Tags: azure, azure-active-directory

Missing Microsoft.Azure.Websites service principal?


I'm trying to get a certificate for my App Service I'm deploying from Key Vault using this template (https://github.com/Azure/azure-quickstart-templates/tree/master/webapp-keyvault-ssl). Part of this requires creating a Key Vault access policy which grants the Microsoft.Azure.Websites service principal (ID abfa0a7c-a6b6-4736-8310-5855508787cd) get on the Secrets. This works in my subscription just fine, but wasn't working in the customer's subscription. We could run the Set-AzKeyVaultAccessPolicy command referencing the service principal's ID, and it executed without error, but the access policy does not actually get created. When I did a Get-AzADServicePrincipal -DisplayNameBeginsWith 'Microsoft.Azure.Websites' nothing is returned. Yet when I look in the audit log for the Key Vault I can see a user with ID abfa0a7c-a6b6-4736-8310-5855508787cd trying to log in, so somewhere this identity must exist(?)

Is there something I need to do to enable/create this default (Microsoft.Azure.Websites) service principal? I checked my MSDN account and see the same behavior, in that this principal is not present.

I can deploy this template in a subscription where the Microsoft.Azure.Websites principal exists, but when the principal does not exist, the template deployment will fail.

# Gets the service principal (missing in problem subscription)
Get-AzADServicePrincipal -DisplayNameBeginsWith 'Microsoft.Azure.Websites'

# Sets the Key Vault access policy for the built-in service principal;
# -ServicePrincipalName takes the application (client) ID of the principal
Set-AzKeyVaultAccessPolicy -VaultName keyVaultName -ServicePrincipalName "abfa0a7c-a6b6-4736-8310-5855508787cd" -PermissionsToSecrets get

Solution

  • 'abfa0a7c-a6b6-4736-8310-5855508787cd' is the Resource Provider service principal name and it remains the same for all Azure subscriptions. Its display name in the service principal list is 'Microsoft Azure App Service', not 'Microsoft.Azure.Websites'.

    Try with

    Get-AzADServicePrincipal -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
    

    to see if it exists.

    If it doesn't exist, check the resource provider of your subscription.
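The following script is an added example (not code from the question, the answer, or the quickstart template) that puts the answer's advice into a repeatable check: look the principal up by its well-known application ID rather than by display name, register the Microsoft.Web resource provider if it is missing, grant the principal only `get` on secrets, and then read the vault back to confirm the policy really exists instead of trusting the silent success the question describes. It assumes the Az.Accounts, Az.Resources and Az.KeyVault modules are installed and `Connect-AzAccount` has already been run against the right subscription; `$VaultName` is a placeholder parameter, and the assumption that registering Microsoft.Web is what makes the principal appear is marked in the code.

```powershell
# Added example: verify/grant Key Vault access for the App Service
# resource-provider principal and confirm the policy was actually applied.
# Assumes Az.Accounts, Az.Resources, Az.KeyVault and a prior Connect-AzAccount.
param(
    [Parameter(Mandatory)] [string] $VaultName   # placeholder: your vault name
)

$ErrorActionPreference = 'Stop'

# Well-known application (client) ID of the App Service resource provider.
# It is the same in every tenant; the display name is 'Microsoft Azure App Service'.
$appServiceAppId = 'abfa0a7c-a6b6-4736-8310-5855508787cd'

# Look up by application ID, not display name (the display name is not
# 'Microsoft.Azure.Websites', which is why the -DisplayNameBeginsWith query is empty).
$sp = Get-AzADServicePrincipal -ApplicationId $appServiceAppId -ErrorAction SilentlyContinue

if (-not $sp) {
    Write-Warning "Principal $appServiceAppId is not present in this tenant."

    # Assumption (per the answer's advice): the principal appears once the
    # Microsoft.Web resource provider is registered in the subscription.
    $unregistered = @(Get-AzResourceProvider -ProviderNamespace Microsoft.Web |
                      Where-Object { $_.RegistrationState -ne 'Registered' })
    if ($unregistered.Count -gt 0) {
        Write-Host 'Registering the Microsoft.Web resource provider...'
        Register-AzResourceProvider -ProviderNamespace Microsoft.Web | Out-Null
    }

    $sp = Get-AzADServicePrincipal -ApplicationId $appServiceAppId -ErrorAction SilentlyContinue
    if (-not $sp) {
        throw "Principal $appServiceAppId still missing after registering Microsoft.Web; check the resource provider registration and the tenant."
    }
}

Write-Host "Found '$($sp.DisplayName)' with object ID $($sp.Id)"

# Least privilege: App Service only needs to read the certificate secret, so
# grant 'get' on secrets and nothing else. Target the object ID so the policy
# is bound to the principal that actually exists in this tenant.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToSecrets get

# Do not trust a cmdlet that returns without error: read the vault back and
# check that an access policy for this object ID exists with exactly 'get'.
$vault  = Get-AzKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

if (-not $policy) {
    throw "No access policy for object ID $($sp.Id) was created on vault $VaultName."
}

$granted = (@($policy.PermissionsToSecrets) | ForEach-Object { $_.ToLower() } | Sort-Object) -join ','
if ($granted -ne 'get') {
    throw "Unexpected secret permissions on $VaultName for $($sp.Id): '$granted' (expected 'get')."
}

Write-Host "OK: $VaultName grants 'get' on secrets to $($sp.DisplayName) ($($sp.Id))."
```

Run it as `.\Grant-AppServiceVaultAccess.ps1 -VaultName <your-vault>` (script name is arbitrary). The read-back at the end is the part worth keeping in any deployment pipeline: the question's symptom was a `Set-AzKeyVaultAccessPolicy` that returned cleanly while the vault's policy list stayed unchanged, and only inspecting `AccessPolicies` on the vault object exposes that.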