AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
An API is deployed as an App Service on Azure. It connects to a Key Vault that is on the same subscription. An access policy was created for the App Service in the Key Vault. The App Service is configured with a system assigned identity. When the API attempts to access the key vault, the following error occurs:
AKV10032: Invalid issuer. Expected one of https://sts.windows.net/b68456ea-cf3c-4835-9d30-a4b164f33190/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/98de912a-48b9-4d1d-b5cd-21fd3f4f449d/.
Edit: I've removed a lot of content from this question as there was an error in it and I've been on the wrong track. Both the Key Vault and the App Service do use the same tenant (contrary to my original post). The tenant ID is 98de912a-48b9-4d1d-b5cd-21fd3f4f449d, which is the one that is found in the error message above.
Solution 1:[1]
You cannot change the Key Vault's AAD tenant.
If you use system-assigned managed identity on the App Service, it'll create a service principal in the same AAD tenant where the App Service is. If the Key Vault and App Service are in the same subscription, they are under the same AAD tenant as well then. You should be able to add that service principal to Key Vault access policies then and use it to access Key Vault.
If you have an app registration/service principal in another AAD tenant however, it cannot access the Key Vault.
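The AKV10032 message is itself the diagnostic: the "Expected one of" list is the set of issuer tenants the Key Vault will accept, and "found" is the tenant that actually issued the token the App Service presented. The following Python, added here as an example and not part of the question or juunas's answer, parses that message and compares it against the `iss` claim of the token the app obtained, so you can see at a glance whether the identity you are using belongs to the vault's tenant. The token used below is constructed and unsigned so the script runs offline; the issuer URLs and tenant IDs are the ones quoted in the question, and the claims are read without signature verification, which is fine for troubleshooting but never for an authorization decision.

```python
import base64
import json
import re
from typing import List, Optional, Tuple

# Issuer values quoted in the question's AKV10032 error (page values, not invented).
SAMPLE_ERROR = (
    "AKV10032: Invalid issuer. Expected one of "
    "https://sts.windows.net/b68456ea-cf3c-4835-9d30-a4b164f33190/, "
    "https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, "
    "https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, "
    "found https://sts.windows.net/98de912a-48b9-4d1d-b5cd-21fd3f4f449d/."
)
FOUND_ISSUER = "https://sts.windows.net/98de912a-48b9-4d1d-b5cd-21fd3f4f449d/"

# v1 Azure AD issuer: https://sts.windows.net/<tenant GUID>/
ISSUER_RE = re.compile(r"https://sts\.windows\.net/([0-9a-f-]{36})/")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Use this only to inspect 'iss' / 'aud' / 'tid' while troubleshooting."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_tenant(issuer: str) -> Optional[str]:
    """Extract the tenant GUID from an sts.windows.net issuer URL, or None."""
    m = ISSUER_RE.fullmatch(issuer)
    return m.group(1) if m else None


def parse_akv10032(message: str) -> Tuple[List[str], Optional[str]]:
    """Split an AKV10032 message into (expected issuers, found issuer)."""
    if "found " not in message:
        raise ValueError("message does not look like AKV10032")
    expected_part, found_part = message.split("found ", 1)
    expected = [m.group(0) for m in ISSUER_RE.finditer(expected_part)]
    found = ISSUER_RE.search(found_part)
    return expected, found.group(0) if found else None


def token_matches_vault(token: str, expected_issuers: List[str]) -> Tuple[bool, str]:
    """Report whether the token's issuer tenant is one the Key Vault accepts."""
    tenant = issuer_tenant(jwt_claims(token).get("iss", "")) or ""
    accepted = {issuer_tenant(i) for i in expected_issuers}
    return tenant in accepted, tenant


def make_unsigned_token(issuer: str, audience: str = "https://vault.azure.net") -> str:
    """CONSTRUCTED unsigned JWT so the example runs offline.  A real token is
    the one the App Service obtains from its managed identity endpoint."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "tid": issuer_tenant(issuer)}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # empty signature segment
    ])


if __name__ == "__main__":
    expected, found = parse_akv10032(SAMPLE_ERROR)
    print("Key Vault accepts tenants:", [issuer_tenant(i) for i in expected])
    print("Token was issued by tenant:", issuer_tenant(found or ""))
    ok, tenant = token_matches_vault(make_unsigned_token(FOUND_ISSUER), expected)
    print("identity tenant", tenant, "accepted by vault:", ok)
```

If the tenant printed for the token is not in the accepted list, the identity presenting the token was created in a different directory than the vault, which is exactly the case the answer rules out; if it is in the list yet the call still fails, the access policy for that principal is the next thing to check.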
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | juunas |
