The Microsoft.Azure.CertificateRegistration is a service principal used by App Services to pull certificates from Key Vault.
I'm assuming you added the access policies, but in any case here is how to do it:
- Go to the Azure Portal.
- Navigate to your Key Vault.
- Under 'Settings', select 'Access policies'.
- Click '+ Add Access Policy'.
- Configure from template: select the appropriate permission model based on your use case, e.g., Secret Management.
- Under 'Select principal', search for Microsoft.Azure.WebSites and select it.
- Click 'Add' and then 'Save' to apply the changes.
If that still doesn't work, from past experience it typically boils down to 4 possible scenarios:
- You might not need this principal if you're trying to import a certificate to an Azure App Service. The Microsoft.Azure.WebSites permission should be sufficient.
- Check your identity:
  - Ensure that your Azure App Service has a system-assigned managed identity enabled. This identity is what will be used to authenticate against the Key Vault.
  - Go to your Azure App Service in the portal.
  - Under 'Settings', select 'Identity'.
  - Ensure 'System assigned' is set to 'On'.
- Troubleshoot your network:
  - Check if your Key Vault is configured with Virtual Network Service Endpoints or Private Endpoints.
  - Then ensure that your App Service can access the Key Vault over the network.
All of the above assumes that no dependencies are interfering; there might be intermediary resources or dependencies that need access to the Key Vault as well. Ensure all dependencies that might be trying to fetch the certificate have the appropriate access.
Hopefully, this resolves your issue. Let me know!
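The portal steps above, as an added Azure CLI example (not part of the original answer, and not the asker's or Microsoft's code): it grants the App Service resource provider principal read access to the vault, enables the web app's system-assigned identity and grants it access, then checks the vault's firewall default action. It assumes `az` is installed and logged in, that the vault uses the access-policy permission model rather than Azure RBAC, and that you are in the public Azure cloud; the `abfa0a7c-...` appId is the documented well-known ID of the Microsoft.Azure.WebSites principal there (verify it in your tenant as shown in the comment, since other clouds use different IDs). The `AZ=echo` dry-run switch is this script's own convention.

```shell
#!/bin/sh
# Added example, not code from the original post: the portal walk-through as
# Azure CLI calls so the grant can be scripted and reviewed.
# Assumes: az installed and logged in; vault uses the access-policy permission
# model (not Azure RBAC); public Azure cloud.
set -eu

# Command used to talk to Azure. Override with AZ=echo for a dry run that
# prints the commands instead of executing them.
AZ="${AZ:-az}"

# appId of the Microsoft.Azure.WebSites ("Microsoft Azure App Service") resource
# provider principal in the public cloud (documented well-known value; sovereign
# clouds use different IDs). Verify in your tenant with:
#   az ad sp show --id "$APP_SERVICE_RP_APPID" --query displayName
APP_SERVICE_RP_APPID="abfa0a7c-a6b6-4736-8310-5855508787cd"

# Least-privilege grant for the App Service resource provider: importing a
# certificate only needs to read it (the cert is stored as a secret), so 'get'.
kv_grant_app_service_rp() {
    vault="$1"
    "$AZ" keyvault set-policy --name "$vault" \
        --spn "$APP_SERVICE_RP_APPID" \
        --secret-permissions get \
        --certificate-permissions get
}

# Enable the system-assigned managed identity on the web app and return its
# principalId (object id). Re-running on an app that already has one is harmless.
webapp_ensure_identity() {
    rg="$1"; app="$2"
    "$AZ" webapp identity assign --resource-group "$rg" --name "$app" \
        --query principalId --output tsv
}

# Grant the app's own identity get/list on secrets and certificates, which is
# what Key Vault references and runtime certificate loading use.
kv_grant_identity() {
    vault="$1"; principal_id="$2"
    "$AZ" keyvault set-policy --name "$vault" \
        --object-id "$principal_id" \
        --secret-permissions get list \
        --certificate-permissions get list
}

# Network check: a vault whose firewall default action is Deny rejects callers
# that are not allowed via service endpoint, private endpoint or IP rule.
kv_network_default_action() {
    vault="$1"
    "$AZ" keyvault show --name "$vault" \
        --query "properties.networkAcls.defaultAction" --output tsv
}

# Pure helper (no Azure call) so the decision is testable: given the default
# action string, say whether the network path needs attention.
kv_network_needs_review() {
    case "$1" in
        Deny) return 0 ;;   # firewall on: check service/private endpoints
        *)    return 1 ;;   # Allow, or empty when no ACLs are set
    esac
}

main() {
    vault="$1"; rg="$2"; app="$3"
    kv_grant_app_service_rp "$vault"
    principal_id="$(webapp_ensure_identity "$rg" "$app")"
    kv_grant_identity "$vault" "$principal_id"
    action="$(kv_network_default_action "$vault")"
    if kv_network_needs_review "$action"; then
        echo "WARN: $vault firewall defaultAction=Deny; confirm the App Service can reach it (service/private endpoint or allowed IPs)" >&2
    fi
}

# Usage: ./kv-appservice-cert.sh <vault> <resource-group> <web-app>
#        AZ=echo ./kv-appservice-cert.sh myvault myrg myapp   (dry run)
[ "$#" -eq 0 ] || main "$@"
```

Run it once with `AZ=echo` to review the exact `az keyvault set-policy` calls before they are applied; the resource provider principal deliberately gets `get` only, while the app's identity gets `get list` because Key Vault references enumerate versions. If the script prints the `Deny` warning, the remaining work is on the network side (service endpoint or private endpoint for the App Service subnet), not on access policies.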