Keyvault create cmd fails in ADFS env

[viananth]

Description

Outline the issue here:
az keyvault create --name keyvaultName --resource-group UtilitiesRG --location Redmond --sku standard --enabled-for-deployment true --enabled-for-template-deployment true

fails in Azure Stack ADFS environment with the following error message:
"The access token has been obtained from wrong audience or resource 'https://graph.redmond.ext-n25r0405.masd.stbtest.microsoft.com/'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.adfs.n25r0405.masd.stbtest.microsoft.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx."

---

Environment summary

Install Method: How did you install the CLI? (e.g. pip, interactive script, apt-get, Docker, MSI, nightly)
Answer here:
pip install

CLI Version: What version of the CLI and modules are installed? (Use az --version)
Answer here:
azure-cli (2.0.13+1.dev20170813)

OS Version: What OS and version are you using?
Answer here:
Windows Server 2016 datacenter

Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
Answer here:
cmd.exe

[tjprescott]

The keyvault-create command makes Graph API calls using the active_directory_graph_resource_id property of the cloud. Does the Stack environment's cloud configuration have this endpoint set? Do the RBAC commands work?

[yugangw-msft]

I can take a first look to understand why a graph token was used for keyvault operation

[tjprescott]

It is used to assign access permissions for the KeyVault to the active user.

[viananth]

Yes, active_directory_graph_resource_id is set. And the authentication fails because keyvault create makes Graph api calls instead of active-directory call.

[viananth]

Closed via AzureAD/azure-activedirectory-library-for-python#105