"Failed to update permissions on selected Key Vault" attempting to configure app service certificate

Bob Trabucco 16

Purchased an app service certificate.

Attempting to configure. Step 1 - Key vault.

Select my key vault.

Get error "Failed to update permissions on selected Key Vault. Check below errors for more detail."

No errors displayed below.

Go to activity log. "An invalid value was provided for 'accessPolicies'.

I am a co-owner on the subscription and have all rights.

Thanks in advance

Grmacjon-MSFT 15,856 Reputation points

2021-05-19T23:30:17.623+00:00

Hello @Bob Trabucco ,

Thanks for bringing this to our attention. We apologize for any inconvenience this issue may have caused.

Can you please share the ARM template you're using? It sounds like this is a known issue based on this Github thread.

-Grace
Bob Trabucco 16 Reputation points

2021-05-20T00:31:05.203+00:00

Hi!

Thanks for the response.

I am not using any templates for this. I am doing this entirely through the Azure Portal UI.

Selected the new App Service Certificate.

Selected "Certificate Configuration"

Checked the box "Step 1: Store"

Selected my Key Vault.

Got the error.

Thanks
Grmacjon-MSFT 15,856 Reputation points

2021-05-20T00:34:09.387+00:00

Thanks for the clarification @Bob Trabucco . This seems like a bug. We will share this with the engineering team and get back to you. We appreciate your patience

-Grace
Bob Trabucco 16 Reputation points

2021-05-20T00:39:38.987+00:00

Thanks Grace. Looking forward to it since the site currently can't be protected using a SSL.

Thanks!
Grmacjon-MSFT 15,856 Reputation points

2021-05-20T01:05:10.57+00:00

Hi Bob,

One more thing, can you tell us a little bit more about the type of Azure app service you have and please share a screenshot of what you're seeing in the Azure portal? We want to reproduce your exact setup and scenario on our end.

-Grace
Keith Rowe 11 Reputation points

2021-05-20T12:03:51.547+00:00

@Grmacjon-MSFT : I am experiencing the same error message on a new wildcard certificate and new vault.
Jahangir Alam 1 Reputation point

2021-05-21T13:31:46.213+00:00

I am also experiencing the same error :(
Bob Trabucco 16 Reputation points

2021-05-24T17:03:15.85+00:00

Nope. Still waiting on @Grmacjon-MSFT ....
Teemu Nylander 6 Reputation points

2021-05-25T14:03:36.833+00:00

I have the same issue as well. Any update on this issue?
Keith Rowe 11 Reputation points

2021-05-25T14:23:29.4+00:00

@Teemu Nylander no update yet. Still waiting on @Grmacjon-MSFT

4 answers

Grmacjon-MSFT 15,856 Reputation points

2021-05-25T22:32:06.32+00:00

Thank you so much for your patience everyone. The App Service team investigated this issue and it turns out it can be resolved by adding the account configuring the App Service into a Global Administrator role in AAD. A Global Administrator can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators.

If you are not the owner of the subscription, the owner can add you as a Global Admin by following the steps in this documentation: Assign administrator and non-administrator roles to users with Azure Active Directory.

Can you try this solution and let us know if it works for you? If you run into any issues please let us know.
@Teemu Nylander @Frits , @Bob Trabucco , @Keith Rowe

Best,
Grace
Please sign in to rate this answer.

2 people found this answer helpful.
Keith Rowe 11 Reputation points

2021-05-26T12:36:09.49+00:00

@Grmacjon-MSFT confirmed this does work and I am able to use the certificate in my app services. Thank you.

Teemu Nylander 6 Reputation points

2021-05-26T14:40:11.72+00:00

Thanks @Grmacjon-MSFT ! It works.

Grmacjon-MSFT 15,856 Reputation points

2021-05-28T16:57:54.547+00:00

Hi @Jason Ford , @Bob Trabucco and @Frits

just checking to see if you're still facing this issue. The above solution should resolve this issue. If you further questions please let us know.

Thanks,
Grace

Casper Andersen 1 Reputation point

2021-06-16T11:38:10.29+00:00

Iis there a fix to this issue? Facing the same problem, and I'm and owner on the account.
The only fix is still to let my customer set me as Global Administrator in Azure AD?

Keith Rowe 11 Reputation points

2021-06-16T12:33:48.483+00:00

@Casper Andersen yes, that is the only fix or workaround that I am familiar with.

Grmacjon-MSFT 15,856 Reputation points

2021-06-17T22:10:01.233+00:00

Hi @Casper Andersen , yes that is the solution for this issue. If you are still facing this issue after being set as Global Administrator in Azure AD please let me know.

Thanks,
Grace

Chris Spanellis 26 Reputation points

2022-10-04T20:36:43.037+00:00

Hi, this really isn't a solution, but a workaround. I shouldn't have to be a global admin to select a key vault (that I created) for a certificate (that I created). Most security folks won't go around assigning global access to people.

Chris Lahey 0 Reputation points

2024-01-15T22:30:43.59+00:00

Adding to the comments chain here. We have many customers who we have no business being a global AD admin for who we need to manage their Azure subscriptions and there needs to be a solution to this issue. I'm still facing it today.
Sign in to comment
Gregory Suvalian 186 Reputation points

2022-11-28T21:26:03.163+00:00

Microsoft please provide actual solution, being Global Administrator for this to work is work around. Why owner permission on keyvault is not sufficient for RBAC changes?
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Bob Trabucco 16 Reputation points

2021-05-20T01:13:54.263+00:00

The App Service is a standard ASP.NET C# web app.

But the problem happens long before I am doing anything with the app service.

The problem happens in the newly purchased "App Service CERTIFICATE"

See attached images
Please sign in to rate this answer.
Keith Rowe 11 Reputation points

2021-05-21T19:04:18.14+00:00

@Bob Trabucco / @Grmacjon-MSFT :
Any update on this issue? I have purchased a wildcard SSL that I am unable to use as I am experiencing the exact same issue.

Thank you.

-Keith

Bob Trabucco 16 Reputation points

2021-05-21T19:06:30.23+00:00

I'll still waiting for @Grmacjon-MSFT to respond as well...

Keith Rowe 11 Reputation points

2021-05-21T19:18:26.61+00:00

Ok, thank you. I'm going to upgrade my support plan and submit a ticket and see if that gets any traction.

Grmacjon-MSFT 15,856 Reputation points

2021-05-21T20:46:17.537+00:00

@Bob Trabucco & @Keith Rowe

Thank you so much for your patience. The engineering team is still working on this issue and needs some additional information so they can investigate further.

Can you please email us at azcommunity@microsoft.com with the subject "ATTN: Grace" and in the body of the email include

HAR trace before and after assigning KeyVault + during the operation of assigning the KeyVault

Ownership details (Owner? admin? contributor? etc) for the account that is assigning the KeyVault

Azure Subscription ID

We look forward to hearing from you.

Thanks, -Grace

Keith Rowe 11 Reputation points

2021-05-21T21:21:39.567+00:00

@Grmacjon-MSFT : Done, emailed over! Thank you, let me know if you do not receive it.

Bob Trabucco 16 Reputation points

2021-05-21T21:35:31.03+00:00

Email sent

Jason Ford 1 Reputation point

2021-05-23T16:40:24.237+00:00

I have the same problem with a purchased app service certificate and new key vault.

Frits 1 Reputation point

2021-05-24T17:01:46.7+00:00

I am having this problem as well. Any updates?
Sign in to comment
Henry 0 Reputation points

2023-09-26T19:10:08.48+00:00

Did anyone actually find a solution to this? We get the same error even with subscription owner and global admin permission.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment