Azure Key Vault - Known Portal Issues: "The directory currently selected differs from this key vault's directory"

There are occasions when the Incubation team gets support cases for problems that occur in the Azure portal. It's greatly preferable to document these for public consumption rather than have you open a support case to figure out what to do. This problem sees quite a few support cases:

"The directory currently selected differs from this key vault's directory"


Although it's technically correct, it does not explain what happened and why you're seeing the problem.  It occurs when the internal "Tenant Id" value of the Key Vault does not match the Tenant Id of the subscription that currently owns the Key Vault.  It's probable that one of these things happened:

  1. The Key Vault was deployed to a subscription using an ARM Template that contains a different Tenant Id
  2. The subscription that owns the Key Vault was moved to a different Tenant (much more likely).

When the subscription is moved to a new tenant, the Key Vault's internal "Tenant Id" is not changed, so that the existing access policies (which point to Service Principals in the old tenant) do not automatically fail.  Once the Tenant Id of the Key Vault is changed to the new value, access policies for Service Principals in the old Tenant Id will no longer work.

It is possible to update the Tenant Id and get rid of this message by following these instructions:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-subscription-move-fix
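Before following those instructions it helps to see exactly which access policies the Tenant Id update will break. The check below is an added example, not part of the original post or of any Microsoft tooling: it takes the JSON shape returned by `az keyvault show -o json` plus the subscription's tenant (as reported by `az account show`), flags the mismatch, and lists the policies bound to principals outside the subscription's tenant. The vault name, tenant ids and object ids are constructed placeholders.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape of `az keyvault show -o json`.
# All ids below are placeholders, not real tenants or principals.
VAULT_JSON = """
{
  "name": "contoso-kv",
  "location": "westus",
  "properties": {
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "accessPolicies": [
      {"tenantId": "11111111-1111-1111-1111-111111111111",
       "objectId": "aaaaaaaa-0000-0000-0000-000000000001",
       "permissions": {"secrets": ["get", "list"]}},
      {"tenantId": "11111111-1111-1111-1111-111111111111",
       "objectId": "aaaaaaaa-0000-0000-0000-000000000002",
       "permissions": {"keys": ["sign"]}},
      {"tenantId": "22222222-2222-2222-2222-222222222222",
       "objectId": "bbbbbbbb-0000-0000-0000-000000000003",
       "permissions": {"certificates": ["get"]}}
    ]
  }
}
"""

# Constructed: tenant of the subscription that now owns the vault (`az account show`).
SUBSCRIPTION_TENANT = "22222222-2222-2222-2222-222222222222"


def check_vault_tenant(vault: Dict[str, Any], subscription_tenant: str) -> Dict[str, Any]:
    """Compare the vault's tenantId with the owning subscription's tenant and
    return the objectIds of access policies that will stop resolving once the
    vault's tenantId is updated (principals living in any other tenant)."""
    props = vault["properties"]
    vault_tenant = props["tenantId"].lower()
    sub_tenant = subscription_tenant.lower()
    # Case-insensitive compare: the portal and CLI are not consistent about GUID casing.
    orphaned: List[str] = [
        p["objectId"]
        for p in props.get("accessPolicies", [])
        if p["tenantId"].lower() != sub_tenant
    ]
    return {
        "mismatch": vault_tenant != sub_tenant,
        "vault_tenant": vault_tenant,
        "subscription_tenant": sub_tenant,
        "policies_to_recreate": orphaned,
    }


if __name__ == "__main__":
    print(json.dumps(check_vault_tenant(json.loads(VAULT_JSON), SUBSCRIPTION_TENANT), indent=2))
```

Each objectId in `policies_to_recreate` needs a matching principal in the new tenant and a fresh access policy entry after the fix; the policy already bound to the new tenant is left alone.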

Update on 8/15/2019
The Key Vault product team has made a change to the DNS validation process.  If a DNS name is in an orphaned state, on the first attempt at claiming it, it will still fail.  However, after 20 minutes, a second attempt will allow you to reuse the name if it's in the same region as the original vault.

Please follow us on Twitter and retweet!
@WinDevMatt @AzIdentity
