We recently purchased an Azure App Service Certificate. I created a new Key Vault Store in the set up process for this certificate, and imported the certificate.
Now I'm trying to create a local copy of an App Service Certificate, using the powershell script provided here: https://blogs.msdn.microsoft.com/appserviceteam/2017/02/24/creating-a-local-pfx-copy-of-app-service-certificate/
However, I get an error:
Set-AzureRmKeyVaultAccessPolicy : Cannot find the Active Directory object '' in tenant 'my tenant id'. Please make sure that the user or application service principal you are authorizing is registered in the current subscription's Azure Active directory. The TenantID displayed by the cmdlet 'Get-AzureRmContext' is the current subscription's Azure Active directory. At C:\Projekt\Certificates\Azure\copyasc.ps1:22 char:1...
I'm not sure what else is relevant, but here's a few notes:
The username I'm sending into the failing Set-AzureRmKeyVaultAccessPolicy -UserPrincipalName [email protected] corresponds to the username of the only user I see in the default directory of Azure Active Directory.
This user's ObjectId is in the list of access policies for the keyvault (I see this by adding -Debug to the cmdlet that fails).
There are no keys in the keyvault. There is one (unmanaged) secret, the certificate.
Some threads mention stuff about AD applications. I'm not sure I understood what I read about these. Is this something I need to do when creating a keyvault?
Hope someone can help me? :)
According to the error log, your UserPrincipalName value is wrong. Please execute the following command to get the UserPrincipalName:
Get-AzureADUser
[email protected] is not an Azure AD account; its UserPrincipalName should be [email protected]#EXT#@<your AD>.
Or you could replace UserPrincipalName with the user's object id:
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -ObjectId $userobjectid -PermissionsToSecrets get
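An added example (not part of the answer above or of the Microsoft script) that puts the two suggestions together: resolve the signed-in user's ObjectId from the directory instead of guessing the guest-style UPN, grant only `get` on secrets, and read the access policy back to confirm. It assumes an existing Connect-AzureAD and Login-AzureRmAccount session; `$keyVaultResourceGroupName`, `$keyVaultName` and `$userMail` are placeholders you fill in.

```powershell
# Added example, not the original answer's code. Placeholder values below are assumptions.
$keyVaultResourceGroupName = "<resource-group>"     # placeholder
$keyVaultName              = "<key-vault-name>"     # placeholder
$userMail                  = "<user@example.com>"   # the address you sign in with

# Guest (B2B) users carry a UPN of the form user_example.com#EXT#@<tenant>.onmicrosoft.com,
# so match on Mail as well as UserPrincipalName rather than typing the UPN by hand.
$user = Get-AzureADUser -All $true | Where-Object {
    $_.Mail -eq $userMail -or $_.UserPrincipalName -eq $userMail
}
if (-not $user) { throw "No Azure AD user matches '$userMail' in this tenant." }
if (@($user).Count -gt 1) { throw "Ambiguous match for '$userMail'; choose the ObjectId manually." }

Write-Host "Resolved UPN: $($user.UserPrincipalName)  ObjectId: $($user.ObjectId)"

# Least privilege: exporting the PFX only needs to read the secret, so grant 'get' on secrets only.
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName `
    -VaultName $keyVaultName -ObjectId $user.ObjectId -PermissionsToSecrets get

# Read the policy back so a silent no-op (or an over-broad grant) is visible immediately.
$vault  = Get-AzureRmKeyVault -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $user.ObjectId }
if (-not $policy) { throw "Access policy for ObjectId $($user.ObjectId) was not written." }
$policy | Select-Object ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates
```

Once the PFX has been exported, remove the policy again (Remove-AzureRmKeyVaultAccessPolicy with the same ObjectId) if the user does not otherwise need standing read access to the vault's secrets.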