System-assigned Managed Identity fails to remove a Key Vault access policy for a user

Red Admin 0 Reputation points
2025-01-04T15:23:09.6433333+00:00

Hi everyone, please help me with a problem that is driving me crazy. I've been chasing it for 2 days without understanding where the problem lies. I configured:

  • A Key Vault in which I saved a test secret.
  • A runbook inside a test Automation Account; the Automation Account runs with a system-assigned managed identity.
  • The goal is to allow this managed identity to remove a Key Vault access policy of a test user.

This is the script inside the runbook:

    # Ensures you do not inherit an AzContext in your runbook
    Disable-AzContextAutosave -Scope Process

    # Connect to Azure with system-assigned managed identity
    $AzureContext = (Connect-AzAccount -Identity).context

    # Set and store context
    $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

    # Grab an access token for Microsoft Graph
    $Token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"
    Connect-MgGraph -AccessToken ($Token.Token | ConvertTo-SecureString -AsPlainText -Force)

    # Reset permission: remove the user's access policy from the vault
    Remove-AzKeyVaultAccessPolicy -VaultName 'MyTestKeyVault' -UserPrincipalName 'mytestuser@lab-contoso.com' -PassThru -Verbose

Even though I assigned the Key Vault Contributor role to the managed identity, I still get a Forbidden error!


Doing the same thing in the security context of a user with the same role (Key Vault Contributor), the operation is successful... and I can't understand why!

I also tried assigning the Reader role at subscription level to the managed identity, but it still doesn't work. Thanks to anyone who can help me.


2 answers

  1. hossein jalilian 9,700 Reputation points
    2025-01-04T19:05:15.47+00:00

    Hello Red Admin,

    Thanks for posting your question in the Microsoft Q&A forum.

    To resolve this issue, you should assign the "Key Vault Administrator" role to the System-assigned Managed Identity of your Automation Account. This role provides full control over Key Vault resources, including the ability to manage access policies.

    If assigning the Key Vault Administrator role is not feasible, you can use the Azure Resource Manager (ARM) API to update the access policies. This approach requires the Microsoft.KeyVault/vaults/accessPolicies/write permission, which is included in the Key Vault Contributor role.

    Another approach is to use the Microsoft Graph API to manage access policies. This method requires appropriate Graph API permissions for the managed identity.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. Raja Pothuraju 11,515 Reputation points Microsoft Vendor
    2025-01-09T12:30:35.8166667+00:00

    Hello @Red Admin,

    Thank you for posting your query on Microsoft Q&A.

    Based on your observations, the forbidden error seems to be occurring due to insufficient API permissions assigned to your system-assigned managed identity.

    As you've successfully tested with a service principal by adding the KeyVault Contributor role and the User.Read.All permission, which allowed you to remove permissions for a user in Key Vault, I recommend extending the same approach to your system-assigned managed identity.

    You can achieve this by assigning the User.Read.All Graph API permission to the system-assigned managed identity. To do so, connect to Microsoft Graph using the following command (interactive sign-in with a Global Administrator account is required):

    Connect-MgGraph -Scopes "User.Read.All"

    If the above approach does not let you consent to the User.Read.All API permission for the application, please refer to the following document to request the required permissions from a directory administrator:

    Request the permissions from a directory admin

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
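Added example (not code from either answer or from the original post): the `User.Read.All` permission the second answer mentions has to be granted to the managed identity's own service principal as an application role, which an administrator does once from an interactive session. The Automation Account name is a constructed placeholder, and the Microsoft Graph app ID shown is the well-known one that is the same in every tenant.

```powershell
# Run interactively by an administrator, not inside the runbook.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

$automationAccountName = 'MyTestAutomationAccount'   # placeholder, constructed

# The system-assigned identity's service principal carries the Automation Account's name.
$mi = Get-MgServicePrincipal -Filter "displayName eq '$automationAccountName'"
if (-not $mi) { throw "Managed identity service principal '$automationAccountName' not found" }

# Well-known application ID of Microsoft Graph (identical in every tenant).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Pick the *application* role (not the delegated scope) named User.Read.All.
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq 'User.Read.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "User.Read.All application role not found on the Graph service principal" }

# Make the script safe to re-run: skip if the assignment already exists.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    Write-Output "User.Read.All is already assigned to $($mi.DisplayName)"
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Output "Assigned User.Read.All to $($mi.DisplayName)"
}

# Least-privilege alternative: if the runbook receives the user's object ID
# instead of the UPN, no directory lookup is needed and the identity needs
# no Graph permission at all (only the Key Vault role it already has):
#   Remove-AzKeyVaultAccessPolicy -VaultName 'MyTestKeyVault' -ObjectId '<user-object-id>' -PassThru
```

Application permissions granted this way apply tenant-wide, so review who can read the resulting assignment and prefer the `-ObjectId` form where the runbook can be given the ID up front.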

