
The errors indicate that the Power Apps wrapping service (which uses the Service Principal you created) cannot access or verify the necessary configuration on the Azure Key Vault.
The process of wrapping an app for Android requires signing certificates, which must be stored in an Azure Key Vault. The Service Principal is the identity that Power Apps uses to access those secrets.
Does the AppId or DisplayName need to match the documentation?
DisplayName: No, it does not have to match. The display name is just a human-readable label. You can choose any name (like "Wrap KeyVault Access App" or your own specific name) as long as it's descriptive and unique in your Azure Active Directory.
AppId (Application ID): No, it will NOT match. The AppId is a unique GUID generated by Azure when you run the New-AzureADServicePrincipal command. You must use the AppId provided in the command from the documentation (4e1f8dc5-5a42-45ce-a096-700fa485ba20) as the value for the -AppId parameter when running the command. The output of the command will give your Service Principal a new, unique ObjectID and AppId (which is the one you are questioning).
Conclusion: The -AppId parameter used in the command New-AzureADServicePrincipal -AppId 4e1f8dc5-5a42-45ce-a096-700fa485ba20... MUST be that specific value because it's the Application ID for the Microsoft Service that handles the wrapping process. The Service Principal you are creating acts as an intermediary for this Microsoft Service. Your colleagues were correct to use the AppId from the documentation.
Since the Service Principal was created, the most likely cause of the error is missing or incorrect access policies on the Azure Key Vault itself.
You must grant the newly created Service Principal the correct permissions to access the secrets in your Key Vault.
Action Steps (You'll need a Key Vault Administrator to do this):

1. Get the Service Principal's Object ID: Retrieve the Object ID of the Service Principal created by your colleagues (e.g., "Wrap KeyVault Access App").
2. Navigate to Azure Key Vault: Go to the specific Azure Key Vault resource you are using for your wrapping certificate.
3. Configure Access Policy:
   - Go to "Access policies."
   - Click "+ Create" or "+ Add Access Policy."
   - Under "Secret permissions," grant the following minimum permissions:
     - Get
     - List
   - Under "Certificate permissions," grant the following minimum permissions:
     - Get
     - List
   - Select the Service Principal (the new one created for wrapping) as the "Principal."
   - Save/Add the new access policy, and then Save the Key Vault configuration.

After ensuring these Get and List permissions are set for both Secrets and Certificates for the new Service Principal, the Power Apps wrapping service should be able to check the Key Vault configuration, and the errors should be resolved.
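
The same steps can be scripted and checked from PowerShell. This is an added example, not part of the original answer: it assumes the Az PowerShell modules, an existing Connect-AzAccount session, and a vault on the access policy permission model. The vault name is a placeholder, and the AppId is the one quoted above.

```powershell
# Added example: grant and verify the Get/List access policy for the wrap service principal.
$VaultName = '<your-key-vault-name>'                   # placeholder, replace with your vault
$WrapAppId = '4e1f8dc5-5a42-45ce-a096-700fa485ba20'    # AppId quoted in the answer above
$Required  = 'get', 'list'

# Step 1: resolve the service principal's Object ID in this tenant.
$sp = Get-AzADServicePrincipal -ApplicationId $WrapAppId
if (-not $sp) { throw "No service principal found for AppId $WrapAppId in this tenant." }

# Step 2: locate the vault and confirm access policies are actually in effect.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Key Vault '$VaultName' not found in the current subscription." }
if ($vault.EnableRbacAuthorization) {
    Write-Warning "Vault uses the Azure RBAC permission model; access policies are not evaluated."
}

# Step 3: grant only Get and List on secrets and certificates.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id `
    -PermissionsToSecrets $Required -PermissionsToCertificates $Required

# Verify: re-read the policy, then report missing and surplus permissions.
$policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) { throw "No access policy found for Object ID $($sp.Id)." }

foreach ($kind in 'PermissionsToSecrets', 'PermissionsToCertificates', 'PermissionsToKeys') {
    $granted = @($policy.$kind | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $wanted  = if ($kind -eq 'PermissionsToKeys') { @() } else { $Required }
    $missing = @($wanted  | Where-Object { $_ -notin $granted })
    $extra   = @($granted | Where-Object { $_ -notin $wanted })

    if ($missing) { Write-Warning "${kind}: missing $($missing -join ', ')" }
    if ($extra)   { Write-Warning "${kind}: beyond Get/List: $($extra -join ', ')" }
    if (-not $missing -and -not $extra) { Write-Output "${kind}: OK" }
}
```

Any "beyond Get/List" warning means the principal holds more than the minimum listed above and is worth reviewing before the vault is used for signing certificates.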