There is one task which is simple and easily achieved using Cloud Shell: I need to give my Data Factory get, set access in the access policies.

Commands:
```powershell
$objectid = (Get-AzDataFactoryV2 -ResourceGroupName "BDAZE1ENRG01" -Name "BDAZE1INDF03").Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -VaultName "BDAZE1ENKV01" -PermissionsToKeys get,list -PermissionsToSecrets get,list -ObjectId $objectid
```
DevOps task screenshot: (image not included)

The error is in the DevOps log.

PowerShell version 3.1.0; task version: inline script 4.0.
When you run the command `Set-AzKeyVaultAccessPolicy`, it calls the Azure AD Graph to validate the `$objectid` you passed. In Cloud Shell it uses the credential of your user account; the fact that it works there means your user account has the permission. In DevOps, the service principal has no permission to do that by default.

To solve the issue, the easiest way is to use the `-BypassObjectIdValidation` parameter like below, then it will work fine.
```powershell
Set-AzKeyVaultAccessPolicy -VaultName "joykeyvault" -PermissionsToKeys get,list -PermissionsToSecrets get,list -ObjectId $objectid -BypassObjectIdValidation
```
Of course there is another way: just grant the application permission in Azure AD Graph, like below, to the AD App of your DevOps connection. (It must be an Application type permission in Azure Active Directory Graph, not Microsoft Graph, and don't forget to click the Grant admin consent button.)
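As an added example (not part of the question or the answer above), the following PowerShell script puts both steps together the way a pipeline would run them: it resolves the Data Factory managed identity, tries the normal validated call first, falls back to `-BypassObjectIdValidation` only when validation fails, and then reads the vault's `AccessPolicies` back to confirm the entry exists. The resource names are placeholders, and the verification step via `Get-AzKeyVault` is an assumption about what a practitioner would want, not something the answer describes.

```powershell
# Added example (not from the question or answer): grant a Data Factory managed
# identity get/list on a Key Vault from a pipeline service principal, falling
# back to -BypassObjectIdValidation when the service principal cannot read
# Azure AD, then verify the resulting policy entry. Names below are placeholders.
param(
    [string]$ResourceGroupName = "<resource-group>",      # placeholder
    [string]$DataFactoryName   = "<data-factory-name>",   # placeholder
    [string]$VaultName         = "<key-vault-name>"       # placeholder
)

$ErrorActionPreference = "Stop"

# 1. Resolve the Data Factory's system-assigned managed identity from the ARM
#    resource itself, so the object id is never hand-typed.
$adf      = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $DataFactoryName
$objectId = $adf.Identity.PrincipalId
if (-not $objectId) {
    throw "Data Factory '$DataFactoryName' has no system-assigned managed identity."
}

# 2. Try the normal path first; it validates $objectId against Azure AD Graph.
$policyParams = @{
    VaultName            = $VaultName
    ObjectId             = $objectId
    PermissionsToKeys    = @('get', 'list')
    PermissionsToSecrets = @('get', 'list')
}
try {
    Set-AzKeyVaultAccessPolicy @policyParams
    Write-Host "Access policy set with object id validation."
}
catch {
    # The pipeline's service principal usually lacks permission to read
    # directory objects, so validation fails. Bypassing it is acceptable here
    # because the object id came from the Data Factory resource, not from input.
    Write-Warning "Object id validation failed ($($_.Exception.Message)); retrying with -BypassObjectIdValidation."
    Set-AzKeyVaultAccessPolicy @policyParams -BypassObjectIdValidation
}

# 3. Verify the policy actually landed for that principal. Because the bypass
#    skips validation, a wrong object id would silently create an orphan entry.
$vault  = Get-AzKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $objectId }
if (-not $policy) {
    throw "No access policy found for object id $objectId on vault $VaultName."
}
"Verified: {0} -> keys [{1}] secrets [{2}]" -f $objectId,
    ($policy.PermissionsToKeys -join ','),
    ($policy.PermissionsToSecrets -join ',')
```

Run it from an Azure PowerShell task that has the Az.DataFactory and Az.KeyVault modules available. The try/catch keeps the validated path as the default, so the bypass is only exercised on the DevOps service connection where the Graph lookup is not permitted, and the final check gives the pipeline log a line it can be audited against.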