Azure · evelyn-ys · May 27, 2021 · May 25, 2021 · May 25, 2021 · May 26, 2021
@@ -221,11 +221,13 @@ class CLISecurityDomainOperation(str, Enum):
         c.argument('hsm_name', deleted_hsm_name_type)
         c.argument('location', help='Location of the deleted Vault or HSM', required=False)
 
-    with self.argument_context('keyvault delete-policy') as c:
-        c.argument('object_id', validator=validate_principal)
+    for item in ['set-policy', 'delete-policy']:
+        with self.argument_context('keyvault {}'.format(item)) as c:
+            c.argument('object_id', validator=validate_principal)
+            c.argument('application_id', help='Application ID of the client making request on behalf of a principal. '
+                                              'Exposed for compound identity using on-behalf-of authentication flow.')
 
     with self.argument_context('keyvault set-policy', arg_group='Permission') as c:
-        c.argument('object_id', validator=validate_principal)
         c.argument('key_permissions', arg_type=get_enum_type(KeyPermissions), metavar='PERM', nargs='*',
                    help='Space-separated list of key permissions to assign.', validator=validate_policy_permissions)
         c.argument('secret_permissions', arg_type=get_enum_type(SecretPermissions), metavar='PERM', nargs='*',

@@ -885,7 +885,7 @@ def _permissions_distinct(permissions):
 
 
 def set_policy(cmd, client, resource_group_name, vault_name,
-               object_id=None, spn=None, upn=None, key_permissions=None, secret_permissions=None,
+               object_id=None, application_id=None, spn=None, upn=None, key_permissions=None, secret_permissions=None,
                certificate_permissions=None, storage_permissions=None, no_wait=False):
     """ Update security policy settings for a Key Vault. """
 
@@ -913,12 +913,14 @@ def set_policy(cmd, client, resource_group_name, vault_name,
     # Find the existing policy to set
     policy = next((p for p in vault.properties.access_policies
                    if object_id.lower() == p.object_id.lower() and
+                   _check_application_id_match(application_id, p.application_id) and
                    vault.properties.tenant_id.lower() == p.tenant_id.lower()), None)
     if not policy:
         # Add new policy as none found
         vault.properties.access_policies.append(AccessPolicyEntry(
             tenant_id=vault.properties.tenant_id,
             object_id=object_id,
+            application_id=application_id,
             permissions=Permissions(keys=key_permissions,
                                     secrets=secret_permissions,
                                     certificates=certificate_permissions,
@@ -1043,7 +1045,8 @@ def list_network_rules(cmd, client, resource_group_name, vault_name):  # pylint:
     return vault.properties.network_acls
 
 
-def delete_policy(cmd, client, resource_group_name, vault_name, object_id=None, spn=None, upn=None, no_wait=False):
+def delete_policy(cmd, client, resource_group_name, vault_name,
+                  object_id=None, application_id=None, spn=None, upn=None, no_wait=False):
     """ Delete security policy settings for a Key Vault. """
     VaultCreateOrUpdateParameters = cmd.get_models('VaultCreateOrUpdateParameters',
                                                    resource_type=ResourceType.MGMT_KEYVAULT)
@@ -1062,7 +1065,8 @@ def delete_policy(cmd, client, resource_group_name, vault_name, object_id=None,
     prev_policies_len = len(vault.properties.access_policies)
     vault.properties.access_policies = [p for p in vault.properties.access_policies if
                                         vault.properties.tenant_id.lower() != p.tenant_id.lower() or
-                                        object_id.lower() != p.object_id.lower()]
+                                        object_id.lower() != p.object_id.lower() or
+                                        not _check_application_id_match(application_id, p.application_id)]
     if len(vault.properties.access_policies) == prev_policies_len:
         raise CLIError('No matching policies found')
 
@@ -1076,6 +1080,16 @@ def delete_policy(cmd, client, resource_group_name, vault_name, object_id=None,
                                     tags=vault.tags,
                                     properties=vault.properties),
                                 no_wait=no_wait)
+
+
+def _check_application_id_match(application_id, existing_application_id):
+    if application_id and not existing_application_id:
+        return False
+    if not application_id and existing_application_id:
+        return False
+    if not application_id and not existing_application_id:
+        return True
+    return application_id.lower() == existing_application_id.lower()
 # endregion