
Error whitelisting subnet to Key Vault

Henri Pihkala 0 Reputation points
10 Mar 2025, 3:46 pm

I'm having trouble whitelisting a new subnet to my Key Vault. I've previously added other subnets from other vnets without any issue. For some reason, for this vnet and subnet I'm getting an error.

I'm in the Networking settings of my Key Vault (via 'Manage' button on Networking page). Note that I have previously added a few subnets successfully via the exact same procedure:

[screenshot]

I select the virtual network I want to add:

[screenshot]

I click "Add" and it appears in the list:

[screenshot]

When I click "Save" I get this error:

[screenshot]

I don't understand why I don't have sufficient permissions, as I was able to add the other subnets AND I have the Owner role in both associated Subscriptions (the one where the Key Vault is, and the one where the Virtual Network is). Checking with "View my access" in the IAM tab for both resources:

[screenshot]

I also compared my roles/permissions to the other vnets that I WAS able to successfully add to the Key Vault, and there's no difference at all, so I don't understand why it's failing:

[screenshot]

    SrideviM 755 Reputation points Microsoft External Staff
    15 Mar 2025, 6:56 am

    Hello Henri Pihkala,

    It looks like you have two Owner role assignments in the subscription. One is inherited at the subscription level, which should normally give full access, but the other one has a condition applied to a specific resource.

    [screenshot]

    Even though you are an Owner, Azure enforces conditions as additional restrictions, which might be causing this issue. To resolve this, check if the conditional Owner role in IAM restricts any actions and edit or remove it if necessary.

    If the issue persists even after removing conditional role assignments, check whether the ID “f8fd0c48-dc13-4fe4-xxxxxxxxxxxxxx” from your error message is linked to a service principal, application, or user in your tenant.

    [screenshot]

    To identify whether that ID is related to any service principal, application or user, search for it in the Overview of your Microsoft Entra tenant:

    Go to Azure Portal -> Microsoft Entra ID -> Overview -> Enter ID in Search bar:

    [screenshot]

    If the ID is associated with a service principal or application, note its name and assign the "Network Contributor" role to it under either the subscription with ID 6e0f0965-4400-4050-xxxxxxxxx or the silta-test-vnet virtual network:

    Go to Azure Portal -> Subscriptions -> Select Subscription with above ID -> Access control (IAM) -> Add role assignment -> Select Network Contributor role -> Search for application name in members -> Add -> (Review + assign)

    [screenshot]

    For more details, check the similar issue in this Microsoft Q&A.

    If that also did not work, try re-registering the Microsoft.KeyVault resource provider under the subscription where you are facing the issue, like this:

    [screenshot]

    Hope this helps!


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. If you have any other questions or are still running into more issues, please let me know in "Comments" section.

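The same checks and fixes the answer above walks through in the portal, as an added Az PowerShell example that is not part of the answer or of Microsoft's documentation. It assumes the Az module and a signed-in `Connect-AzAccount` session; the vault name, resource group, subnet name and the two IDs redacted in the thread are placeholders to fill in.

```powershell
# Added example (not from the Q&A thread). Requires PowerShell 7 and the Az
# module (Az.Accounts, Az.Resources, Az.Network, Az.KeyVault), already signed in.
$PrincipalId       = '<object-id-from-error-message>'   # redacted in the post: f8fd0c48-dc13-4fe4-...
$VnetSubscription  = '<vnet-subscription-id>'           # redacted in the post: 6e0f0965-4400-4050-...
$VaultSubscription = '<key-vault-subscription-id>'      # placeholder
$VaultName         = '<key-vault-name>'                 # placeholder
$VnetResourceGroup = '<vnet-resource-group>'            # placeholder
$VnetName          = 'silta-test-vnet'
$SubnetName        = '<subnet-name>'                    # placeholder

# 1. List your own role assignments that carry an ABAC condition. A conditional
#    Owner assignment can restrict an action even though an unconditional Owner
#    assignment is inherited from the subscription, which is what the answer suspects.
$me = (Get-AzADUser -SignedIn).Id
Get-AzRoleAssignment -ObjectId $me -ExpandPrincipalGroups |
    Where-Object { $_.Condition } |
    Select-Object RoleDefinitionName, Scope, ConditionVersion, Condition |
    Format-List

# 2. Resolve the ID from the error message to a user, application or service principal.
$sp   = Get-AzADServicePrincipal -ObjectId $PrincipalId -ErrorAction SilentlyContinue
$app  = Get-AzADApplication      -ObjectId $PrincipalId -ErrorAction SilentlyContinue
$user = Get-AzADUser             -ObjectId $PrincipalId -ErrorAction SilentlyContinue
$principal = $sp ?? $app ?? $user
if (-not $principal) {
    throw "ID $PrincipalId does not resolve to a user, application or service principal in this tenant."
}
"Resolved to: $($principal.DisplayName)"

# 3. Grant Network Contributor scoped to the virtual network only (the narrower of
#    the two scopes the answer offers) in the subscription that hosts the vnet.
Set-AzContext -Subscription $VnetSubscription | Out-Null
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $VnetResourceGroup
New-AzRoleAssignment -ObjectId $principal.Id -RoleDefinitionName 'Network Contributor' -Scope $vnet.Id

# 4. Re-register the Key Vault resource provider in the subscription that hosts the vault.
Set-AzContext -Subscription $VaultSubscription | Out-Null
Register-AzResourceProvider -ProviderNamespace 'Microsoft.KeyVault'

# 5. Retry the subnet rule, the CLI equivalent of Add -> Save in the vault's Networking blade.
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
Add-AzKeyVaultNetworkRule -VaultName $VaultName -VirtualNetworkResourceId $subnet.Id
```

Steps 3 and 4 change role assignments and provider state, so run step 1 and step 2 first and only proceed when the conditional assignment or the resolved principal actually explains the error.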
