Azure KeyVault Extension for PowerShell Secret Management requires Azure Resource Read Permission to create Secrets. #17712

Closed
bebravosch opened this issue Apr 4, 2022 · 6 comments
Labels: bug, customer-reported, KeyVault

@bebravosch

Description

When a user tries to create a Secret in KeyVault using the PowerShell Secret Management, it fails if the user doesn't have a Read Role Assignment over the Azure Resource in addition to the KeyVault Access Policy Secret permission. Creating the Secret using the Az.KeyVault Set-AzKeyVaultSecret cmdlet works without needing this Read Role Assignment over the Azure Resource. Once the Read Role Assignment has been provided, the user is able to create the secret using the Secret Management Extension. Other actions such as Get-Secret work without this Role Assignment.

Issue script & Debug output

Set-Secret -Name Secret -Vault 'KVTest' -Secret @{
>> tenant = 'xxxxxx'
>> clientid = 'xxxxxxxxxxxxxx'
>> secret = 'xxxxxxxxxxxxxxxxxx'
>> tenantid = 'xxxxxxxxxxxxxxxxxx'
>> appatt = 'xxxxxxxxxxxxxxxxxxxxx'
>> username = 'testuser@xxxxxxx.onmicrosoft.com'
>> password = 'xxxxxxxx'
>> } -Debug

Set-Secret : Unable to add secret gac4 to vault KVTest
At line:1 char:1
+ Set-Secret -Name gac4 -Vault 'KVTest' -Secret @{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power...sionVaultModule:ExtensionVaultModule) [Set-Secret],
    PSInvalidOperationException
    + FullyQualifiedErrorId : SetSecretInvalidOperation,Microsoft.PowerShell.SecretManagement.SetSecretCommand

Environment data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.22000.282
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22000.282
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

Get-Module

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     2.7.4      Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Conn...
Manifest   3.1.0.0    Microsoft.PowerShell.Management     {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Con...
Binary     1.1.2      Microsoft.PowerShell.SecretManag... {Get-Secret, Get-SecretInfo, Get-SecretVault, Register-Sec...
Manifest   3.0.0.0    Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl...
Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Manifest   3.0.0.0    Microsoft.WSMan.Management          {Connect-WSMan, Disable-WSManCredSSP, Disconnect-WSMan, En...
Script     2.0.0      PSReadline

Error output

Resolve-AzError
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use
`Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other
information on breaking changes in Azure PowerShell.


   HistoryId: 1


Message        : Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more
                 information.
StackTrace     :    at System.Reflection.RuntimeModule.GetTypes(RuntimeModule module)
                    at System.Reflection.Assembly.GetTypes()
                    at Microsoft.PowerShell.Commands.AddTypeCommand.LoadAssemblyFromPathOrName(List`1 generatedTypes)
                    at Microsoft.PowerShell.Commands.AddTypeCommand.EndProcessing()
                    at System.Management.Automation.CommandProcessorBase.Complete()
Exception      : System.Reflection.ReflectionTypeLoadException
InvocationInfo : {Add-Type}
Line           :                     Add-Type -Path $_.FullName -ErrorAction Ignore | Out-Null

Position       : At C:\Program Files\WindowsPowerShell\Modules\Az.Accounts\2.7.4\Az.Accounts.psm1:39 char:21
                 + ...                Add-Type -Path $_.FullName -ErrorAction Ignore | Out-N ...
                 +                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 1
@bebravosch bebravosch added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Apr 4, 2022
@ghost ghost added customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Apr 4, 2022
@kevinblumenfeld

I am also having this issue.

@kevinblumenfeld

Perhaps @SteveL-MSFT can provide some insight?

@BethanyZhou
Contributor

BethanyZhou commented Apr 7, 2022

Hi @bebravosch ,

Seems like this is an issue from PowerShell Secret Management.
https://github.com/PowerShell/SecretManagement/blob/c8364615c60d2f8366ea13307961a09c69177af3/src/code/SecretManagement.cs#L1590-L1591

It should be

if (NoClobber.IsPresent &&
                SecretExistsInVault(....

Otherwise, this command always checks whether the secret exists before writing the secret.

Could you provide HTTP payload by setting $DebugPreference = "Continue" and re-running your command in PowerShell console to confirm my guess?
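
The ordering described in the comment above, as an added PowerShell model that is not code from SecretManagement or Az.KeyVault: the stub vault, the `ResourceRead` and `SecretSet` permission names, and all `*-Stub*` functions are hypothetical. It runs each variant as a principal that holds only the set permission, and also shows that `-NoClobber` still needs the read.

```powershell
# Constructed model. 'ResourceRead' stands in for the Read role assignment on
# the Azure resource, 'SecretSet' for the Key Vault access-policy set permission.
function New-StubVault {
    param([string[]]$Granted)
    [pscustomobject]@{
        Granted = $Granted
        Store   = @{}
        Calls   = [System.Collections.Generic.List[string]]::new()
    }
}

function Assert-StubPermission {
    param($Vault, [string]$Permission, [string]$Operation)
    $Vault.Calls.Add($Operation)   # record every call the vault receives
    if ($Vault.Granted -notcontains $Permission) {
        throw "Forbidden: '$Operation' requires $Permission"
    }
}

function Test-StubSecretExists {
    param($Vault, [string]$Name)
    Assert-StubPermission $Vault 'ResourceRead' 'exists-check'
    $Vault.Store.ContainsKey($Name)
}

function Write-StubSecret {
    param($Vault, [string]$Name, $Value)
    Assert-StubPermission $Vault 'SecretSet' 'write'
    $Vault.Store[$Name] = $Value
}

# Existence check evaluated first, so it runs on every write.
function Set-StubSecretAlwaysCheck {
    param($Vault, [string]$Name, $Value, [switch]$NoClobber)
    if ((Test-StubSecretExists $Vault $Name) -and $NoClobber) {
        throw "Secret '$Name' already exists"
    }
    Write-StubSecret $Vault $Name $Value
}

# Order proposed in the comment: -and short-circuits, so the check only runs
# when -NoClobber was requested.
function Set-StubSecretGuarded {
    param($Vault, [string]$Name, $Value, [switch]$NoClobber)
    if ($NoClobber -and (Test-StubSecretExists $Vault $Name)) {
        throw "Secret '$Name' already exists"
    }
    Write-StubSecret $Vault $Name $Value
}

# Run one variant as a principal that was granted 'SecretSet' only.
function Invoke-StubCase {
    param([string]$Command, [switch]$NoClobber)
    $vault = New-StubVault -Granted 'SecretSet'
    try {
        & $Command $vault 'gac5' 'constructed-value' -NoClobber:$NoClobber
        $result = 'written'
    } catch {
        $result = $_.Exception.Message
    }
    [pscustomobject]@{
        Command   = $Command
        NoClobber = [bool]$NoClobber
        Calls     = $vault.Calls -join ','
        Result    = $result
    }
}

Invoke-StubCase Set-StubSecretAlwaysCheck
Invoke-StubCase Set-StubSecretGuarded
Invoke-StubCase Set-StubSecretGuarded -NoClobber
```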

@bebravosch
Author

@BethanyZhou running $DebugPreference = "Continue" before executing the commands returns nothing.

Here is the output for when I attempted to run it. At the bottom is the command to create the Secret.

PS C:\WINDOWS\system32> $DebugPreference = "Continue"
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> Get-SecretVault

Name       ModuleName  IsDefaultVault
----       ----------  --------------
MyKVTest   Az.KeyVault False
ZeusKVTest Az.KeyVault True

PS C:\WINDOWS\system32> Connect-AzAccount
DEBUG: 9:20:28 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 9:20:28 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 9:20:28 AM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 9:20:28 AM - Using Autosave scope 'CurrentUser'
DEBUG: 9:20:28 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with
TenantId:'', Scopes:'https://management.core.windows.net//.default',
AuthorityHost:'https://login.microsoftonline.com/', RedirectUri:'http://localhost:8400/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ]
ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:28 - ] MSAL MSAL.Desktop with
assembly version '4.30.1.0'. CorrelationId(cc72dd63-f3bf-45d1-89fd-8510d8720497)
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:28 - ] === InteractiveParameters Data

LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:28 - ]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - cc72dd63-f3bf-45d1-89fd-8510d8720497
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:28 - ] === Token Acquisition
(InteractiveRequest) started:

Authority Host: login.microsoftonline.com
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:28 - ] Azure region was not
configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:28 - ] Using legacy embedded browser.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:28 - ] Resolving authority
endpoints... Already resolved? - TRUE
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Redirect Uri was reached.
Stopping webview navigation...
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] An authorization code was
retrieved from the /authorize endpoint.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Exchanging the auth code for
tokens.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] === InteractiveParameters Data

LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Resolving authority
endpoints... Already resolved? - TRUE
DEBUG: Request [610e242e-c9a9-4473-8fe2-26f6f1015188] POST
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:REDACTED
x-ms-return-client-request-id:REDACTED
User-Agent:REDACTED
Content-Type:REDACTED
client assembly: Azure.Identity
DEBUG: Response [610e242e-c9a9-4473-8fe2-26f6f1015188] 200 OK (00.8s)
Pragma:REDACTED
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
client-request-id:REDACTED
x-ms-request-id:REDACTED
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:REDACTED
P3P:REDACTED
Set-Cookie:REDACTED
Date:REDACTED
Content-Length:REDACTED
Content-Type:REDACTED
Expires:REDACTED
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Checking client info returned
from the server..
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Saving Token Response to
cache..
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Subject not present in Id
token
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Azure region was not
configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Saving AT in cache and
removing overlapping ATs...
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Looking for scopes for the
authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Intersecting scope entries
count - 2
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Matching entries after
filtering by user - 1
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Saving Id Token and Account in
cache ...
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Saving RT in cache...
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34] Not writing FRT in ADAL legacy
cache.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Fetched access token from host
login.microsoftonline.com.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] === Token Acquisition finished
successfully. An access token was returned with Expiration Time: 04/08/2022 16:41:01 +00:00 and Scopes
https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default
DEBUG: InteractiveBrowserCredential.Authenticate succeeded. Scopes: [ https://management.core.windows.net//.default ]
ParentRequestId: ExpiresOn: 2022-04-08T16:41:01.0000000+00:00
DEBUG: 9:20:34 AM - [MsalAccessToken] Calling InteractiveBrowserCredential.GetTokenAsync -
Scopes:'https://management.core.windows.net//.default'
DEBUG: InteractiveBrowserCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ]
ParentRequestId:
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] MSAL MSAL.Desktop with
assembly version '4.30.1.0'. CorrelationId(6e7f39b6-0cef-4072-88b4-f230de6731f8)
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] === AcquireTokenSilent
Parameters ===
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] LoginHint provided: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Account provided: True
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] ForceRefresh: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 6e7f39b6-0cef-4072-88b4-f230de6731f8
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] === Token Acquisition
(SilentRequest) started:

Authority Host: login.microsoftonline.com
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Azure region was not
configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Access token is not expired.
Returning the found cache entry. [Current time (04/08/2022 15:20:34) - Expiration Time (04/08/2022 16:41:01 +00:00) -
Extended Expiration Time (04/08/2022 16:41:01 +00:00)]
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Returning access token found
in cache. RefreshOn exists ? False
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] Fetched access token from host
login.microsoftonline.com.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:34 - ] === Token Acquisition finished
successfully. An access token was returned with Expiration Time: 04/08/2022 16:41:01 +00:00 and Scopes
https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default
DEBUG: InteractiveBrowserCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ]
ParentRequestId: ExpiresOn: 2022-04-08T16:41:01.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/tenants?api-version=2021-01-01

Headers:
x-ms-client-request-id : 7a1b9d2a-3001-474a-8af0-e76274397d36
accept-language : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id : 6c6ab70d-13e6-42f8-b544-2f0fd051a2f0
x-ms-correlation-request-id : 6c6ab70d-13e6-42f8-b544-2f0fd051a2f0
x-ms-routing-request-id : CANADACENTRAL:20220408T152035Z:6c6ab70d-13e6-42f8-b544-2f0fd051a2f0
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Cache-Control : no-cache
Date : Fri, 08 Apr 2022 15:20:34 GMT

Body:
{
"value": [
{
"id": "/tenants/7eb88218-fdb7-4e87-a08d-8f5dd7155760",
"tenantId": "7eb88218-fdb7-4e87-a08d-8f5dd7155760",
"countryCode": "CR",
"displayName": "TJL",
"domains": [
"batcave4u.onmicrosoft.com",
"batcave4u.mail.onmicrosoft.com"
],
"tenantCategory": "Home",
"defaultDomain": "batcave4u.onmicrosoft.com",
"tenantType": "AAD"
}
]
}

DEBUG: 9:20:35 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync -
TenantId:'7eb88218-fdb7-4e87-a08d-8f5dd7155760', Scopes:'https://management.core.windows.net//.default',
AuthorityHost:'https://login.microsoftonline.com/', UserId:'testuser@batcave4u.onmicrosoft.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ]
ParentRequestId:
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] Azure region was not
configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35] Found 3 cache accounts and 0
broker accounts
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35] Returning 3 accounts
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] MSAL MSAL.Desktop with
assembly version '4.30.1.0'. CorrelationId(f6a5b5ff-578f-43fc-bf8e-eb1433f4f2a7)
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] === AcquireTokenSilent
Parameters ===
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] LoginHint provided: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] Account provided: True
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] ForceRefresh: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - f6a5b5ff-578f-43fc-bf8e-eb1433f4f2a7
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] === Token Acquisition
(SilentRequest) started:

Authority Host: login.microsoftonline.com
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] Azure region was not
configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] Access token is not expired.
Returning the found cache entry. [Current time (04/08/2022 15:20:35) - Expiration Time (04/08/2022 16:41:01 +00:00) -
Extended Expiration Time (04/08/2022 16:41:01 +00:00)]
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] Returning access token found
in cache. RefreshOn exists ? False
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] Fetched access token from host
login.microsoftonline.com.
DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Enterprise [04/08/2022 15:20:35 - ] === Token Acquisition finished
successfully. An access token was returned with Expiration Time: 04/08/2022 16:41:01 +00:00 and Scopes
https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ]
ParentRequestId: ExpiresOn: 2022-04-08T16:41:01.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions?api-version=2021-01-01

Headers:
x-ms-client-request-id : 7a1b9d2a-3001-474a-8af0-e76274397d36
accept-language : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id : 723afa16-2565-4b14-a108-1016e576a1c4
x-ms-correlation-request-id : 723afa16-2565-4b14-a108-1016e576a1c4
x-ms-routing-request-id : CANADACENTRAL:20220408T152035Z:723afa16-2565-4b14-a108-1016e576a1c4
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Cache-Control : no-cache
Date : Fri, 08 Apr 2022 15:20:35 GMT

Body:
{
"value": [],
"count": {
"type": "Total",
"value": 0
}
}

DEBUG: AzureQoSEvent: Module: Az.Accounts:2.7.4; CommandName: Connect-AzAccount; PSVersion: 5.1.22000.282; IsSuccess:
True; Duration: 00:00:07.2828885
DEBUG: Finish sending metric.
DEBUG: 9:20:37 AM - ConnectAzureRmAccountCommand end processing.
Account                            SubscriptionName TenantId                             Environment
-------                            ---------------- --------                             -----------
testuser@batcave4u.onmicrosoft.com                  7eb88218-fdb7-4e87-a08d-8f5dd7155760 AzureCloud

PS C:\WINDOWS\system32> Set-Secret -Name gac5 -Vault 'ZeusKVTest' -Secret @{

tenant = 'batcave4u'
clientid = '8d17d327-7eb0-4bf7-8618-10b938dca0c0'
secret = 'abasaafjvoradhfaoedsafdgsdgadFjS'
tenantid = '7eb88218-fdb7-4e87-a08d-8f5dd7155760'
appatt = '9165016077844be19c8ee5563401ff8a'
username = 'testuser@batcave4u.onmicrosoft.com'
password = 'abcabc'
}
Set-Secret : Unable to add secret gac5 to vault ZeusKVTest
At line:1 char:1
+ Set-Secret -Name gac5 -Vault 'ZeusKVTest' -Secret @{
    + CategoryInfo          : InvalidOperation: (Microsoft.Power...sionVaultModule:ExtensionVaultModule) [Set-Secret],
    PSInvalidOperationException
    + FullyQualifiedErrorId : SetSecretInvalidOperation,Microsoft.PowerShell.SecretManagement.SetSecretCommand

PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32>

@BethanyZhou
Contributor

Hi @bebravosch, thanks for your quick response. What's the HTTP request and response of running the following? It's important information for us.

Set-Secret -Name gac5 -Vault 'ZeusKVTest' -Secret @{

tenant = 'batcave4u'
clientid = '8d17d327-7eb0-4bf7-8618-10b938dca0c0'
secret = 'abasaafjvoradhfaoedsafdgsdgadFjS'
tenantid = '7eb88218-fdb7-4e87-a08d-8f5dd7155760'
appatt = '9165016077844be19c8ee5563401ff8a'
username = 'testuser@batcave4u.onmicrosoft.com'
password = 'abcabc'
}

@dingmeng-xue
Member

It will be available on April 26. Close it now.
