Change the data type of ObjectId to string from Guid.

This is required for ADFS scenarios, where (unlike in AAD) object IDs are no
longer guaranteed to be Guids.

Note that this includes the AccessPolicyEntry change from the Azure SDK for .NET
NuGet package (Microsoft.Azure.Management.KeyVault.2.0.1-preview).

This change also transitions AKV to use platyPS help files.

Author: adarce

src/ResourceManager/KeyVault/Commands.KeyVault/Commands.KeyVault.csproj

@@ -168,7 +168,7 @@
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.2.0.0\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.KeyVault, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.2.0.0-preview\lib\net45\Microsoft.Azure.Management.KeyVault.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.2.0.1-preview\lib\net45\Microsoft.Azure.Management.KeyVault.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.ResourceManager, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/ResourceManager/KeyVault/Commands.KeyVault/Commands/NewAzureKeyVault.cs

@@ -22,7 +22,7 @@
 namespace Microsoft.Azure.Commands.KeyVault
 {
     /// <summary>
-    /// Create a new key vault. 
+    /// Create a new key vault.
     /// </summary>
     [Cmdlet(VerbsCommon.New, "AzureRmKeyVault",
         SupportsShouldProcess = true,
@@ -81,9 +81,9 @@ public class NewAzureKeyVault : KeyVaultManagementCmdletBase
 
         [Parameter(Mandatory = false,
             ValueFromPipelineByPropertyName = true,
-            HelpMessage = "Specifies the SKU of the key vault instance. For information about which features are available for each SKU, see the Azure Key Vault Pricing website (http://go.microsoft.com/fwlink/?linkid=512521).")]        
+            HelpMessage = "Specifies the SKU of the key vault instance. For information about which features are available for each SKU, see the Azure Key Vault Pricing website (http://go.microsoft.com/fwlink/?linkid=512521).")]
         public SkuName Sku { get; set; }
-        
+
         [Parameter(Mandatory = false,
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "A hash table which represents resource tags.")]
@@ -101,7 +101,7 @@ public override void ExecuteCmdlet()
                     throw new ArgumentException(PSKeyVaultProperties.Resources.VaultAlreadyExists);
                 }
 
-                var userObjectId = Guid.Empty;
+                var userObjectId = string.Empty;
                 AccessPolicyEntry accessPolicy = null;
 
                 try
@@ -114,7 +114,7 @@ public override void ExecuteCmdlet()
                     // This is to unblock Key Vault in Fairfax as Graph has issues in this environment.
                     WriteWarning(ex.Message);
                 }
-                if (userObjectId != Guid.Empty)
+                if (!string.IsNullOrWhiteSpace(userObjectId))
                 {
                     accessPolicy = new AccessPolicyEntry()
                     {

src/ResourceManager/KeyVault/Commands.KeyVault/Commands/RemoveAzureKeyVaultAccessPolicy.cs

@@ -87,7 +87,7 @@ public class RemoveAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Specifies the object ID of the user or service principal in Azure Active Directory for which to remove permissions.")]
         [ValidateNotNullOrEmpty()]
-        public Guid ObjectId { get; set; }
+        public string ObjectId { get; set; }
 
         /// <summary>
         /// Id of the application to which a user delegate to
@@ -117,7 +117,7 @@ public class RemoveAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         public SwitchParameter EnabledForDiskEncryption { get; set; }
 
         /// <summary>
-        /// 
+        ///
         /// </summary>
         [Parameter(Mandatory = false,
            HelpMessage = "This Cmdlet does not return an object by default. If this switch is specified, it returns the updated key vault object.")]
@@ -153,11 +153,16 @@ public override void ExecuteCmdlet()
                 if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
                     throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
 
+                if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId))
+                {
+                    throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidObjectIdSyntax);
+                }
+
                 // Update vault policies
                 var updatedPolicies = existingVault.AccessPolicies;
-                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != Guid.Empty))
+                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId))
                 {
-                    if (ObjectId == Guid.Empty)
+                    if (string.IsNullOrWhiteSpace(this.ObjectId))
                     {
                         ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
                     }
@@ -175,12 +180,12 @@ public override void ExecuteCmdlet()
                     WriteObject(updatedVault);
             }
         }
-        private bool ShallBeRemoved(PSKeyVaultModels.PSVaultAccessPolicy ap, Guid objectId, Guid? applicationId)
+        private bool ShallBeRemoved(PSKeyVaultModels.PSVaultAccessPolicy ap, string objectId, Guid? applicationId)
         {
-            // If both object id and application id are specified, remove the compound identity policy only.                    
-            // If only object id is specified, remove all policies refer to the object id including the compound identity policies.                                
-            return applicationId.HasValue ? (ap.ApplicationId == applicationId && ap.ObjectId == objectId) :
-                (ap.ObjectId == objectId);
+            // If both object id and application id are specified, remove the compound identity policy only.
+            // If only object id is specified, remove all policies refer to the object id including the compound identity policies.
+            var sameObjectId = string.Equals(ap.ObjectId, objectId, StringComparison.OrdinalIgnoreCase);
+            return applicationId.HasValue ? (ap.ApplicationId == applicationId && sameObjectId) : sameObjectId;
         }
     }
 }

src/ResourceManager/KeyVault/Commands.KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs

@@ -87,7 +87,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.")]
         [ValidateNotNullOrEmpty()]
-        public Guid ObjectId { get; set; }
+        public string ObjectId { get; set; }
 
         /// <summary>
         /// Id of the application to which a user delegate to
@@ -208,11 +208,16 @@ public override void ExecuteCmdlet()
                     throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
                 }
 
+                if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId))
+                {
+                    throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidObjectIdSyntax);
+                }
+
                 // Update vault policies
                 PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
-                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != Guid.Empty))
+                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId))
                 {
-                    Guid objId = this.ObjectId;
+                    var objId = this.ObjectId;
                     if (!this.BypassObjectIdValidation.IsPresent)
                     {
                         objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
@@ -226,7 +231,7 @@ public override void ExecuteCmdlet()
                         throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
                     else
                     {
-                        //Validate 
+                        //Validate
                         if (!IsMeaningfulPermissionSet(PermissionsToKeys))
                             throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
                         if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
@@ -237,7 +242,7 @@ public override void ExecuteCmdlet()
                         //Is there an existing policy for this policy identity?
                         var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));
 
-                        //New policy will have permission arrays that are either from cmdlet input 
+                        //New policy will have permission arrays that are either from cmdlet input
                         //or if that's null, then from the old policy for this object ID if one existed
                         var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
                             existingPolicy.PermissionsToKeys.ToArray() : null);
@@ -271,9 +276,9 @@ public override void ExecuteCmdlet()
             }
         }
 
-        private bool MatchVaultAccessPolicyIdentity(PSKeyVaultModels.PSVaultAccessPolicy ap, Guid objectId, Guid? applicationId)
+        private bool MatchVaultAccessPolicyIdentity(PSKeyVaultModels.PSVaultAccessPolicy ap, string objectId, Guid? applicationId)
         {
-            return ap.ApplicationId == applicationId && ap.ObjectId == objectId;
+            return ap.ApplicationId == applicationId && string.Equals(ap.ObjectId, objectId, StringComparison.OrdinalIgnoreCase);
         }
 
         private bool IsMeaningfulPermissionSet(string[] perms)