
I am creating an Azure Key Vault using .NET Core 2.1 with OpenIdConnect, with the following AccessPolicies:

```csharp
AccessPolicies = new List<AccessPolicyEntry>()
{
    new AccessPolicyEntry
    {
        TenantId = Guid.Parse(tenantId),
        ObjectId = objectId,
        Permissions = new Permissions
        {
            Secrets = new List<string> { "all" },
            Keys = new string[] { "all" },
            Certificates = new string[] { "all" }
        }
    }
}
```

Using that I can create the key vault, but when I go to the newly created key vault's settings blade (Keys, Secrets, Certificates) in the Azure portal, it shows the warning "The operation "List" is not enabled in this key vault's access policy."

Note: as shown in the code above, all permissions are given. I can see that in the Azure portal.

What I have tried: I have already referred to the following Stack Overflow question-answer(s).

According to the above Stack Overflow answer(s), you "need to pass the object ID of the service principal of the Azure AD application instead of object ID of your Azure AD application".

I have tried to find out the object ID of the service principal of the Azure AD application using the following PowerShell script:

```powershell
Get-AzADServicePrincipal -ServicePrincipalName "<app client ID>"
```

It gives the following result:

[screenshot of the Get-AzADServicePrincipal output]

I have tried to use the "Id" (in the above screenshot) as the objectId of the AccessPolicyEntry, but it did not solve the problem.

Questions:

  1. Does any other permission need to be set in AccessPolicyEntry?
  2. What should the objectId be in AccessPolicyEntry (currently, I am giving the objectId of the Azure AD application)?
  3. If the objectId of the service principal is needed, how can I get it programmatically?
Harish

1 Answer


Well, I can reproduce your issue on my side.

First, the advice to pass the object ID of the service principal instead of the object ID of your Azure AD application is completely correct. After giving all the permissions to the service principal in the Access policies, the service principal will have the permissions.

But when you check the key vault in the portal, you are using the user account you logged in to the Azure portal with, not the service principal; that causes the warning.

So if you want to fix the warning, just add your user account to the Access policies via the + Add Access Policy button in the portal, or specify the object ID of your user account with the permissions in your code when creating the key vault.

Then about your questions:

Does any other permission need to be set in AccessPolicyEntry?

No, the permissions are enough.

What should the objectId be in AccessPolicyEntry (currently, I am giving the objectId of the Azure AD application)?

You should not use the object ID of the AD app; your options are the object ID of the service principal, a security group, or a user account, depending on your requirement; details here.

If the objectId of the service principal is needed, how can I get it programmatically?

You can use the PowerShell command as you did, or the Azure CLI command az ad sp show with the service principal name.

Or you could use the Microsoft Graph SDK for C# along with a filter, something like:

```csharp
GraphServiceClient graphClient = new GraphServiceClient(authProvider);

// Query the servicePrincipals collection; the filter narrows it to the principal you want,
// e.g. "appId eq '<app client ID>'" to match it by the app registration's client ID.
var servicePrincipals = await graphClient.ServicePrincipals
    .Request()
    .Filter("some condition")
    .GetAsync();
```
Joy Wang
  • Thanks for this detailed explanation. For now I have taken the objectId of the user using PowerShell, but I would like to take the objectId of the logged-in user. How can I fetch the objectId of the currently logged-in user using the Microsoft Graph SDK (like the serviceprincipals you showed in your answer above)? – Harish Aug 20 '20 at 06:33
  • @HarishShisode Hi, I think it is really a different question from the topic of the original post; you may need to ask it in a new post, including your scenario, so it will also be clear for others. – Joy Wang Aug 20 '20 at 06:40
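Putting the answer's points together, as an added example that is not part of the original question or answer: it resolves the service principal's object ID through the Graph SDK by filtering on the app's client ID, takes the portal user's object ID from the OpenIdConnect token's object identifier claim, and creates the vault with one access policy for each. It assumes the Microsoft.Azure.Management.KeyVault and Microsoft.Graph (v3-era Request().Filter() API) packages; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;
using Microsoft.Graph;

public static class VaultCreator
{
    // Object ID of the service principal backing an app registration, looked up by client (app) ID.
    // This is the ID the access policy needs, not the object ID of the application object itself.
    public static async Task<string> GetServicePrincipalObjectIdAsync(GraphServiceClient graph, string appClientId)
    {
        var page = await graph.ServicePrincipals.Request()
            .Filter($"appId eq '{appClientId}'")
            .GetAsync();
        var sp = page.FirstOrDefault()
                 ?? throw new InvalidOperationException("No service principal for this app ID in the tenant.");
        return sp.Id;
    }

    public static async Task<Vault> CreateVaultAsync(
        KeyVaultManagementClient client, GraphServiceClient graph, ClaimsPrincipal signedInUser,
        string resourceGroup, string vaultName, string location, string tenantId, string appClientId)
    {
        string spObjectId = await GetServicePrincipalObjectIdAsync(graph, appClientId);
        // The signed-in user's object ID is carried in the OpenIdConnect token as the 'oid' claim.
        string userObjectId = signedInUser.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
            ?? throw new InvalidOperationException("Signed-in user has no object identifier claim.");

        var policies = new List<AccessPolicyEntry>
        {
            // The application identity gets the full set the post uses.
            new AccessPolicyEntry(Guid.Parse(tenantId), spObjectId,
                new Permissions(keys: new[] { "all" }, secrets: new[] { "all" }, certificates: new[] { "all" })),
            // The portal user only needs to browse the blades, so grant list/get rather than "all".
            new AccessPolicyEntry(Guid.Parse(tenantId), userObjectId,
                new Permissions(keys: new[] { "list", "get" }, secrets: new[] { "list", "get" },
                                certificates: new[] { "list", "get" }))
        };

        var parameters = new VaultCreateOrUpdateParameters(location,
            new VaultProperties(Guid.Parse(tenantId), new Sku(SkuName.Standard), policies));
        return await client.Vaults.CreateOrUpdateAsync(resourceGroup, vaultName, parameters);
    }
}
```

The Graph lookup requires an access token with Application.Read.All (or equivalent) for the servicePrincipals query; the KeyVaultManagementClient credentials need write rights on the resource group.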