Bicep deployment of key vault keys fails with error [CaeAuthorizationFailed (Unauthorized)] AKV10203

Dan Russell 0

Attempting to deploy a key vault key via a bicep template fails with the following error:

{
  "code": "CaeAuthorizationFailed",
  "message": "[CaeAuthorizationFailed (Unauthorized)] AKV10203: Continuous access evaluation check failed. Please extract the claims challenge from the www-authenticate header to fetch a new token"
}

The error was first noticed on 2/17/2025. The same template succeeded as late as 2/14/2025.

Key vault keys are created successfully using the following methods:

Azure Portal
Azure PowerShell cmdlet: Add-AzKeyVaultKey

Any ideas on troubleshooting the bicep deployment.

Martin Cairney 2,256 Reputation points

2025-02-20T22:12:22.24+00:00

I had a similar issue with a BICEP deployment - mine was for a SQL Managed Instance that needed to reference a Key Vault key and provided exactly the same error message. My deployment was running under my credentials as Subscription Owner and the User Assigned Identity of the SQL MI had correct RBAC role to access the key. This same pattern with the same credentials had worked previously so I'm suspecting something got messed up with Key Vault (we also observed another SQL MI losing access to it's TDE key in Key Vault)
Martin Cairney 2,256 Reputation points

2025-02-20T22:15:41.74+00:00

Perhaps Microsoft messed up Key Vault in the last couple of days?

1 answer

Stanislav Zhelyazkov 26,256 Reputation points MVP

2025-02-20T07:07:28.8866667+00:00

Hi,

This is not likely related strictly to backup but the authentication method you use when deploying via Bicep. What kind of authentication method you use? Can you provide the full template? I have seen cases where CSP authentication (AOBO/GDAP) with Service principal is not working with certain type of resources in Azure. The workaround is to use service principal from the tenant where the deployment is.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Dan Russell 0 Reputation points

2025-02-20T22:49:18.85+00:00

I'm authenticating using the PowerShell cmdlet, Connect-AzAccount, with my credentials.

My access on the key vault:

Owner (scope: Management group)

Key Vault Administrator (scope: This resource)

Here's the template:

@description('Name of the Key vault.') param keyVaultName string @description('Name of the key') param keyName string @allowed([ 'EC' 'EC-HSM' 'RSA' 'RSA-HSM' ]) param keyType string = 'RSA' @description('Permitted JSON web key operations of the key to be created.') param keyOps array = [] @allowed([ 2048 3072 4096 ]) @description('Size in bits of the key to be created.') param keySize int = 2048 @description('JsonWebKeyCurveName of the key to be created.') @allowed([ '' 'P-256' 'P-256K' 'P-384' 'P-521' ]) param curveName string = '' resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: keyVaultName } resource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = { name: keyName parent: keyVault properties: { kty: keyType keyOps: keyOps keySize: keySize curveName: curveName } } output proxyKey object = key.properties

The keyType, keyOps, keySize and curveName params are set to their defaults.

The error occurs from these environment:

Azure virtual machine joined to Entra domain services

Laptop connected via Azure VPN (Virtual WAN)

Dan Russell 0 Reputation points

2025-02-20T23:14:12.41+00:00

Your comment regarding CSP authentication lead me to here which reminded me that starting the beginning of this week, I was in an Azure portal sign-in loop until I confirmed my MFA default devices.

I don't recall if that last time I attempted to deploy the template was before or after I confirmed MFA default devices before moving on to possible workarounds. So, I don't know if it is related or not.

I just tried it again. Good news is that it is again deploying successfully.

Stanislav Zhelyazkov 26,256 Reputation points MVP

2025-02-21T06:26:09.09+00:00

Does not sound like it is related to me as if you have some problems with Microsoft Entra and MFA you will not be be able to login at all and start deployment. The error you have is from deployment. As you are saying that it now works, it could be some temporary issue in the Key Vault service.

Sakshi Devkante 920 Reputation points Microsoft Vendor

2025-02-21T16:07:21.3833333+00:00

Hello Dan,

I'm glad that you were able to resolve your issue, I am following up to see If you have any further questions or need additional assistance, please don’t hesitate to reach out.

Dan Russell 0 Reputation points

2025-02-21T16:16:49.65+00:00

Hi Sakshi,

I would really like to know the root cause to prevent similar issues in the future.

Was it a configuration change initiated by our organization?

Was it something caused by Microsoft as Michael suggested?

Is this issue really fixed or is it temporary?

I'm unclear on what the root cause of the problem is.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Bicep deployment of key vault keys fails with error [CaeAuthorizationFailed (Unauthorized)] AKV10203

1 answer

Your answer