'access_denied', error_description: 'AADSTS650052: The app needs access to a service ('https://vault.azure.net') that your organization ...

Lubomir Juriga 1 Reputation point
2021-03-31T15:29:20.627+00:00

Hi, we have a problem connecting from Active Directory to Key Vault during authentication.
Something in Azure or in AD has to have changed, because we used the same way of authentication, including Key Vault, as before, and now we are unable to proceed with authentication for any new app registrations in AD. All previously created app registrations in AD are working just fine (using Key Vault); any new one is not working. We only receive this error:
System.Exception: An error was encountered while handling the remote login. ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'access_denied', error_description: 'AADSTS650052: The app needs access to a service ('https://vault.azure.net') that your organization 'AZURE TENANT ID' has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.

We have multiple Azure ADs: AD1 containing all Azure resources (including the key vault), and AD2 only for user authentication (there are no subscriptions or resources in AD2).
Our app is hosted in Azure App Service and its identity is included in the key vault access policy, all in AD1.
In AD2 we created an app registration as usual and added user_impersonation to have full access to the Azure Key Vault service. We did the same as we did before for other environments in different ADs (all of them connect to AD1).

The environment is set up in the same way as the other working environments; however, we receive only the error above when trying to access our application.

If we use an already created app registration (created in 2020), everything works just fine. When we try to create a new app registration in Azure AD, nothing works after connecting to this app registration. An environment that was operating just fine shows the error above after being connected via the new app registration.
And the new app registration is set up in the same way as the operating one.

Tags: Azure Key Vault, Microsoft Entra ID

3 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 34,051 Reputation points Microsoft Employee
    2021-03-31T20:05:36.1+00:00

    Can you please provide a screenshot of your key vault access policy? If you follow the steps in this blog post to give the application permission to access the key vault, it should work.

    Set-AzureRmKeyVaultAccessPolicy -VaultName access-key-vault -ObjectId 296546541096da-acc2-4576-a4a2-47654a4389e45d7 -PermissionsToSecrets get

    Or via portal:

    (screenshot: 83416-image.png)

    I would also check the solution in this thread answered by Aman to make sure the consent is fulfilled.


  2. Lubomir Juriga 1 Reputation point
    2021-04-06T07:13:15.947+00:00

    Hi, thanks for the info; this is our key vault access policy picture.

    (screenshot: 84773-kvaccess.png)

    We have access granted for our App Service application and then for some users (the same settings as used in other environments).
    If I try to add access (via the portal) in the key vault for our Azure AD application (located in a different AD than the key vault itself), I'm unable to find it (by name or ID). I can see only values from the AD where the key vault is located. We will check the articles you've mentioned more closely and will let you know ...


  3. Lubomir Juriga 1 Reputation point
    2021-04-08T09:13:53.207+00:00

    Our problem seems not to be related to the key vault access policy settings, but to the Azure AD app registration settings for API permissions.

    In the past we added the API permission for the key vault as visible in the picture below. We did not need to grant or consent to anything, but now that access did not work for us, we tried "Grant admin consent" and an error message (similar to the one we have in our log) was displayed in the Azure portal:

    (screenshot: 85695-image.png)

    The only way we found to proceed was to remove the API permission for Key Vault and grant the consent. This can be done in the portal or during the administrator's first authentication to our app. After granting, we are able to proceed to our application and everything seems to be OK.
    The API permission in the AD app registration also changed, and the granted consent is visible:

    (screenshot: 85697-image.png)

    The key vault access policy did not change from the picture in my previous answer above.
    Anyway, we have a few environments created in the past where the Azure AD app registration API permission for Key Vault is still present and everything works fine ...

    A post that was also helpful for us was Create KeyVault access policy for application in another Azure Active Directory.

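The two things the answers above end up checking (the App Service identity in the vault's access policy in answer 1, and the Key Vault API permission on the app registration in answer 3) can be verified from Az PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the Az.KeyVault, Az.Resources and Az.Websites modules, that Test-VaultAccessPolicy is run while signed in to the tenant that holds the vault (AD1 in the question) and Test-KeyVaultApiPermission while signed in to the tenant that holds the app registration (AD2), and that the Key Vault resource application is listed under the display name 'Azure Key Vault'. All names and ids passed in are placeholders.

```powershell
# Added diagnostic, not from the thread. Run each function in the tenant noted in its comment.

function Test-VaultAccessPolicy {
    # Sign in to the vault's tenant (AD1). Returns $true when the App Service's managed identity
    # has an access policy on the vault that allows 'get' on secrets (what answer 1 sets).
    param([string]$VaultName, [string]$WebAppResourceGroup, [string]$WebAppName)
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault '$VaultName' not found in the signed-in tenant." }
    if ($vault.EnableRbacAuthorization) {
        Write-Warning 'Vault uses RBAC authorization; inspect role assignments instead of access policies.'
    }
    $principalId = (Get-AzWebApp -ResourceGroupName $WebAppResourceGroup -Name $WebAppName).Identity.PrincipalId
    if (-not $principalId) { throw "Web app '$WebAppName' has no system-assigned managed identity." }
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
    if (-not $policy) {
        Write-Warning "Managed identity $principalId has no access policy on $VaultName."
        return $false
    }
    if ($policy.PermissionsToSecrets -notcontains 'get') {
        Write-Warning "Policy for $principalId lacks 'get' on secrets (has: $($policy.PermissionsToSecrets -join ','))."
        return $false
    }
    # Access policies can only name principals from the vault's own directory, which is why the
    # AD2 app registration could not be found from the portal in answer 2.
    if ($policy.TenantId -ne $vault.TenantId) {
        Write-Warning "Policy tenant $($policy.TenantId) differs from vault tenant $($vault.TenantId)."
    }
    return $true
}

function Test-KeyVaultApiPermission {
    # Sign in to the app registration's tenant (AD2). Returns $true when the registration still
    # requests a delegated Key Vault permission (user_impersonation), the setting answer 3 removed.
    param([string]$AppId)   # client (application) id of the app registration
    # Resolve the Key Vault resource app by display name (assumed) instead of hard-coding its id.
    $kvResource = Get-AzADServicePrincipal -DisplayName 'Azure Key Vault' | Select-Object -First 1
    if (-not $kvResource) { throw "Key Vault resource application not found in this tenant." }
    $app = Get-AzADApplication -ApplicationId $AppId
    if (-not $app) { throw "App registration $AppId not found in the signed-in tenant." }
    $kvReq = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $kvResource.AppId }
    if (-not $kvReq) {
        Write-Output "App $AppId requests no Key Vault API permission (the state answer 3 ended with)."
        return $false
    }
    $scopes = @($kvReq.ResourceAccess | Where-Object { $_.Type -eq 'Scope' })
    Write-Output "App $AppId still requests $($scopes.Count) delegated Key Vault scope(s); this is the permission that triggered AADSTS650052 in the thread."
    return $true
}
```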