After deleting access policy from Azure Key Vault, the respective app can still access the secret

claus.net 6 Reputation points
2021-05-28T14:39:13.463+00:00

After I delete an access policy for read access to a secret for an AAD principal, the respective app can still access the secret (via Key Vault reference in application settings). This was all done over the Azure portal. I restarted the app - still has access.

Why can the app still access the secret?

Microsoft Entra ID

2 answers

  1. claus.net 6 Reputation points
    2021-06-15T07:59:33.897+00:00

    Sorry for the late reply, I checked the azure portal again right now.

    In the app configuration, the secrets now show up correctly (after such a long time, I didn't change the configuration since then):

    [Image: screenshot of the app configuration showing the Key Vault references resolving correctly]

    Then, I tested the app - still has access(!).

    After that, I restarted the app -> no access anymore.

    The question is then:

    Why is access not revoked immediately after removing the access policy? It seems to take hours or even days to come into effect and only an app restart then actually denies access. This seems a potentially significant security risk.


  2. Marilee Turscak-MSFT 37,056 Reputation points Microsoft Employee
    2021-05-28T18:10:02.553+00:00

    Are you able to show that the access policy is fully removed and that you specified the ObjectID for that application? You can try running Remove-AzKeyVaultAccessPolicy to ensure that all access is gone. https://learn.microsoft.com/en-us/powershell/module/az.keyvault/remove-azkeyvaultaccesspolicy?view=azps-6.0.0

    Also, have you made sure that key vault firewall is configured so that "All networks" is not allowed? https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-diagnostics

    Otherwise it may be some token issue. If neither of the above works, I will reach out to the feature team about this.

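An added example (not code from the thread or from Microsoft) of the check suggested in the answer above: it removes the policy for the app's object ID if one is still present, then re-reads the vault's resource state to confirm no policy for that principal remains and that the firewall is not open to all networks. The vault name and object ID are placeholders, and the script assumes the Az.KeyVault module is installed and Connect-AzAccount has been run.

```powershell
# Added example, not from the original thread. Placeholder values below must be replaced.
# Assumes Az.Accounts / Az.KeyVault are installed and Connect-AzAccount has been run.
$VaultName   = '<your-vault-name>'
$AppObjectId = '<object-id-of-the-app-principal>'   # for an App Service, the managed identity's object ID

function Test-KeyVaultPolicyRemoved {
    param([string]$VaultName, [string]$ObjectId)

    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault '$VaultName' not found in the current subscription" }

    # If the vault uses Azure RBAC, access policies are not the authorization model at all
    if ($vault.EnableRbacAuthorization) {
        Write-Warning "Vault uses RBAC authorization; check role assignments instead of access policies"
    }

    # Remove the policy only if one is still present for this principal
    $existing = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId }
    if ($existing) {
        Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $ObjectId
        $vault = Get-AzKeyVault -VaultName $VaultName   # re-read the resource after the change
    }

    # Verify from the resource state rather than trusting the portal view
    $remaining = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId }
    [pscustomobject]@{
        VaultName          = $VaultName
        PolicyStillPresent = [bool]$remaining
        SecretPermissions  = if ($remaining) { $remaining.PermissionsToSecrets -join ',' } else { '' }
        FirewallAllowsAll  = ($vault.NetworkAcls.DefaultAction -eq 'Allow')
    }
}

$check = Test-KeyVaultPolicyRemoved -VaultName $VaultName -ObjectId $AppObjectId
$check | Format-List

if ($check.PolicyStillPresent) {
    Write-Warning "An access policy for $AppObjectId still grants secret permissions: $($check.SecretPermissions)"
}
if ($check.FirewallAllowsAll) {
    Write-Warning "Key Vault firewall default action is 'Allow' (all networks); consider 'Deny' with explicit rules"
}
```

Even when this reports no remaining policy, an app that already holds a valid token or a cached Key Vault reference value may keep reading the secret until the token expires or the reference is refreshed, which is the behaviour described in the question.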
