Change a key vault tenant ID after a subscription move

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

When you create a new key vault in a subscription, it is automatically tied to the default Azure Active Directory tenant ID for that subscription. All access policy entries are also tied to this tenant ID.

If you move your Azure subscription from tenant A to tenant B, your existing key vaults are inaccessible by the principals (users and applications) in tenant B. To fix this issue, you need to:

  • Change the tenant ID associated with all existing key vaults in the subscription to tenant B.
  • Remove all existing access policy entries.
  • Add new access policy entries associated with tenant B.

For example, if you have key vault 'myvault' in a subscription that has been moved from tenant A to tenant B, you can use Azure PowerShell to change the tenant ID and remove old access policies.

Select-AzSubscription -SubscriptionId <your-subscriptionId>                # Select your Azure subscription
$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId          # Get your key vault's resource ID
$vault = Get-AzResource -ResourceId $vaultResourceId -ExpandProperties     # Get the properties for your key vault
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId               # Change the tenant that your key vault resides in
$vault.Properties.AccessPolicies = @()                                     # Access policies could be populated here with the real
                                                                           # applications/users/rights so that it does not need to be
                                                                           # done after this whole activity. Here we are not setting
                                                                           # any access policies.
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties  # Write the modified properties back to the key vault

Or you can use the Azure CLI.

az account set -s <your-subscriptionId>                                    # Select your Azure subscription
tenantId=$(az account show --query tenantId --output tsv)                  # Get your tenantId (tsv output drops the JSON quotes)
az keyvault update -n myvault --remove Properties.accessPolicies           # Remove the access policies
az keyvault update -n myvault --set Properties.tenantId=$tenantId          # Update the key vault tenantId

Now that your vault is associated with the correct tenant ID and the old access policy entries are removed, set new access policy entries with the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet or the Azure CLI az keyvault set-policy command.

If you are using a managed identity for Azure resources, you will need to update it to the new Azure AD tenant as well. For more information on managed identities, see Provide Key Vault authentication with a managed identity.

If you are using MSI, you'll also have to update the MSI identity, since the old identity will no longer be in the correct AAD tenant.
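The re-authorization step, as an added example that is not part of the original article: it confirms that myvault now reports the tenant of the current Az context before granting anything, lists any entries left over from tenant A, then adds one least-privilege access policy entry for a tenant B principal and verifies it was recorded. The principal object ID is a placeholder you must replace.

```powershell
# Added example: re-add access policies only after confirming the vault is in the new tenant.
# <objectId-in-tenant-B> is a placeholder for the object ID of a user, group or service
# principal that exists in tenant B (look it up with Get-AzADUser or Get-AzADServicePrincipal).
$vaultName   = 'myvault'
$principalId = '<objectId-in-tenant-B>'

$vault         = Get-AzKeyVault -VaultName $vaultName
$vaultTenant   = "$($vault.TenantId)"
$contextTenant = "$((Get-AzContext).Tenant.Id)"

# Guard: if the tenant IDs still differ, the new entry would reference an object ID from the
# wrong directory and silently grant nothing usable, so stop here instead.
if ($vaultTenant -ne $contextTenant) {
    throw "Vault '$vaultName' is in tenant $vaultTenant but the current context is $contextTenant. Change the vault tenant ID first."
}

# Any entries still present are tenant A principals that can no longer be resolved; surface them for review.
$stale = @($vault.AccessPolicies)
if ($stale.Count -gt 0) {
    Write-Warning "Vault '$vaultName' still has $($stale.Count) access policy entries from before the move:"
    $stale | Select-Object ObjectId, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates | Format-Table
}

# Grant only what the workload needs: read and enumerate secrets, nothing on keys or certificates.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToSecrets get, list

# Verify the new entry was recorded against the tenant B principal.
$entry = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
if (-not $entry) {
    throw "Access policy for $principalId was not applied to '$vaultName'."
}
"Granted secrets permissions [$($entry.PermissionsToSecrets -join ', ')] to $principalId in tenant $contextTenant"
```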

Next steps

If you have questions about Azure Key Vault, visit the Azure Key Vault Forums.