Azure permission requirements
While there are multiple ways to configure and meet the permission requirements, the following is recommended in order to successfully provision certificates to Azure Key Vault and to a Web Application:
- Certificate key/pair must be present
- Application Registration must be created (which is the "user", also referred to as Application ID)
- Azure Key Vault and Azure Service Management API permissions must be granted to the Application Registration
- The Contributor Role must be granted to the Application Registration in the Service Plan resource
- The Contributor Role must be granted to the Application Registration in the Resource Group to which the Web Application belongs
- For Azure role-based access control (RBAC) Key Vaults:
  - The Key Vault Certificates Officer and Key Vault Secrets Officer roles must be granted to the Application Registration for the Key Vault
  - The Key Vault Secrets User role must be granted to the Microsoft Azure App Service for the Key Vault
- For Vault access policy Key Vaults:
  - The Contributor role and Key Vault Contributor role must be granted to the Application Registration for the Key Vault
  - The Application Registration and Microsoft Azure App Service must be added as principals to the Key, Secret and Certificate Management policy in the Access Policy of the Key Vault
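The role assignments above for the RBAC Key Vault case, expressed as an Azure CLI script. This is an added example, not part of the product documentation: the resource names and the Application ID are placeholders, the script assumes the Azure CLI is logged in to the correct subscription, and the API permissions (Azure Key Vault and Azure Service Management) on the Application Registration are not covered here. Each assignment is built as a string first so the plan can be reviewed with DRY_RUN=1 before anything in the tenant is changed.

```shell
#!/usr/bin/env sh
# Added example (assumed placeholder names, not values from the documentation).
set -eu

APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"  # Application (client) ID
RG="${RG:-rg-example}"            # Resource Group the Web Application belongs to
PLAN="${PLAN:-plan-example}"      # App Service Plan (Service Plan resource)
WEBAPP="${WEBAPP:-webapp-example}" # Web Application name
KV="${KV:-kv-example}"            # RBAC-enabled Key Vault name

# Build one role assignment command as a string (least privilege: every
# assignment is scoped to exactly one resource, never the subscription).
role_cmd() {
  principal="$1"; role="$2"; scope="$3"
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s' \
    "$principal" "$role" "$scope"
}

# Run the assignment, or only print it when DRY_RUN=1.
assign_role() {
  cmd="$(role_cmd "$@")"
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
}

grant_all() {
  sp_oid="$(az ad sp show --id "$APP_ID" --query id -o tsv)"
  plan_id="$(az appservice plan show --name "$PLAN" --resource-group "$RG" --query id -o tsv)"
  rg_id="$(az group show --name "$RG" --query id -o tsv)"
  kv_id="$(az keyvault show --name "$KV" --query id -o tsv)"
  # The App Service reads the certificate with its own (system-assigned) identity,
  # so that identity, not the Application Registration, gets Secrets User.
  webapp_oid="$(az webapp identity assign --name "$WEBAPP" --resource-group "$RG" --query principalId -o tsv)"

  assign_role "$sp_oid" "Contributor" "$plan_id"
  assign_role "$sp_oid" "Contributor" "$rg_id"
  assign_role "$sp_oid" "Key Vault Certificates Officer" "$kv_id"
  assign_role "$sp_oid" "Key Vault Secrets Officer" "$kv_id"
  assign_role "$webapp_oid" "Key Vault Secrets User" "$kv_id"
}

# Only touch the tenant when explicitly asked: sh grant-roles.sh apply
if [ "${1:-}" = "apply" ]; then grant_all; fi
```

Run with `DRY_RUN=1 sh grant-roles.sh apply` first to print the five assignments, then compare them against the list above before running without DRY_RUN.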
TIP: When integrating Azure with Trust Protection Foundation, you might encounter the following error message:
Error: Failed to bind a key vault certificate to the web application. No default Subscription has been designated. Check your Azure account Subscriptions and select a default one.
This error typically occurs when the Application ID / Principal you are using does not have the proper permissions set. Verify the permission settings listed above and try again.