Getting validation error(s) "Frontdoor application does not have read permission for the key vault" trying to migrate from classic to standard/premium

Babarske 21 Reputation points
2022-11-30T18:48:25.863+00:00

Granted "Get" certificate permission in the key vault; however, still getting the same error. Not sure what the issue is here.


Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,956 Reputation points Microsoft Employee
    2022-11-30T21:00:33.977+00:00

    @Babarske ,
    Welcome to the Microsoft Q&A forum. I understand you are trying to migrate your classic AFD to Standard/Premium AFD and you are getting the error "Frontdoor application does not have read permission for the key vault".

    As per the Prerequisite section of the migration documentation here, can you please confirm if you have added Microsoft.AzureFrontDoor-Cdn as an app in your Azure Active Directory and have granted Microsoft.AzureFrontDoor-Cdn access to your Key Vault?
    You can follow the steps mentioned here for implementation.


    Note: The Application Id of 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8 is predefined by Azure for Front Door Standard and Premium tier across all Azure tenants and subscriptions. Azure Front Door (Classic) has a different Application Id.

    Hope this helps! Please let me know if the issue still exists. Thank you!

    1 person found this answer helpful.
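
An offline check for the condition both answers describe, added here as an example that is not part of the original thread or of Microsoft's tooling: it reads the JSON that `az keyvault show` prints and reports whether the service principal for Microsoft.AzureFrontDoor-Cdn has an access policy. The object IDs, the sample vaults and the required permission set (`get` on secrets and certificates) are assumptions; use the object ID your tenant assigned to the application ID quoted in the note above.

```python
# Application ID the accepted answer gives for Front Door Standard/Premium.
AFD_STD_PREMIUM_APP_ID = "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"

# Assumption (not stated on the page): Front Door needs "get" on both kinds.
REQUIRED = (("secrets", "get"), ("certificates", "get"))


def check_vault(vault, sp_object_id, required=REQUIRED):
    """Return findings for a parsed `az keyvault show` document.

    sp_object_id is the object ID of the tenant's service principal for
    AFD_STD_PREMIUM_APP_ID. An empty list means the policy is in place.
    """
    props = vault.get("properties", {})
    if props.get("enableRbacAuthorization"):
        return ["vault uses Azure RBAC; access policies are not evaluated"]
    mine = [p for p in (props.get("accessPolicies") or [])
            if (p.get("objectId") or "").lower() == sp_object_id.lower()]
    if not mine:
        return ["no access policy for Microsoft.AzureFrontDoor-Cdn"]
    findings = []
    for kind, op in required:
        # Permission names compare case-insensitively; "all" covers every one.
        granted = {g.lower() for p in mine
                   for g in ((p.get("permissions") or {}).get(kind) or [])}
        if op not in granted and "all" not in granted:
            findings.append(f"Microsoft.AzureFrontDoor-Cdn lacks {kind}/{op}")
    return findings


# Constructed sample data: object IDs are placeholders, not real principals.
CLASSIC_OID = "00000000-0000-0000-0000-00000000c1a5"
STD_PREMIUM_OID = "00000000-0000-0000-0000-0000000005d9"


def policy(oid, **perms):
    return {"objectId": oid, "applicationId": None, "permissions": perms}


# Only the classic principal holds certificate "Get" (the failing state).
VAULT_BEFORE = {"properties": {"enableRbacAuthorization": False, "accessPolicies": [
    policy(CLASSIC_OID, certificates=["Get"], secrets=[])]}}
# After a policy is created for the Standard/Premium principal.
VAULT_AFTER = {"properties": {"enableRbacAuthorization": False, "accessPolicies": [
    policy(CLASSIC_OID, certificates=["Get"], secrets=[]),
    policy(STD_PREMIUM_OID, certificates=["get"], secrets=["get"])]}}

if __name__ == "__main__":
    for name, vault in (("before", VAULT_BEFORE), ("after", VAULT_AFTER)):
        print(name, check_vault(vault, STD_PREMIUM_OID) or "ok")
```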

1 additional answer

  1. Maira Wenzel 1 Reputation point Microsoft Employee
    2023-07-11T02:23:18.17+00:00

    I'm coming back to this thread after successfully being able to finish the migration just using the portal. Under your Access policies in your Azure Key Vault, you should see Microsoft.AzureFrontDoor-Cdn listed as one of the apps, not only Microsoft.Azure.FrontDoor as your screenshot shows. If you don't, you can click on the Create button on the access policies page to add that. I hope this helps!
