The AAD Application must be granted access control before it can manage the user’s Azure services (Key Vault, DNS Zone and App Services).

- Go to Azure Subscriptions and open the subscription that contains your Azure Key Vault, DNS Zone and App Services.
- In the subscription, click on ‘Access control (IAM)’ and add a new role assignment.
- Select the ‘Contributor’ role and click the ‘Next’ button.
- Under ‘Assign access to’, choose ‘User, groups or service principal’ and click the ‘Select members’ link.
- Search for the AAD App that was registered and select it. (If you did not register an AAD app previously, follow the instructions in Registering an AAD Application.)
- Click the ‘Review + assign’ button.
- In the ‘Role assignments’ tab, you will see the new role assignment you just added.

You must repeat these steps for each Azure Subscription that the user may wish to access.
If the user is creating SSL/TLS certificates in Azure Key Vault, the application also needs an access policy for certificates in that Key Vault. This step is not required if SSL/TLS certificates are not being created for Key Vault.

- In Key Vault, click on ‘Access policies’ and then ‘Add Access Policy’.
- In the ‘Certificate permissions’ dropdown, select all 16 permissions, including the ‘Purge’ permission.
- Click on ‘Select principal’, search for the application that was registered and click the ‘Select’ button.
- Click the ‘Add’ button when you are done.
- Click the ‘Save’ button to save the access policy.
- The newly added access policy will be displayed.
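The same two grants (the subscription-scoped Contributor assignment and the Key Vault certificate access policy), written as an Azure CLI script; this is an added example and not part of the original instructions. The subscription ID, application (client) ID and vault name are placeholders, and with the default AZ_DRY_RUN=1 the script only prints the commands it would run, so they can be reviewed before executing with AZ_DRY_RUN=0.

```bash
#!/usr/bin/env bash
# Azure CLI equivalent of the portal steps above (added example).
# Placeholder values: override them in the environment before running for real.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
APP_ID="${APP_ID:-11111111-1111-1111-1111-111111111111}"  # placeholder: AAD app (client) ID
KEY_VAULT_NAME="${KEY_VAULT_NAME:-example-kv}"             # placeholder
AZ_DRY_RUN="${AZ_DRY_RUN:-1}"                               # 1 = print commands only

# The 16 Key Vault certificate permissions the steps above select, Purge included.
CERT_PERMISSIONS="get list update create import delete recover backup restore \
managecontacts manageissuers getissuers listissuers setissuers deleteissuers purge"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$AZ_DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: Contributor role assignment at subscription scope (repeat per subscription).
assign_contributor() {
  run az role assignment create --assignee "$APP_ID" --role Contributor \
      --scope "/subscriptions/$1"
}

# Step 2: Key Vault access policy granting all certificate permissions to the app.
set_cert_policy() {
  # shellcheck disable=SC2086  (splitting the permission list into words is intended)
  run az keyvault set-policy --name "$1" --spn "$APP_ID" \
      --certificate-permissions $CERT_PERMISSIONS
}

# Check: list what was actually granted, to compare with what the portal shows.
verify() {
  run az role assignment list --assignee "$APP_ID" --scope "/subscriptions/$1" --output table
  run az keyvault show --name "$2" --query properties.accessPolicies --output table
}

# Sanity check that the permission list really has 16 entries.
count_cert_permissions() { set -- $CERT_PERMISSIONS; echo "$#"; }

assign_contributor "$SUBSCRIPTION_ID"
set_cert_policy "$KEY_VAULT_NAME"
verify "$SUBSCRIPTION_ID" "$KEY_VAULT_NAME"
```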