Greetings!
The issue arises due to the inability to acquire an access token for Key Vault from Azure Active Directory using the identity of the resource. This can happen if the application identifier is not found in the directory, which may occur if the application has not been installed by the tenant administrator or consented to by any user in the tenant, or if the authentication request was sent to the wrong tenant.
In this specific case, the problem occurred after the customer deleted the System Managed Identity and added a User Assigned Managed Identity. The resolution involved re-adding the System Managed Identity, which resolved the access issue.
To resolve this issue:
- Verify that the application identifier exists in the directory and is not in a soft-deleted state.
- Ensure that the System Managed Identity is not deleted if you plan to use it for authentication.
- If you need to use both User Assigned and System Managed Identities, ensure they are properly configured.
- Verify that the managed identities (both System and User Assigned) have the necessary access policies set in the Key Vault.
Go to the Azure Key Vault -> "Access policies" and ensure that the identities have the required permissions (e.g., Get, List, etc.).
Alternatively, ensure the managed identities have the appropriate Role-Based Access Control (RBAC) roles assigned.
For more information on managing identities and configuring access, refer to the following Azure documentation:
Resources:
Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.
Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.