This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 57.00000000000001%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
I am an external user for one of my client accounts. I have owner permissions. I am trying to import a certificate into a key vault. The key vault has the Vault Access Policy. As the owner, I have full access to this resource. However, when I try to import a certificate, I am getting an insufficient permission error. I have tried to add an Access Policy but can't find a principal to assign it to.
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
This is just too small a shop to use Azure Key Vault. I was able to add a custom domain and secure it by directly importing the app service certificate
So you mean you were able to add certificate in to KV and then use same certificate for SSL binding in Azure web apps.
Can you please confirm if our answer or comments was helpful to you in anyway so that we can mark it as answer which in turn can help wider community
Thanks
Deepanshu
No, I did not add the certificate to KV. I was able to secure the SSL binding by directly importing the certificate as described in https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex
Sadly your comments were not helpful. We are too small a shop. My client is not familiar enough with Azure to act as a Global Admin.
Ok but since it is a not best practice to use directly we always recommend using through keyvault anyways no problem , I hope will take this scenario as exception since you mentioned it is vey small . lastly , thankyou for your comments , have a good day ahead , bye
Hi Carolyn,
Please check below images for reference
Please check this doc for ref https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
kindly accept answer if it helps,
Thanks
Deepanshu
I have gone through all of these steps but am unable to find a suitable principal. I have tried my name, email and web app name but none of these works.
Ok so most likely don't have enough rights in Azure AD (EntraID). Even if you have rights to edit the Key Vault, it doesn't mean you have rights to list users for example. You may not be able to find a user in that view by typing their full username in the search field.
So to fix this you need at least directory reader role
The built-in Azure AD roles are reasonably broad by nature but probably the best fit would be the Directory Readers role, which is more restrictive than Global Readers.
Please check this https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#directory-reader...
I have tried to add a role but do not have sufficient permissions to add a group.
Ok then please check with person who has privileged permissions like Global admin, he/she can help with required permission to add your object ID with directory read permissions.
There is only my client who has a Microsoft account for this subscription and myself who is a guest owner. Who has the privileged permissions?
May be the client can answer better on this check with them once that who can help you with providing access at Azure AD level in client tenant