KeyVault Unknown Access Policy

To deploy artefacts via a CI/CD pipeline, you need an Azure DevOps Service Connection. Under the hood this is an AAD application with a service principal that has Contributor rights on the subscription. When the deployment uses Key Vault, you also have to grant that service principal an access policy on the Key Vault instance.

When I added the access policy via an ARM template, I saw it was created with type Unknown, where I expected type Application. Googling the issue, I found that you have to specify the correct objectId of the service principal: the access policy is stored with whatever objectId you pass in, and if that id does not belong to a service principal, Key Vault shows it as Unknown. But where do you find the right objectId?

First, let's look at the Service Connection settings screen in Azure DevOps.

After clicking on the link Manage Service Principal, you get the following screen:

There is an ObjectId on the screen, but confusingly enough this is the ObjectId of the application (the app registration), not the ObjectId of the service principal. The bottom link on the right-hand side points to the managed application in the local directory (the enterprise application). This is the link you need to click. After doing so, you get to the screen showing you the correct ObjectId:
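To make the fix concrete, here is an ARM template fragment that adds an access policy for the service principal to an existing Key Vault. This is an added example, not the template from the original post; the parameter names `keyVaultName` and `servicePrincipalObjectId` and the chosen permissions are assumptions. The value you pass for `servicePrincipalObjectId` must be the ObjectId of the service principal (enterprise application) found above, not the ObjectId of the app registration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": { "description": "Name of the existing Key Vault (assumed name)." }
    },
    "servicePrincipalObjectId": {
      "type": "string",
      "metadata": {
        // Must be the objectId of the service principal, not the application objectId;
        // passing the application objectId is what produces an access policy of type Unknown.
        "description": "ObjectId of the service connection's service principal (enterprise application)."
      }
    }
  },
  "resources": [
    {
      // The '/add' child resource merges this policy into the vault's existing policies
      // instead of replacing them.
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/add', parameters('keyVaultName'))]",
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('servicePrincipalObjectId')]",
            // Least privilege: a deployment pipeline usually only needs to read secrets.
            "permissions": {
              "secrets": [ "get", "list" ]
            }
          }
        ]
      }
    }
  ]
}
```

If you prefer the command line to clicking through the portal, the Azure CLI returns the same service principal ObjectId from the application (client) id: `az ad sp show --id <appId> --query id -o tsv` (on CLI versions before the Microsoft Graph migration the property is called `objectId` instead of `id`). After deploying, `az keyvault show --name <keyVaultName> --query properties.accessPolicies` lists the policy with that objectId, and the portal should now display it with type Application rather than Unknown.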