' with object id 'fe8a****-****-*****-****-****eb2da782' does not have permission to perform action 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' on the specified KeyVault resource '/subscriptions/***/resourceGroups/rg_AADAccessAzureSQLPerm/providers/Microsoft.KeyVault/vaults/kv-AADAccessAzureSQLPerm'. Please see https://aka.ms/arm-keyvault for usage details."
```
The problem was resolved when a MS support engineer guided me in getting the corresponding enterprise service principal (SP) from the application service principal (using the portal) and adding that enterprise Object ID (with the Key Vault Contributor RBAC role) to the key vault. We got the corresponding Enterprise SP as described here: app-registration-vs-enterprise-applications.html.
Unfortunately, I did not take notes on how we did this in the portal (because I assumed we could do this in PowerShell) and I don't see this "Enterprise Application Blade" (described in the last link) in the portal... I have sent an email to the support engineer for details on what we did. Since this support engineer did not know how to automate this, I'm asking here in this post. Of course I'd also like to know how to do this in the portal!
Since I don't want to create snowflakes, I want to know how to do this with PowerShell or (better yet) the Azure CLI: Given a service principal created with the "az ad sp create-for-rbac" command, how do I get the enterprise Object ID?
After thinking about this some more, I suspect it is not possible to do with PowerShell or the Azure CLI... I suspect it needs to be done with curl... Can anyone guide me on this?
Thank you
Siegfried
**Morning Update Wed Sep 21 2022**:
amanpreetsingh-msft: As per install-adv2 I have installed AzureAD.
I type Connect-AzureAd and it prompts me for my username and password and I respond with my credentials for the Azure portal. This is a surprise since I have already logged in to Azure with az login.
Now I attempt your command:
```
PS C:\Users\shein> Get-AzureADServicePrincipal -All $true
Get-AzureADServicePrincipal : Error occurred while executing GetServicePrincipals
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: 1d95d371-4025-4129-808a-8780f5b2112d
DateTimeStamp: Wed, 21 Sep 2022 16:28:52 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADServicePrincipal -All $true
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADServicePrincipal], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetServicePrincipal
```
Oops, I wonder if I accidentally did that from PowerShell 5.3.1? I don't know. It would have been nice if it had checked to tell me that my PowerShell was too old... The problem is that after I installed PowerShell 7.2.6 months ago, the <FLAG+X>-A was still pointing to the old PowerShell.
OK, I try a reboot and try again with the new PowerShell 7.2.6 in elevated admin mode:
```
PS C:\Users\shein> Install-Module AzureAD
PS C:\Users\shein> Get-AzureADServicePrincipal -All $true
Get-AzureADServicePrincipal: The term 'Get-AzureADServicePrincipal' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
PS C:\Users\shein> Connect-AzureAd
Connect-AzureAd: The term 'Connect-AzureAd' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
PS C:\Users\shein>
```
Hmmm... This looks like the command I need!
Can you help me make this work?
While I would like to see this work with PowerShell, I'm wondering if there is a (semi) redundant command for the Azure CLI?
**Evening Update Wed Sep 21 2022**:
So the purpose of this is to use RBAC access for the key vault which requires the enterprise application (RBAC access won't work with the application service principal). Please explain what is different between the application service principal and the enterprise application.
- They have the same name ... correct?
- They have the same object Id... correct?
So when I'm adding RBAC access to the key vault for the enterprise application instead of the application service principal, what do I specify (since they both have the same name)? When I look at the portal display for access to the key vault, I see it now says "enterprise"... I thought I did this by telling the portal that I wanted to add a role assignment and specified the object ID... But then I see the object ID for the enterprise application is the same as the application... Am I mistaken? I'm confused.
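As an added example (not from the original post or any answer in this thread): the script below uses the Az PowerShell module (Az.Accounts and Az.Resources, not the older AzureAD module) to look up both directory objects that share the AppId printed by `az ad sp create-for-rbac`, show that their object IDs differ, and assign the role on the vault to the enterprise application's object ID. The AppId, vault resource ID and role name are placeholders; it assumes a recent Az module where the returned objects expose `.Id` and `.AppId`.

```powershell
# Added example, not the original poster's code. Placeholders: replace before running.
$appId   = '00000000-0000-0000-0000-000000000000'   # AppId (client ID) printed by `az ad sp create-for-rbac`
$vaultId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>'
$role    = 'Key Vault Contributor'   # built-in role; it includes Microsoft.KeyVault/vaults/deploy/action

# Az PowerShell keeps its own login session; `az login` does not sign it in.
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# One app registration produces two directory objects that share the same AppId:
#   - the Application object ("App registrations" blade), with its own Object ID
#   - the ServicePrincipal object ("Enterprise applications" blade), with a
#     different Object ID. Role assignments must target this second object.
$app = Get-AzADApplication      -ApplicationId $appId
$sp  = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal found for AppId $appId in this tenant." }

"App registration object ID  : $($app.Id)"
"Enterprise app object ID    : $($sp.Id)"
"Object IDs differ           : $($app.Id -ne $sp.Id)"
"Same AppId on both objects  : $($app.AppId -eq $sp.AppId)"

# Assign the role to the service principal's object ID, scoped to this vault only,
# and skip the call if the assignment already exists (keeps the script re-runnable).
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vaultId -RoleDefinitionName $role
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $vaultId
} else {
    "Role '$role' is already assigned to '$($sp.DisplayName)' on the vault."
}

# Azure CLI equivalents (same distinction: `az ad app show` vs `az ad sp show`):
#   az ad app show --id $appId --query id -o tsv      # app registration object ID
#   az ad sp show  --id $appId --query id -o tsv      # enterprise application object ID
#   az role assignment create --assignee-object-id <sp object id> `
#       --assignee-principal-type ServicePrincipal --role "$role" --scope $vaultId
```

The `--assignee-principal-type ServicePrincipal` flag on the CLI call avoids a directory lookup for the ID and so also works for a principal that was created moments earlier.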