KeyVaultAccessToken is ignored

[arthubms]

Description

Calling Set-AzureKeyVaultSecret after having connected with the -AccessToken, -GraphAccessToken, -KeyVaultAccessToken
fails. Fiddler traces (and debug option) shows that the token used for the KeyVault operations is the AccessToken. Call using the AccessToken (eg Get-AzResourceGroup) or the Graph token (eg Get-AzAdUser) suceed

Steps to reproduce

Obtain bearer tokens (from eg. ADAL), connect and try to update a KeyVault:

$mgmtToken #audience: https://management.core.windows.net/
$msToken #audience: https://graph.windows.net
$vaultToken #audience: https://vault.azure.net - Doublecheck that it is Correct Audience by pasting token into jwt.ms
 Add-AzAccount -AccountId $usrrName -AccessToken $mgmtToken -GraphAccessToken $msToken -KeyVaultAccessToken $vaultToken
 Set-AzKeyVaultSecret -VaultName "VaultName" -Name "SecretName" -SecretValue (ConvertTo-SecureString -Force -AsPlainText "SecretValue")

Environment data

Name                           Value                                                                                   
----                           -----                                                                                   
PSVersion                      5.1.19041.546                                                                           
PSEdition                      Desktop                                                                                 
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                 
BuildVersion                   10.0.19041.546                                                                          
CLRVersion                     4.0.30319.42000                                                                         
WSManStackVersion              3.0                                                                                     
PSRemotingProtocolVersion      2.3                                                                                     
SerializationVersion           1.1.0.1                                                                                 

Module versions

    Directory: C:\Users\arthub\Documents\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands                                             
---------- -------    ----                                ----------------                                             
Script     1.9.4      Az.Accounts                         {Disable-AzDataCollection, Disable-AzContextAutosave, Enab...
Script     1.1.1      Az.Advisor                          {Get-AzAdvisorRecommendation, Enable-AzAdvisorRecommendati...
Script     1.3.0      Az.Aks                              {Get-AzAksCluster, New-AzAksCluster, Remove-AzAksCluster, ...
Script     1.1.4      Az.AnalysisServices                 {Resume-AzAnalysisServicesServer, Suspend-AzAnalysisServic...
Script     2.1.0      Az.ApiManagement                    {Add-AzApiManagementApiToGateway, Add-AzApiManagementApiTo...
Script     1.1.0      Az.ApplicationInsights              {Get-AzApplicationInsights, New-AzApplicationInsights, Rem...
Script     1.4.0      Az.Automation                       {Get-AzAutomationHybridWorkerGroup, Remove-AzAutomationHyb...
Script     3.1.0      Az.Batch                            {Remove-AzBatchAccount, Get-AzBatchAccount, Get-AzBatchAcc...
Script     1.0.3      Az.Billing                          {Get-AzBillingInvoice, Get-AzBillingPeriod, Get-AzEnrollme...
Script     1.4.3      Az.Cdn                              {Get-AzCdnProfile, Get-AzCdnProfileSsoUrl, New-AzCdnProfil...
Script     1.6.0      Az.CognitiveServices                {Get-AzCognitiveServicesAccount, Get-AzCognitiveServicesAc...
Script     4.4.0      Az.Compute                          {Remove-AzAvailabilitySet, Get-AzAvailabilitySet, New-AzAv...
Script     1.0.3      Az.ContainerInstance                {New-AzContainerGroup, Get-AzContainerGroup, Remove-AzCont...
Script     1.1.1      Az.ContainerRegistry                {New-AzContainerRegistry, Get-AzContainerRegistry, Update-...
Script     1.1.0      Az.DataBoxEdge                      {Get-AzDataBoxEdgeJob, Get-AzDataBoxEdgeDevice, Invoke-AzD...
Script     1.10.1     Az.DataFactory                      {Set-AzDataFactoryV2, Update-AzDataFactoryV2, Get-AzDataFa...
Script     1.0.2      Az.DataLakeAnalytics                {Get-AzDataLakeAnalyticsDataSource, New-AzDataLakeAnalytic...
Script     1.2.8      Az.DataLakeStore                    {Get-AzDataLakeStoreTrustedIdProvider, Remove-AzDataLakeSt...
Script     1.0.0      Az.DataShare                        {New-AzDataShareAccount, Get-AzDataShareAccount, Remove-Az...
Script     1.1.0      Az.DeploymentManager                {Get-AzDeploymentManagerArtifactSource, New-AzDeploymentMa...
Script     1.0.0      Az.DesktopVirtualization            {Disconnect-AzWvdUserSession, Get-AzWvdApplication, Get-Az...
Script     1.0.2      Az.DevTestLabs                      {Get-AzDtlAllowedVMSizesPolicy, Get-AzDtlAutoShutdownPolic...
Script     1.1.2      Az.Dns                              {Get-AzDnsRecordSet, New-AzDnsRecordConfig, Remove-AzDnsRe...
Script     1.3.0      Az.EventGrid                        {New-AzEventGridTopic, Get-AzEventGridTopic, Set-AzEventGr...
Script     1.6.0      Az.EventHub                         {New-AzEventHubNamespace, Get-AzEventHubNamespace, Set-AzE...
Script     1.6.1      Az.FrontDoor                        {New-AzFrontDoor, Get-AzFrontDoor, Set-AzFrontDoor, Remove...
Script     1.0.2      Az.Functions                        {Get-AzFunctionApp, Get-AzFunctionAppAvailableLocation, Ge...
Script     3.6.0      Az.HDInsight                        {Get-AzHDInsightJob, New-AzHDInsightSqoopJobDefinition, Wa...
Script     1.1.0      Az.HealthcareApis                   {New-AzHealthcareApisService, Remove-AzHealthcareApisServi...
Script     2.5.0      Az.IotHub                           {Add-AzIotHubKey, Get-AzIotHubEventHubConsumerGroup, Get-A...
Script     2.2.0      Az.KeyVault                         {Add-AzKeyVaultCertificate, Update-AzKeyVaultCertificate, ...
Script     1.0.0      Az.Kusto                            {Add-AzKustoClusterLanguageExtension, Add-AzKustoDatabaseP...
Script     1.3.2      Az.LogicApp                         {Get-AzIntegrationAccountAgreement, Get-AzIntegrationAccou...
Script     1.1.3      Az.MachineLearning                  {Move-AzMlCommitmentAssociation, Get-AzMlCommitmentAssocia...
Script     1.1.0      Az.Maintenance                      {Get-AzApplyUpdate, Get-AzConfigurationAssignment, Get-AzM...
Script     1.1.0      Az.ManagedServices                  {Get-AzManagedServicesAssignment, New-AzManagedServicesAss...
Script     1.0.2      Az.MarketplaceOrdering              {Get-AzMarketplaceTerms, Set-AzMarketplaceTerms}             
Script     1.1.1      Az.Media                            {Sync-AzMediaServiceStorageKey, Set-AzMediaServiceKey, Get...
Script     2.1.0      Az.Monitor                          {Get-AzMetricDefinition, Get-AzMetric, Remove-AzLogProfile...
Script     3.4.0      Az.Network                          {Add-AzApplicationGatewayAuthenticationCertificate, Get-Az...
Script     1.1.1      Az.NotificationHubs                 {Get-AzNotificationHub, Get-AzNotificationHubAuthorization...
Script     2.3.0      Az.OperationalInsights              {New-AzOperationalInsightsAzureActivityLogDataSource, New-...
Script     1.3.1      Az.PolicyInsights                   {Get-AzPolicyEvent, Get-AzPolicyState, Get-AzPolicyStateSu...
Script     1.1.2      Az.PowerBIEmbedded                  {Remove-AzPowerBIWorkspaceCollection, Get-AzPowerBIWorkspa...
Script     1.0.3      Az.PrivateDns                       {Get-AzPrivateDnsZone, Remove-AzPrivateDnsZone, Set-AzPriv...
Script     2.12.1     Az.RecoveryServices                 {Get-AzRecoveryServicesBackupProperty, Get-AzRecoveryServi...
Script     1.2.1      Az.RedisCache                       {Remove-AzRedisCachePatchSchedule, New-AzRedisCacheSchedul...
Script     1.0.3      Az.Relay                            {New-AzRelayNamespace, Get-AzRelayNamespace, Set-AzRelayNa...
Script     2.5.1      Az.Resources                        {Get-AzProviderOperation, Remove-AzRoleAssignment, Get-AzR...
Script     1.4.1      Az.ServiceBus                       {New-AzServiceBusNamespace, Get-AzServiceBusNamespace, Set...
Script     2.2.0      Az.ServiceFabric                    {Add-AzServiceFabricClientCertificate, Add-AzServiceFabric...
Script     1.2.0      Az.SignalR                          {New-AzSignalR, Get-AzSignalR, Get-AzSignalRKey, New-AzSig...
Script     2.10.0     Az.Sql                              {Get-AzSqlDatabaseTransparentDataEncryption, Get-AzSqlData...
Script     1.1.0      Az.SqlVirtualMachine                {New-AzSqlVM, Get-AzSqlVM, Update-AzSqlVM, Remove-AzSqlVM...}
Script     2.6.0      Az.Storage                          {Get-AzStorageAccount, Get-AzStorageAccountKey, New-AzStor...
Script     1.3.0      Az.StorageSync                      {Invoke-AzStorageSyncCompatibilityCheck, New-AzStorageSync...
Script     1.0.1      Az.StreamAnalytics                  {Get-AzStreamAnalyticsFunction, Get-AzStreamAnalyticsDefau...
Script     1.0.0      Az.Support                          {Get-AzSupportService, Get-AzSupportProblemClassification,...
Script     1.0.4      Az.TrafficManager                   {Add-AzTrafficManagerCustomHeaderToEndpoint, Remove-AzTraf...
Script     1.11.0     Az.Websites                         {Get-AzAppServicePlan, Set-AzAppServicePlan, New-AzAppServ...
Binary     1.0.193... Microsoft.RDInfra.RDPowershell      {Get-RdsContext, Set-RdsContext, Add-RdsAccount, Get-RdsTe...
Binary     1.0.2      MicrosoftTeams                      {Add-TeamUser, Set-TeamArchivedState, Get-CsPolicyPackage,...
Script     1.4.7      PackageManagement                   {Find-Package, Get-Package, Get-PackageProvider, Get-Packa...
Script     2.0.4      PSReadLine                          {Get-PSReadLineKeyHandler, Set-PSReadLineKeyHandler, Remov...
Binary     3.16.19... SharePointPnPPowerShellOnline       {Add-PnPAlert, Add-PnPApp, Add-PnPClientSidePage, Add-PnPC...
Script     1.0        tmp_IPPSSession                     {Get-PSImplicitRemotingClientSideParameters, Write-PSImpli...


    Directory: C:\Program Files\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands                                             
---------- -------    ----                                ----------------                                             
Script     5.1.2      Azure                               {Get-AzureAutomationCertificate, Get-AzureAutomationConnec...
Script     0.5.4      Azure.AnalysisServices              {Add-AzureAnalysisServicesAccount, Restart-AzureAnalysisSe...
Manifest   0.5.0      Azure.AnalysisServices              {Add-AzureAnalysisServicesAccount, Restart-AzureAnalysisSe...
Script     4.6.1      Azure.Storage                       {Get-AzureStorageTable, New-AzureStorageTableSASToken, New...
Script     4.2.1      Azure.Storage                       {Get-AzureStorageTable, New-AzureStorageTableSASToken, New...
Script     1.3.71     AzureADAuthUtils                    {Get-MicrosoftGraphAPIAccessTokenFromAppKey, Get-Microsoft...
Script     1.3.67     AzureADAuthUtils                    {Get-MicrosoftGraphAPIAccessTokenFromAppKey, Get-Microsoft...
Script     1.3.66     AzureADAuthUtils                    {Get-MicrosoftGraphAPIAccessTokenFromAppKey, Get-Microsoft...
Script     1.2.45     AzureADAuthUtils                    {Get-MicrosoftGraphAPIAccessTokenFromAppKey, Get-Microsoft...
Binary     2.0.2.105  AzureADPreview                      {Add-AzureADApplicationOwner, Get-AzureADApplication, Get-...
Binary     2.0.2.27   AzureADPreview                      {Add-AzureADApplicationOwner, Get-AzureADApplication, Get-...
Script     0.4578.0   ExchangeOnlineManagement            {Get-EXOCasMailbox, Get-EXOMailbox, Get-EXOMailboxFolderPe...
Binary     16.0.19... Microsoft.Online.SharePoint.Powe... {Register-SPODataEncryptionPolicy, Update-SPODataEncryptio...
Script     1.0.1      Microsoft.PowerShell.Operation.V... {Get-OperationValidation, Invoke-OperationValidation}        
Manifest   1.1.183.57 MSOnline                            {Get-MsolDevice, Remove-MsolDevice, Enable-MsolDevice, Dis...
Manifest   1.1.183.17 MSOnline                            {Get-MsolDevice, Remove-MsolDevice, Enable-MsolDevice, Dis...
Script     1.3.3      NuGet                                                                                            
Binary     1.0.0.1    PackageManagement                   {Find-Package, Get-Package, Get-PackageProvider, Get-Packa...
Script     3.4.0      Pester                              {Describe, Context, It, Should...}                           
Script     1.0.0.1    PowerShellGet                       {Install-Module, Find-Module, Save-Module, Update-Module...} 
Script     2.0.0      PSReadline                          {Get-PSReadLineKeyHandler, Set-PSReadLineKeyHandler, Remov...
Script     1.0.0.0    PublishCloudPrinter                 Publish-CloudPrinter                                         


    Directory: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules


ModuleType Version    Name                                ExportedCommands                                             
---------- -------    ----                                ----------------                                             
Manifest   1.0.1.0    ActiveDirectory                     {Add-ADCentralAccessPolicyMember, Add-ADComputerServiceAcc...
Binary     5.0.0.0    AdmPwd.PS                           {Update-AdmPwdADSchema, Get-AdmPwdPassword, Reset-AdmPwdPa...
Manifest   1.0.0.0    AppBackgroundTask                   {Disable-AppBackgroundTaskDiagnosticLog, Enable-AppBackgro...
Manifest   2.0.0.0    AppLocker                           {Get-AppLockerFileInformation, Get-AppLockerPolicy, New-Ap...
Manifest   1.0.0.0    AppvClient                          {Add-AppvClientConnectionGroup, Add-AppvClientPackage, Add...
Manifest   2.0.1.0    Appx                                {Add-AppxPackage, Get-AppxPackage, Get-AppxPackageManifest...
Script     1.0.0.0    AssignedAccess                      {Clear-AssignedAccess, Get-AssignedAccess, Set-AssignedAcc...
Manifest   1.0        BestPractices                       {Get-BpaModel, Get-BpaResult, Invoke-BpaModel, Set-BpaResult}
Manifest   1.0.0.0    BitLocker                           {Unlock-BitLocker, Suspend-BitLocker, Resume-BitLocker, Re...
Manifest   2.0.0.0    BitsTransfer                        {Add-BitsFile, Complete-BitsTransfer, Get-BitsTransfer, Re...
Manifest   1.0.0.0    BranchCache                         {Add-BCDataCacheExtension, Clear-BCCache, Disable-BC, Disa...
Manifest   1.0.0.0    CimCmdlets                          {Get-CimAssociatedInstance, Get-CimClass, Get-CimInstance,...
Binary     2.0.0.0    ClusterAwareUpdating                {Get-CauPlugin, Register-CauPlugin, Unregister-CauPlugin, ...
Manifest   1.0        ConfigCI                            {Get-SystemDriver, New-CIPolicyRule, New-CIPolicy, Get-CIP...
Manifest   1.0        ConfigDefender                      {Get-MpPreference, Set-MpPreference, Add-MpPreference, Rem...
Manifest   1.0        Defender                            {Get-MpPreference, Set-MpPreference, Add-MpPreference, Rem...
Manifest   1.0.2.0    DeliveryOptimization                {Delete-DeliveryOptimizationCache, Set-DeliveryOptimizatio...
Manifest   1.0        DFSN                                {Get-DfsnRoot, Remove-DfsnRoot, Set-DfsnRoot, New-DfsnRoot...
Binary     2.0.0.0    DFSR                                {New-DfsReplicationGroup, Get-DfsReplicationGroup, Set-Dfs...
Manifest   2.0.0.0    DhcpServer                          {Add-DhcpServerInDC, Add-DhcpServerv4Class, Add-DhcpServer...
Manifest   1.0.0.0    DirectAccessClientComponents        {Disable-DAManualEntryPointSelection, Enable-DAManualEntry...
Script     3.0        Dism                                {Add-AppxProvisionedPackage, Add-WindowsDriver, Add-Window...
Manifest   1.0.0.0    DnsClient                           {Resolve-DnsName, Clear-DnsClientCache, Get-DnsClient, Get...
Manifest   2.0.0.0    DnsServer                           {Add-DnsServerConditionalForwarderZone, Add-DnsServerDirec...
Manifest   1.0.0.0    EventTracingManagement              {Start-EtwTraceSession, New-EtwTraceSession, Get-EtwTraceS...
Manifest   2.0.0.0    FailoverClusters                    {Add-ClusterCheckpoint, Add-ClusterDisk, Add-ClusterFileSe...
Manifest   1.0.0.0    GroupPolicy                         {Backup-GPO, Block-GPInheritance, Copy-GPO, Get-GPInherita...
Manifest   1.0.0.0    HgsClient                           {Get-HgsAttestationBaselinePolicy, Get-HgsClientConfigurat...
Manifest   1.0.0.0    HgsDiagnostics                      {New-HgsTraceTarget, Get-HgsTrace, Get-HgsTraceFileData, T...
Manifest   1.0.0.1    HostNetworkingService               {Remove-HnsNamespace, Remove-HnsEndpoint, Get-HnsEndpoint,...
Binary     2.0.0.0    Hyper-V                             {Add-VMAssignableDevice, Add-VMDvdDrive, Add-VMFibreChanne...
Binary     1.1        Hyper-V                             {Add-VMDvdDrive, Add-VMFibreChannelHba, Add-VMHardDiskDriv...
Manifest   2.0.0.0    International                       {Get-WinDefaultInputMethodOverride, Set-WinDefaultInputMet...
Manifest   2.0.0.0    IpamServer                          {Get-IpamDhcpConfigurationEvent, Remove-IpamDhcpConfigurat...
Manifest   1.0.0.0    iSCSI                               {Get-IscsiTargetPortal, New-IscsiTargetPortal, Remove-Iscs...
Manifest   2.0.0.0    IscsiTarget                         {Add-ClusteriSCSITargetServerRole, Add-IscsiVirtualDiskTar...
Script     1.0.0.0    ISE                                 {New-IseSnippet, Import-IseSnippet, Get-IseSnippet}          
Manifest   1.0.0.0    Kds                                 {Add-KdsRootKey, Get-KdsRootKey, Test-KdsRootKey, Set-KdsC...
Manifest   1.0.1.0    Microsoft.PowerShell.Archive        {Compress-Archive, Expand-Archive}                           
Manifest   3.0.0.0    Microsoft.PowerShell.Diagnostics    {Get-WinEvent, Get-Counter, Import-Counter, Export-Counter...
Manifest   3.0.0.0    Microsoft.PowerShell.Host           {Start-Transcript, Stop-Transcript}                          
Manifest   1.0.0.0    Microsoft.PowerShell.LocalAccounts  {Add-LocalGroupMember, Disable-LocalUser, Enable-LocalUser...
Manifest   3.1.0.0    Microsoft.PowerShell.Management     {Add-Content, Clear-Content, Clear-ItemProperty, Join-Path...
Script     1.0        Microsoft.PowerShell.ODataUtils     Export-ODataEndpointProxy                                    
Manifest   3.0.0.0    Microsoft.PowerShell.Security       {Get-Acl, Set-Acl, Get-PfxCertificate, Get-Credential...}    
Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Format-List, Format-Custom, Format-Table, Format-Wide...}   
Manifest   3.0.0.0    Microsoft.WSMan.Management          {Disable-WSManCredSSP, Enable-WSManCredSSP, Get-WSManCredS...
Manifest   1.0        MMAgent                             {Disable-MMAgent, Enable-MMAgent, Set-MMAgent, Get-MMAgent...
Manifest   1.0.0.0    MsDtc                               {New-DtcDiagnosticTransaction, Complete-DtcDiagnosticTrans...
Manifest   2.0.0.0    NetAdapter                          {Disable-NetAdapter, Disable-NetAdapterBinding, Disable-Ne...
Manifest   1.0.0.0    NetConnection                       {Get-NetConnectionProfile, Set-NetConnectionProfile}         
Manifest   1.0.0.0    NetEventPacketCapture               {New-NetEventSession, Remove-NetEventSession, Get-NetEvent...
Manifest   2.0.0.0    NetLbfo                             {Add-NetLbfoTeamMember, Add-NetLbfoTeamNic, Get-NetLbfoTea...
Manifest   1.0        NetLldpAgent                        {Enable-NetLldpAgent, Disable-NetLldpAgent, Get-NetLldpAgent}
Manifest   1.0.0.0    NetNat                              {Get-NetNat, Get-NetNatExternalAddress, Get-NetNatStaticMa...
Manifest   2.0.0.0    NetQos                              {Get-NetQosPolicy, Set-NetQosPolicy, Remove-NetQosPolicy, ...
Manifest   2.0.0.0    NetSecurity                         {Get-DAPolicyChange, New-NetIPsecAuthProposal, New-NetIPse...
Manifest   1.0.0.0    NetSwitchTeam                       {New-NetSwitchTeam, Remove-NetSwitchTeam, Get-NetSwitchTea...
Manifest   1.0.0.0    NetTCPIP                            {Get-NetIPAddress, Get-NetIPInterface, Get-NetIPv4Protocol...
Manifest   1.0.0.0    NetworkConnectivityStatus           {Get-DAConnectionStatus, Get-NCSIPolicyConfiguration, Rese...
Manifest   1.0.0.0    NetworkController                   {Add-NetworkControllerNode, Disable-NetworkControllerNode,...
Manifest   1.0.0.0    NetworkControllerDiagnostics        {Get-NetworkControllerDeploymentInfo, Get-NetworkControlle...
Manifest   2.0.0.0    NetworkLoadBalancingClusters        {Add-NlbClusterNode, Add-NlbClusterNodeDip, Add-NlbCluster...
Manifest   1.0.0.0    NetworkSwitchManager                {Disable-NetworkSwitchEthernetPort, Enable-NetworkSwitchEt...
Manifest   1.0.0.0    NetworkTransition                   {Add-NetIPHttpsCertBinding, Disable-NetDnsTransitionConfig...
Manifest   1.0        NFS                                 {Get-NfsMappedIdentity, Get-NfsNetgroup, Install-NfsMappin...
Manifest   1.0.0.0    PcsvDevice                          {Get-PcsvDevice, Start-PcsvDevice, Stop-PcsvDevice, Restar...
Binary     1.0.0.0    PersistentMemory                    {Get-PmemDisk, Get-PmemPhysicalDevice, Get-PmemUnusedRegio...
Manifest   1.0.0.0    PKI                                 {Add-CertificateEnrollmentPolicyServer, Export-Certificate...
Manifest   1.0.0.0    PlatformIdentifier                  Get-PlatformIdentifier                                       
Manifest   1.0.0.0    PnpDevice                           {Get-PnpDevice, Get-PnpDeviceProperty, Enable-PnpDevice, D...
Manifest   1.1        PrintManagement                     {Add-Printer, Add-PrinterDriver, Add-PrinterPort, Get-Prin...
Binary     1.0.11     ProcessMitigations                  {Get-ProcessMitigation, Set-ProcessMitigation, ConvertTo-P...
Script     3.0        Provisioning                        {Install-ProvisioningPackage, Export-ProvisioningPackage, ...
Manifest   1.1        PSDesiredStateConfiguration         {Set-DscLocalConfigurationManager, Start-DscConfiguration,...
Script     1.0.0.0    PSDiagnostics                       {Disable-PSTrace, Disable-PSWSManCombinedTrace, Disable-WS...
Binary     1.1.0.0    PSScheduledJob                      {New-JobTrigger, Add-JobTrigger, Remove-JobTrigger, Get-Jo...
Manifest   2.0.0.0    PSWorkflow                          {New-PSWorkflowExecutionOption, New-PSWorkflowSession, nwsn} 
Manifest   1.0.0.0    PSWorkflowUtility                   Invoke-AsWorkflow                                            
Manifest   3.0.0.0    RemoteAccess                        {Add-DAAppServer, Add-DAClient, Add-DAClientDnsConfigurati...
Manifest   2.0.0.0    RemoteDesktop                       {Get-RDCertificate, Set-RDCertificate, New-RDCertificate, ...
Manifest   1.0.0.0    ScheduledTasks                      {Get-ScheduledTask, Set-ScheduledTask, Register-ScheduledT...
Manifest   2.0.0.0    SecureBoot                          {Confirm-SecureBootUEFI, Set-SecureBootUEFI, Get-SecureBoo...
Script     2.0.0.0    ServerManager                       {Get-WindowsFeature, Install-WindowsFeature, Uninstall-Win...
Cim        1.0.0.0    ServerManagerTasks                  {Get-SMCounterSample, Get-SMPerformanceCollector, Start-SM...
Manifest   1.0.0.0    ShieldedVMDataFile                  {Import-ShieldingDataFile, New-ShieldingDataFile, New-Volu...
Script     1.0.0.0    ShieldedVMProvisioning              {New-ShieldedVMSpecializationDataFile, Test-ShieldingDataA...
Manifest   1.0.0.0    ShieldedVMTemplate                  {Protect-TemplateDisk, Initialize-VMShieldingHelperVHD}      
Manifest   2.0.0.0    SmbShare                            {Get-SmbShare, Remove-SmbShare, Set-SmbShare, Block-SmbSha...
Manifest   2.0.0.0    SmbWitness                          {Get-SmbWitnessClient, Move-SmbWitnessClient, gsmbw, msmbw...
Manifest   1.0.0.0    StartLayout                         {Export-StartLayout, Import-StartLayout, Export-StartLayou...
Manifest   2.0.0.0    Storage                             {Add-InitiatorIdToMaskingSet, Add-PartitionAccessPath, Add...
Manifest   1.0.0.0    StorageBusCache                     {Clear-StorageBusDisk, Disable-StorageBusCache, Disable-St...
Binary     1.0.0.0    StorageMigrationService             {Get-SmsInventory, New-SmsInventory, Remove-SmsInventory, ...
Manifest   1.0.0.0    StorageQoS                          {Get-StorageQoSPolicy, Get-StorageQoSPolicyStore, Set-Stor...
Manifest   1.0        StorageReplica                      {Test-SRTopology, New-SRGroup, Remove-SRGroup, Set-SRGroup...
Binary     1.0.0.0    SystemInsights                      {Add-InsightsCapability, Remove-InsightsCapability, Update...
Manifest   2.0.0.0    TLS                                 {New-TlsSessionTicketKey, Enable-TlsSessionTicketKey, Disa...
Manifest   1.0.0.0    TroubleshootingPack                 {Get-TroubleshootingPack, Invoke-TroubleshootingPack}        
Manifest   2.0.0.0    TrustedPlatformModule               {Get-Tpm, Initialize-Tpm, Clear-Tpm, Unblock-Tpm...}         
Binary     2.1.639.0  UEV                                 {Clear-UevConfiguration, Clear-UevAppxPackage, Restore-Uev...
Manifest   2.0.0.0    UpdateServices                      {Add-WsusComputer, Approve-WsusUpdate, Deny-WsusUpdate, Ge...
Manifest   2.0.0.0    VpnClient                           {Add-VpnConnection, Set-VpnConnection, Remove-VpnConnectio...
Manifest   1.0.0.0    Wdac                                {Get-OdbcDriver, Set-OdbcDriver, Get-OdbcDsn, Add-OdbcDsn...}
Manifest   2.0.0.0    Whea                                {Get-WheaMemoryPolicy, Set-WheaMemoryPolicy}                 
Manifest   1.0.0.0    WindowsDeveloperLicense             {Get-WindowsDeveloperLicense, Unregister-WindowsDeveloperL...
Script     1.0        WindowsErrorReporting               {Enable-WindowsErrorReporting, Disable-WindowsErrorReporti...
Manifest   1.0.0.0    WindowsSearch                       {Get-WindowsSearchSetting, Set-WindowsSearchSetting}         
Manifest   1.0.0.0    WindowsUpdate                       Get-WindowsUpdateLog                                         
Manifest   1.0.0.2    WindowsUpdateProvider               {Get-WUAVersion, Get-WULastInstallationDate, Get-WULastSca...


    Directory: C:\Program Files\Common Files\Skype for Business Online\Modules


ModuleType Version    Name                                ExportedCommands                                             
---------- -------    ----                                ----------------                                             
Manifest   7.0.0.0    LyncOnlineConnector                                                                              
Script     7.0.0.0    SkypeOnlineConnector                {Get-CsOnlinePowerShellEndpoint, Get-CsOnlinePowerShellAcc...

Debug output

DEBUG: 21:06:55 - SetAzureKeyVaultSecret begin processing with ParameterSet 'Default'.
DEBUG: 21:06:55 - using account id 'admin@M365x083195.onmicrosoft.com'...
WARNING: Upcoming breaking changes in the cmdlet 'Set-AzKeyVaultSecret' :
- The output type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecret' is changing
- The following properties in the output type are being deprecated : 'SecretValueText'
- The change is expected to take effect from the version : '3.0.0'
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other
information on breaking changes in Azure PowerShell.
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://pimfunckeyvault.vault.azure.net//secrets/DeleteIt?api-version=7.0

Headers:
x-ms-client-request-id        : 76a6b145-5bd7-4c80-9f41-95c6967ff8f7
accept-language               : en-US

Body:
{
  "value": "Password1",
  "attributes": {
    "enabled": true
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Unauthorized

Headers:
Pragma                        : no-cache
x-ms-keyvault-region          : westeurope
x-ms-request-id               : 28110d1e-b80d-45b4-aba1-4d66d9bb7c43
x-ms-keyvault-service-version : 1.2.27.0
x-ms-keyvault-network-info    : conn_type=Ipv4;addr=176.22.136.162;act_addr_fam=InterNetwork;
Strict-Transport-Security     : max-age=31536000;includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Thu, 01 Oct 2020 19:06:53 GMT
WWW-Authenticate              : Bearer authorization="https://login.windows.net/1bacb652-4947-484c-bfe2-9b9a758e815d",
resource="https://vault.azure.net"
X-AspNet-Version              : 4.0.30319
X-Powered-By                  : ASP.NET

Body:
{
  "error": {
    "code": "Unauthorized",
    "message": "AKV10022: Invalid audience. Expected https://vault.azure.net, found:
https://management.core.windows.net/."
  }
}

Set-AzKeyVaultSecret : Operation returned an invalid status code 'Unauthorized'
At line:1 char:1
+ Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzKeyVaultSecret], KeyVaultErrorException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret

DEBUG: AzureQoSEvent: CommandName - Set-AzKeyVaultSecret; IsSuccess - False; Duration - 00:00:00.5253508;; Exception -
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Unauthorized'
   at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.SetSecret(String vaultName, String secretName,
 SecureString secretValue, PSKeyVaultSecretAttributes secretAttributes)
   at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
DEBUG: Finish sending metric.
DEBUG: 21:06:56 - SetAzureKeyVaultSecret end processing.

Error output

DEBUG: 21:08:28 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 21:08:28 - using account id 'admin@M365x083195.onmicrosoft.com'...
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.


   HistoryId: 26


Message        : Operation returned an invalid status code 'Unauthorized'
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.SetSecret(String vaultName, String secretName, SecureString secretValue, PSKeyVaultSecretAttributes secretAttributes)
                    at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Azure.KeyVault.Models.KeyVaultErrorException
InvocationInfo : {Set-AzKeyVaultSecret}
Line           : Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -SecretValue (ConvertTo-SecureString -Force -AsPlainText "Password1")
Position       : At line:1 char:1
                 + Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -S ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 26



   HistoryId: 20


Message        : Operation returned an invalid status code 'Unauthorized'
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.SetSecret(String vaultName, String secretName, SecureString secretValue, PSKeyVaultSecretAttributes secretAttributes)
                    at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Azure.KeyVault.Models.KeyVaultErrorException
InvocationInfo : {Set-AzKeyVaultSecret}
Line           : Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -SecretValue (ConvertTo-SecureString -Force -AsPlainText "Password1") -Debug
Position       : At line:1 char:1
                 + Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -S ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 20



   HistoryId: 16


Message        : Operation returned an invalid status code 'Unauthorized'
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.SetSecret(String vaultName, String secretName, SecureString secretValue, PSKeyVaultSecretAttributes secretAttributes)
                    at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Azure.KeyVault.Models.KeyVaultErrorException
InvocationInfo : {Set-AzKeyVaultSecret}
Line           : Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -SecretValue (ConvertTo-SecureString -Force -AsPlainText "Password1") -Debug
Position       : At line:1 char:1
                 + Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -S ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 16



   HistoryId: 15


Message        : Operation returned an invalid status code 'Unauthorized'
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.SetSecret(String vaultName, String secretName, SecureString secretValue, PSKeyVaultSecretAttributes secretAttributes)
                    at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Azure.KeyVault.Models.KeyVaultErrorException
InvocationInfo : {Set-AzKeyVaultSecret}
Line           : Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -SecretValue (ConvertTo-SecureString -Force -AsPlainText "Password1")
Position       : At line:1 char:1
                 + Set-AzKeyVaultSecret -VaultName "PIMFuncKeyVault" -Name "DeleteIt" -S ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 15



   HistoryId: -1


Message        : Unable to find type [Microsoft.PowerShell.Commands.PowerShellGet.Telemetry].
StackTrace     :    at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
                    at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Exception      : System.Management.Automation.RuntimeException
InvocationInfo : {}
Line           :     $telemetryMethods = ([Microsoft.PowerShell.Commands.PowerShellGet.Telemetry] | Get-Member -Static).Name

Position       : At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:715 char:26
                 + ... yMethods = ([Microsoft.PowerShell.Commands.PowerShellGet.Telemetry] | ...
                 +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : -1


The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.

DEBUG: AzureQoSEvent: CommandName - Resolve-AzError; IsSuccess - True; Duration - 00:00:00.0524345;
DEBUG: Finish sending metric.
DEBUG: 21:08:29 - ResolveError end processing.

[Pistle]

When the app fails to load configuration using the provider, an error message is written to the ASP.NET Core Logging infrastructure. The following conditions will prevent configuration from loading:

The app or certificate isn't configured correctly in Azure Active Directory.
The key vault doesn't exist in Azure Key Vault.
The app isn't authorized to access the key vault.
The access policy doesn't include Get and List permissions.
In the key vault, the configuration data (name-value pair) is incorrectly named, missing, disabled, or expired.
The app has the wrong key vault name (KeyVaultName), Azure AD Application Id (AzureADApplicationId), or Azure AD certificate thumbprint (AzureADCertThumbprint).
The configuration key (name) is incorrect in the app for the value you're trying to load.
When adding the access policy for the app to the key vault, the policy was created, but the Save button wasn't selected in the Access policies UI.

[arthubms]

Hi
We have validated that the supplied token is valid and has the correct audience.
If connecting with the standard Add-AzAccount we can write to the KeyVault, confirming that KeyVault names and secret names are correct.

The reference to the ASP.NET Core Logging Infrastructure is unclear. Where would we find that log?

[markcowl]

@arthubms Thanks for the bug report, will take a look

[isra-fel]

Looking at it. Will keep the thread updated

[cveld]

Is this Az PowerShell Module 4.7.0 related? We have issues when accessing a Key Vault when using an Azure Context that has been created with the -KeyVaultAccessToken parameter. We get a "forbidden" error. Seems the same as reported issue above.