| title | Azure Key Vault Errors in Wrap For Power Apps |
|---|---|
| description | Provides solutions for the Azure key vault errors that occur when using the wrap feature in Power Apps. |
| ms.reviewer | sitaramp, koagarwa |
| ms.author | arijitba |
| author | arijitba |
| ms.date | 08/04/2025 |
| ms.custom | no-azure-ad-ps-ref, azure-ad-ref-level-one-done, sap:App Management\Wrap an app |

This article provides step-by-step solutions for Azure Key Vault errors you might encounter when using the wrap wizard to build your mobile app.

| Error code | Error message |
|---|---|
| 1000118 | Default subscription not found or missing access permissions. |
| 1000119 | Key vault doesn't exist or is missing access privileges. |
| 1000120 | No organization ID tags found on key vault. Ensure that the tag {Bundle ID}.{organization-id} is present and uses the correct case sensitivity. |
| 1000121 | Android keystore isn't valid. Ensure that the tag {Bundle ID}.{keystore} is present and uses the correct case sensitivity. |
| 1000122 | iOS certificate isn't valid. Missing Tag and/or Secret. Ensure that the tag {Bundle ID}.{cert} is present and uses the correct case sensitivity. |
| 1000123 | iOS profile isn't valid. Ensure that the tag {Bundle ID}.{profile} is present and uses the correct case sensitivity. |
| 1000128 | Missing access key required to access the Azure Blob Storage location. Ensure that the tag {Bundle ID}.{accessKey} is present and uses the correct case sensitivity. |
| 1000130 | Missing default value: The required environment variable for setting up Azure Key Vault in the wrap wizard isn't set. |
| 1000131 | No tags or missing access permission for the specified Azure Key Vault. |
| 1000132 | Missing environment variable 'PA_Wrap_KV_ResourceID' for the targeted environment. |

Error message: Default subscription not found, or missing access permissions.

- Ensure your Azure key vault is in the tenant's Default subscription.
- As a Microsoft Entra ID (formerly Azure AD) admin, add the service principal for the AppID "4e1f8dc5-5a42-45ce-a096-700fa485ba20" by running the following commands in PowerShell:

  ```powershell
  Connect-Entra -TenantId <your tenant ID>
  New-EntraServicePrincipal -AppId 4e1f8dc5-5a42-45ce-a096-700fa485ba20 -DisplayName "Wrap KeyVault Access App"
  ```

- In the Azure portal, under Access Control (IAM), assign the Reader role to your service principal:
  - Go to Access control (IAM), and then select Add role assignment.
    :::image type="content" source="media/azure-key-vault-errors/add-role-assignment.png" alt-text="Screenshot that shows the Add role assignment option in the Access control (IAM) tab." lightbox="media/azure-key-vault-errors/add-role-assignment.png":::
  - Choose Reader under Job function roles and go to the Members tab.
    :::image type="content" source="media/azure-key-vault-errors/add-members.png" alt-text="Screenshot that shows the Members tab on the top menu." lightbox="media/azure-key-vault-errors/add-members.png":::
  - Search for your app name.
    :::image type="content" source="media/azure-key-vault-errors/select-members-to-add-role.png" alt-text="Screenshot that shows how to search for your app." lightbox="media/azure-key-vault-errors/select-members-to-add-role.png":::
  - Assign the Reader role.
    :::image type="content" source="media/azure-key-vault-errors/assign-reader-role-to-wrap-keyvault-access-app.png" alt-text="Screenshot that shows how to assign a Reader role to your app." lightbox="media/azure-key-vault-errors/assign-reader-role-to-wrap-keyvault-access-app.png":::

Error message: Key vault doesn't exist or is missing access privileges.

- Confirm your Azure key vault is in the tenant's Default subscription.
- While creating the key vault, select Vault access policy.
  :::image type="content" source="media/azure-key-vault-errors/vault-acces-policy.png" alt-text="Select the Vault Access policy option under the Access configuration tab.":::
- As a Microsoft Entra ID (formerly Azure AD) admin, add the service principal for the AppID "4e1f8dc5-5a42-45ce-a096-700fa485ba20" by running the following commands in PowerShell:

  ```powershell
  Connect-Entra -TenantId <your tenant ID>
  New-EntraServicePrincipal -AppId 4e1f8dc5-5a42-45ce-a096-700fa485ba20 -DisplayName "Wrap KeyVault Access App"
  ```

- In the Azure portal, assign the Reader role as shown in the previous error code section.
- Add access policies to the key vault:
  :::image type="content" source="media/azure-key-vault-errors/create-vault-access-policy.png" alt-text="Screenshot that shows how to add access policies for your Azure key vault.":::
  :::image type="content" source="media/azure-key-vault-errors/review-and-create-vault-policy.png" alt-text="Screenshot that shows how to review and create the vault access policy.":::

Error message: No organization ID tags found on key vault. Ensure that the tag {Bundle ID}.{organization-id} is present and uses the correct case sensitivity.

- In the Power Platform admin center, select your environment.
  :::image type="content" source="media/azure-key-vault-errors/environment-tab.png" alt-text="Screenshot that shows the Environment tab in Power Platform admin center." lightbox="media/azure-key-vault-errors/environment-tab.png":::
- Copy the Organization ID.
  :::image type="content" source="media/azure-key-vault-errors/organization-id.png" alt-text="Screenshot that shows the organization ID you can find in your environment in Power Platform admin center.":::
- In your key vault, go to Tags and create a tag named `organization-id` with your organization ID as the value.
  :::image type="content" source="media/azure-key-vault-errors/add-tag.png" alt-text="Screenshot that shows how to add an organization ID to a tag in Azure portal." lightbox="media/azure-key-vault-errors/add-tag.png":::

Error message: Android keystore isn't valid. Ensure that the tag {Bundle ID}.{keystore} is present and uses the correct case sensitivity.

- Import your Android Certificate.
  :::image type="content" source="media/azure-key-vault-errors/import-certificate.png" alt-text="Screenshot that shows how to import an Android certificate." lightbox="media/azure-key-vault-errors/import-certificate.png":::
  :::image type="content" source="media/azure-key-vault-errors/certificate-name.png" alt-text="Screenshot that shows how to create an Android certificate." lightbox="media/azure-key-vault-errors/certificate-name.png":::
- Add a Tag for your certificate:
  - Tag name: Use the same Bundle ID as your wrap project (for example, `com.testApp.wrap`).
  - Tag value: Use the certificate name you assigned when uploading (for example, `AndroidCertificate`).

  :::image type="content" source="media/azure-key-vault-errors/create-certificate-tag.png" alt-text="Screenshot that shows how to create a certificate tag." lightbox="media/azure-key-vault-errors/create-certificate-tag.png":::

Error message: iOS certificate isn't valid. Missing Tag and/or Secret. Ensure that the tag {Bundle ID}.{cert} is present and uses the correct case sensitivity.

- Import your iOS Certificate.
  :::image type="content" source="media/azure-key-vault-errors/import-certificate.png" alt-text="Screenshot that shows how to import an iOS certificate." lightbox="media/azure-key-vault-errors/import-certificate.png":::
  :::image type="content" source="media/azure-key-vault-errors/certificate-name-ios.png" alt-text="Screenshot that shows how to create an iOS certificate." lightbox="media/azure-key-vault-errors/certificate-name-ios.png":::
- Add a Tag for your certificate:
  - Tag name: Use the Bundle ID from your wrap project.
  - Tag value: Use the certificate name you assigned when uploading (for example, `iOSCertificate`).

  :::image type="content" source="media/azure-key-vault-errors/certificate-tag-ios.png" alt-text="Screenshot that shows how to create a certificate tag for iOS." lightbox="media/azure-key-vault-errors/certificate-tag-ios.png":::

Error message: iOS profile isn't valid. Ensure that the tag {Bundle ID}.{profile} is present and uses the correct case sensitivity.

- Import your Provisioning Profile as a Secret.
- Add a Tag for your provisioning profile:
  - Tag name: Use the Bundle ID from your wrap project.
  - Tag value: Use the name you gave the secret when uploading (for example, `iOSProvisioningProfile`).

  :::image type="content" source="media/azure-key-vault-errors/provisioning-profile-secret-tag.png" alt-text="Screenshot that shows how to create a tag for iOS Provisioning Profile Secret." lightbox="media/azure-key-vault-errors/provisioning-profile-secret-tag.png":::

Error message: Missing access key required to access the Azure Blob Storage location. Ensure that the tag {Bundle ID}.{accessKey} is present and uses the correct case sensitivity.

Add your access key from the Azure Blob storage account to the Azure key vault.

For more information, see Step 3: Choose target platform.

Error message: Missing default value: The required environment variable for setting up Azure Key Vault in the wrap wizard isn't set.

- Assign the resource ID of the Azure key vault you intend to use with your wrap application to the variable.
- Confirm that the specified resource ID includes all required tags associated with the Bundle ID defined in the wrap wizard.

For more information, see Step 3: Choose target platform.

Error message: No tags or missing access permission for the specified Azure Key Vault.

- Assign the resource ID of the Azure key vault you intend to use with your wrap application to the variable.
- Confirm that the specified resource ID includes all required tags associated with the Bundle ID defined in the wrap wizard.
- Ensure you have permission to access your key vault:
  - As a Microsoft Entra ID (formerly Azure AD) admin, add the service principal for the AppID "4e1f8dc5-5a42-45ce-a096-700fa485ba20" by running the following commands in PowerShell:

    ```powershell
    Connect-Entra -TenantId <your tenant ID>
    New-EntraServicePrincipal -AppId 4e1f8dc5-5a42-45ce-a096-700fa485ba20 -DisplayName "Wrap KeyVault Access App"
    ```

  - In the Azure portal, under Access Control (IAM), assign the Reader role to your service principal:
    - Go to Access control (IAM), and then select Add role assignment.
      :::image type="content" source="media/azure-key-vault-errors/add-role-assignment.png" alt-text="Screenshot that shows the Add role assignment option in the Access control (IAM) tab." lightbox="media/azure-key-vault-errors/add-role-assignment.png":::
    - Choose Reader under Job function roles and go to the Members tab.
      :::image type="content" source="media/azure-key-vault-errors/add-members.png" alt-text="Screenshot that shows the Members tab on the top menu." lightbox="media/azure-key-vault-errors/add-members.png":::
    - Search for your app name.
      :::image type="content" source="media/azure-key-vault-errors/select-members-to-add-role.png" alt-text="Screenshot that shows how to search for your app." lightbox="media/azure-key-vault-errors/select-members-to-add-role.png":::
    - Assign the Reader role.
      :::image type="content" source="media/azure-key-vault-errors/assign-reader-role-to-wrap-keyvault-access-app.png" alt-text="Screenshot that shows how to assign a Reader role to your app." lightbox="media/azure-key-vault-errors/assign-reader-role-to-wrap-keyvault-access-app.png":::

For more information, see Step 2: Target platform.
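
A read-only way to confirm the state the preceding steps are meant to produce (service principal present, Reader role, access policy, exact-case tags), given as an added example that is not part of the original article. It assumes the Az PowerShell module with an active `Connect-AzAccount` session; `Test-WrapKeyVaultSetup` and its parameters are hypothetical names.

```powershell
# Added example: read-only checks, nothing in the tenant or the vault is modified.
# Function and parameter names are hypothetical; run Connect-AzAccount first.
function Test-WrapKeyVaultSetup {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [string[]] $ExpectedTagNames = @()   # tag names the wrap wizard reports as missing
    )
    $wrapAppId = '4e1f8dc5-5a42-45ce-a096-700fa485ba20'   # AppID given in this article

    $sp = Get-AzADServicePrincipal -ApplicationId $wrapAppId
    if (-not $sp) { throw "No service principal for AppID $wrapAppId in this tenant." }

    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Key vault '$VaultName' not found in the current subscription." }

    # Role assignments the principal holds on the vault, its resource group or subscription.
    $roles = @(Get-AzRoleAssignment -ObjectId $sp.Id | Where-Object {
        $scope = $_.Scope.TrimEnd('/')
        $vault.ResourceId -eq $scope -or
        $vault.ResourceId.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase) })

    # Access-policy entry for the principal (applies only when RBAC authorization is off).
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

    # -contains ignores case; the error messages ask for an exact-case match,
    # so names that differ only by case are reported separately.
    $tagNames = @(if ($vault.Tags) { $vault.Tags.Keys })
    $tagReport = foreach ($name in $ExpectedTagNames) {
        [pscustomobject]@{
            Tag          = $name
            ExactMatch   = $tagNames -ccontains $name
            CaseMismatch = ($tagNames -contains $name) -and ($tagNames -cnotcontains $name)
        }
    }

    [pscustomobject]@{
        Subscription      = (Get-AzContext).Subscription.Name
        VaultResourceId   = $vault.ResourceId
        RbacAuthorization = $vault.EnableRbacAuthorization
        Roles             = @($roles | ForEach-Object RoleDefinitionName)
        RolesBeyondReader = @($roles | Where-Object RoleDefinitionName -ne 'Reader' |
                                ForEach-Object RoleDefinitionName)
        SecretPermissions = $policy.PermissionsToSecrets
        CertPermissions   = $policy.PermissionsToCertificates
        Tags              = $tagReport
    }
}
# Usage (vault name is a placeholder; 'organization-id' is the tag name from this article):
# Test-WrapKeyVaultSetup -VaultName '<your vault name>' -ExpectedTagNames 'organization-id'
```

A non-empty `RolesBeyondReader`, or secret and certificate permissions broader than the access policy you created, means the wrap service principal holds more access to the signing material than these steps grant.
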

Error message: Missing environment variable 'PA_Wrap_KV_ResourceID' for the targeted environment.

- Check whether the environment variable `PA_Wrap_KV_ResourceID` exists in the target environment. If it doesn't, create it.
- Ensure the name follows the correct naming convention without typos or formatting errors.

For more information, see Step 3: Choose target platform.

If your issue isn't covered here, or if the preceding steps don't resolve your problem, search for more support resources or contact Microsoft support and provide detailed steps to reproduce the problem.