External co-administrator accounts receive warnings and errors when they work with Azure Key Vault

Symptoms
An external user is made a co-administrator of a tenant and is tasked with creating a new Azure Key Vault. However, that user receives the following warning when the vault is created:

PS C:\> New-AzureRmKeyVault -VaultName <Key_Vault_Name> -ResourceGroupName <Resource_Group> -Location <Region>
WARNING: The usage of Tag parameter in this cmdlet will be modified in a future release. This will impact creating,
updating and appending tags for Azure resources. For more details about the change, please visit https://github.com/Azure/azure-powershell/issues/726#issuecomment-213545494
WARNING: Guest users are not allowed to perform this action.

Vault Name : <Key_Vault_Name>
Resource Group Name : <Resource_Group>
Location : <Region>
Resource ID : /subscriptions/<SubscriptionID>/resourceGroups/<Resource_Group>/providers/Microsoft.KeyVault/vaults/<Key_Vault_Name>
Vault URI : https://<Key_Vault_Name>.vault.azure.net
Tenant ID : <TenantID>
SKU : Standard
Enabled For Deployment? : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : False
Access Policies :
Tags :

WARNING: Access policy is not set. No user or application have access permission to use this vault. Please use Set-AzureRmKeyVaultAccessPolicy to set access policies.

Additionally, all attempts by that user to manage the Key Vault access policy or to add keys or secrets to the vault trigger errors and fail.

If the external user tries to perform the recommended step of running Set-AzureRmKeyVaultAccessPolicy to configure the access policy, the following error is triggered:

PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName <Key_Vault_Name> -ResourceGroupName <Resource_Group> -UserPrincipalName <username>@contoso.com -PermissionsToKeys get,create,delete,list,update,import,backup,restore -PermissionsToSecrets all
Set-AzureRmKeyVaultAccessPolicy : Guest users are not allowed to perform this action.
At line:1 char:1
+ Set-AzureRmKeyVaultAccessPolicy -VaultName <Key_Vault_Name> -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureRmKeyVaultAccessPolicy], ODataErrorException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultAccessPolicy

If the user attempts to view the keys in the Key Vault, it fails with this error:

PS C:\> Get-AzureKeyVaultKey -VaultName <Key_Vault_Name>
Get-AzureKeyVaultKey : Operation "list" is not allowed
At line:1 char:1
+ Get-AzureKeyVaultKey -VaultName <Key_Vault_Name>
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzureKeyVaultKey], KeyVaultClientException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultKey

If the user attempts to add a key to the Key Vault, it fails with this error:

PS C:\> Add-AzureKeyVaultKey -VaultName <Key_Vault_Name> -Name <Key_Encryption_Key> -Destination Software
Add-AzureKeyVaultKey : Operation "create" is not allowed
At line:1 char:1
+ Add-AzureKeyVaultKey -VaultName <Key_Vault_Name> -Name KEK -Destination Softwa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureKeyVaultKey], KeyVaultClientException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultKey

If the user attempts to add a secret to the Key Vault, it fails with this error:

PS C:\> $Secret = ConvertTo-SecureString -String 'Password1' -AsPlainText -Force
PS C:\> Set-AzureKeyVaultSecret -VaultName <Key_Vault_Name> -Name G-Secret -SecretValue $Secret
Set-AzureKeyVaultSecret : Operation "set" is not allowed
At line:1 char:1
+ Set-AzureKeyVaultSecret -VaultName <Key_Vault_Name> -Name G-Secret -SecretValu ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureKeyVaultSecret], KeyVaultClientException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret

Cause
External accounts that are guest accounts (UserType Guest) in the tenant's directory don't have the required access level to manage Key Vaults or the keys and secrets that are stored in them. This is true even though the account is listed as a co-administrator of the subscription.

Resolution
There are two options to grant external accounts the permissions they need to manage Key Vaults as a co-administrator in the tenant:
  • A global admin in the tenant can make the guest account the owner of the Key Vault by running the following command:

    PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName <Key_Vault_Name> -ResourceGroupName <Resource_Group> -UserPrincipalName <username>@outlook.com -PermissionsToKeys get,create,delete,list,update,import,backup,restore -PermissionsToSecrets all
  • If the external account will be creating more Key Vaults in this tenant in the future, and the tenant's global admin does not want to grant permissions to all new Key Vaults going forward, the global admin can convert the guest account to a member by following these steps:

    1. Use the Azure Active Directory PowerShell module:

      PS C:\> Install-Module -Name AzureADPreview

      PS C:\> Import-Module -Name AzureADPreview
      The global admin can convert the user from guest to member by running the following command:

      PS C:\> Get-AzureADUser -Filter "displayname eq 'Firstname Lastname'" | Set-AzureADUser -UserType Member
    2. Now the external user can create new Key Vaults without a problem. If they want, they can set the access policy on the existing Key Vault by making themselves the Creator/Owner. To do this, they should run the following commands:

      PS C:\> Login-AzureRMAccount

      Note: If the external user is a Microsoft Account (MSA), they must include the -TenantId parameter when they connect by using Connect-AzureAD, as shown in the following example. Running Login-AzureRMAccount first provides the TenantID. Copy the TenantID from the output of that logon, and then use it to log the Microsoft account into the Azure tenant.

      PS C:\> Connect-AzureAD -TenantId <TenantID>

    3. After the external user is authenticated, they can make themselves the owner of a Key Vault that they created earlier (and for which they received the warning that's described in the "Symptoms" section) by running the following command:

      PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName <Key_Vault_Name> -ResourceGroupName <Resource_Group> -UserPrincipalName <username>@outlook.com -PermissionsToKeys get,create,delete,list,update,import,backup,restore -PermissionsToSecrets all

      Using this same command, the external user can grant the service principals of Azure AD applications the permissions they need to access keys and secrets in the vault.

      Additionally, they can enable flags such as -EnabledForDeployment or -EnabledForDiskEncryption by running the following command:

      PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName <Key_Vault_Name> -ResourceGroupName <Resource_Group> -EnabledForDeployment -EnabledForDiskEncryption
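
The following function is an added example, not part of the KB article: it wraps the two resolution options above in one script that checks the account's UserType first, applies the chosen fix with the article's cmdlets, and then reads the vault back to verify that the access policy was actually applied. It assumes the AzureRM and AzureADPreview modules are loaded, that Login-AzureRMAccount and Connect-AzureAD have already been run as a global admin, and that the vault name, resource group and display name passed in are placeholders.

```powershell
# Added example (not from the KB article). Assumes AzureRM + AzureADPreview are
# loaded and the caller is already signed in as a global admin of the tenant.
function Repair-GuestKeyVaultAccess {
    param(
        [Parameter(Mandatory)] [string] $VaultName,          # placeholder: <Key_Vault_Name>
        [Parameter(Mandatory)] [string] $ResourceGroupName,  # placeholder: <Resource_Group>
        [Parameter(Mandatory)] [string] $DisplayName,        # placeholder: 'Firstname Lastname'
        # 'GrantPolicy' = option 1 in the article, 'ConvertToMember' = option 2
        [ValidateSet('GrantPolicy', 'ConvertToMember')] [string] $Mode = 'GrantPolicy'
    )

    # Look the user up the same way the article does (display-name filter) and
    # refuse to continue unless exactly one directory object matches.
    $user = @(Get-AzureADUser -Filter "displayname eq '$DisplayName'")
    if ($user.Count -ne 1) {
        throw "Expected exactly one user named '$DisplayName', found $($user.Count)."
    }
    $user = $user[0]
    Write-Verbose "$($user.UserPrincipalName) currently has UserType '$($user.UserType)'"

    if ($Mode -eq 'ConvertToMember' -and $user.UserType -eq 'Guest') {
        # Option 2: a Member account can create and manage new vaults on its own.
        Set-AzureADUser -ObjectId $user.ObjectId -UserType Member
    }

    # Option 1 (also needed after conversion for the vault that already exists):
    # grant the key/secret permissions the article lists. Keying the policy by
    # object id avoids the guest's #EXT# UPN form.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -ObjectId $user.ObjectId `
        -PermissionsToKeys get, create, delete, list, update, import, backup, restore `
        -PermissionsToSecrets all

    # Verify: read the vault back and confirm a policy exists for this object id.
    $vault  = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $user.ObjectId }
    if (-not $policy) {
        throw "Access policy for $($user.UserPrincipalName) was not applied to $VaultName."
    }

    [pscustomobject]@{
        User                 = $user.UserPrincipalName
        UserType             = (Get-AzureADUser -ObjectId $user.ObjectId).UserType
        PermissionsToKeys    = ($policy.PermissionsToKeys -join ',')
        PermissionsToSecrets = ($policy.PermissionsToSecrets -join ',')
    }
}

# Usage with placeholders:
# Repair-GuestKeyVaultAccess -VaultName '<Key_Vault_Name>' -ResourceGroupName '<Resource_Group>' -DisplayName 'Firstname Lastname' -Verbose
```

The permission lists mirror the article's commands; narrow them to what the account actually needs before using this outside a test tenant.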
Properties

Article ID: 3192496 - Last Review: 09/19/2016 22:59:00 - Revision: 1.0
