It's not clear to me and not explained what you mean by 'Azure Key Vault application identity'.
In section "Setup for role-based access control (RBAC) permissions"
It says "Azure Key Vault application identity needs permissions".
Below it, in the code sample, on the line:
```powershell
$servicePrincipal = Get-AzureRmADServicePrincipal -ServicePrincipalName <GUID>
```
It is not explained how the GUID was obtained and where from. This is presumably the Id of the 'Azure Key Vault application identity', but I don't understand what that is or where I should obtain that information from.
I assume the following would work?:
```powershell
# Get ObjectId of Azure Key Vault Identity
$servicePrincipalId = (Get-AzureRmADServicePrincipal -DisplayName 'Azure Key Vault').Id
# Assign Storage Key Operator role to Azure Key Vault Identity
New-AzureRmRoleAssignment -ObjectId $servicePrincipalId -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $storage.Id
```
Thanks for your feedback! We will investigate and update as appropriate.
Hi @rohancragg - correct, the GUID is the identifier for the service principal, also known as the Application ID, or Client ID, which gets assigned when an application is registered with Azure AD. See Integrating applications with Azure Active Directory for more background.
And yes, you could also use Get-AzureRmADServicePrincipal to query by registered display name instead. In the case of PowerShell, it would be querying against the apps registered in the Azure AD tenant of the account you used for sign-in for your PowerShell session. I'll add some text to the article to clarify the meaning of the "application identity".
@MarileeTurscak-MSFT - feel free to assign this one to me.
Thanks @BryanLa - I was aware of being able to register Applications in AAD, but in this case I have not registered an Application (and the doc does not mention doing that). The GUID is presumably for an already 'built-in' Application (the instance of the Azure Key Vault service in our tenant presumably?) We've not explicitly added this ourselves - it's already there - hence why I'm trying to clarify...?
Hi @rohancragg - yes, you are correct again. The application/client ID being cited is the one assigned to the Azure Key Vault AAD registration. I was just providing more background on the concept of registration and a service principal, but as you said, several Microsoft ones are "built in".
So in the PowerShell script, Azure Key Vault is the client, and it needs to access Azure Storage, to manage your storage account keys for you. So the script is extracting the identity of the Azure Key Vault app (its service principal), and using RBAC to add it to the appropriate roles on the Storage service.
Please have a look at the article again in about 1.5-2.0 hours, and let me know if the changes help clarify.
HTH!
Bryan
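The flow Bryan describes above (Key Vault acting as the client, and RBAC granting its built-in service principal rights on the storage account), written out as an added example. This is not the article's script and not code posted by anyone in this thread. It assumes an AzureRm session (Connect-AzureRmAccount) and uses placeholder resource group and storage account names; the lookup goes by display name because the ObjectId of the Microsoft-registered Key Vault principal is specific to your tenant, while its Application ID is not.

```powershell
# Added example: grant the built-in Azure Key Vault service principal the
# Storage Account Key Operator Service Role on a single storage account.
# Assumes Connect-AzureRmAccount has already been run in this session.

$resourceGroup      = 'my-rg'          # assumption: replace with your resource group
$storageAccountName = 'mystorageacct'  # assumption: replace with your storage account
$roleName           = 'Storage Account Key Operator Service Role'

# The Key Vault application is registered by Microsoft, not by you. Its
# Application (client) ID is the same in every tenant, but the service
# principal's ObjectId is tenant-specific, so resolve it at run time.
$sp = @(Get-AzureRmADServicePrincipal -DisplayName 'Azure Key Vault')
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named 'Azure Key Vault', found $($sp.Count). " +
          "Inspect candidates with: Get-AzureRmADServicePrincipal -SearchString 'Key Vault'"
}
$sp = $sp[0]
Write-Host "Key Vault principal: ObjectId=$($sp.Id) ApplicationId=$($sp.ApplicationId)"

# Scope the grant to the one storage account, not the resource group or subscription.
$storage = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName

# Get-AzureRmRoleAssignment -Scope also returns assignments inherited from
# parent scopes, so filter to an assignment made exactly at this account.
$existing = Get-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $storage.Id |
    Where-Object { $_.Scope -eq $storage.Id }

if ($existing) {
    Write-Host "Role assignment already present on $($storage.Id); nothing to do."
} else {
    New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $storage.Id
    Write-Host "Granted '$roleName' to Azure Key Vault on $($storage.Id)"
}
```

The count check matters because a display-name query is not unique by construction: a tenant that also contains a customer-registered app with a similar name would otherwise silently pick the wrong principal. Granting the role at the storage account scope (rather than the resource group or subscription) keeps Key Vault's key-rotation rights limited to the one account it manages.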
Changes have been published: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys#give-key-vault-access-to-your-storage-account
CXP #please-close
Thanks for the update, but this is still not as clear as it could be.
I provided a line of PowerShell that I think people would find really useful that should be added into the code block in https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys#getting-started:
```powershell
# Get ObjectId of Azure Key Vault Identity
$servicePrincipalId = (Get-AzureRmADServicePrincipal -DisplayName 'Azure Key Vault').Id
```
The reason for this is that the Application ID seems to be different in different Subscriptions (or is it perhaps in different Regions?). In any case, it's not the same as the GUID in the doc when I execute the above command.
Totally agree with @rohancragg and I don't understand why this issue is closed. It is still not clear what the Azure Key Vault application identity is, nor does it say that this identity is "built-in". Considering other Key Vault experience, I'd have expected the Key Vault application to be a "dummy" application a user should register in Azure AD and use its Application Id. Please make this part about "Azure Key Vault application identity" more clear.