Add new parameter BypassObjectIdValidation for Set-AzureRmKeyVaultAccessPolicy to support CSP

Author: jasonxdhu

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1

@@ -278,14 +278,22 @@ function Test-SetRemoveAccessPolicyBySPN
 
 function Test-SetRemoveAccessPolicyByObjectId
 {
-    Param($existingVaultName, $rgName, $objId)
+    Param($existingVaultName, $rgName, $objId, [switch]$bypassObjectIdValidation)
 
     $PermToKeys = @("encrypt", "decrypt")
     $PermToSecrets = @()
-    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
+
+    $vault;
+	if ($bypassObjectIdValidation.IsPresent)
+	{
+        $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -BypassObjectIdValidation -PassThru
+	}
+	else
+	{
+        $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
+	}
 
     CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
-    
     Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
 
     $vault = Remove-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PassThru

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/RunKeyVaultTests.ps1

@@ -129,6 +129,7 @@ function Run-AllControlPlaneTests
         Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByUPN } "Test_SetRemoveAccessPolicyByUPN" } "Test_SetRemoveAccessPolicyByUPN"
         Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyBySPN } "Test_SetRemoveAccessPolicyBySPN" } "Test_SetRemoveAccessPolicyBySPN"
         Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByObjectId } "Test_SetRemoveAccessPolicyByObjectId" } "Test_SetRemoveAccessPolicyByObjectId"
+		Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByBypassObjectIdValidation } "Test_SetRemoveAccessPolicyByBypassObjectIdValidation" } "Test_SetRemoveAccessPolicyByBypassObjectIdValidation"
         Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByCompoundId } "Test_SetRemoveAccessPolicyByCompoundId" } "Test_SetRemoveAccessPolicyByCompoundId"
         Run-TestProtected { Run-VaultTest { Test_RemoveAccessPolicyWithCompoundIdPolicies } "Test_RemoveAccessPolicyWithCompoundIdPolicies" } "Test_RemoveAccessPolicyWithCompoundIdPolicies"
         Run-TestProtected { Run-VaultTest { Test_SetCompoundIdAccessPolicy } "Test_SetCompoundIdAccessPolicy" } "Test_SetCompoundIdAccessPolicy"

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultManagementTests.ps1

@@ -135,6 +135,12 @@ function Test_SetRemoveAccessPolicyByObjectId
     Test-SetRemoveAccessPolicyByObjectId $global:precreatedVaultName $global:resourceGroupName $global:objectId
 }
 
+function Test_SetRemoveAccessPolicyByBypassObjectIdValidation
+{
+    $securityGroupObjIdFromOtherTenant = [System.Guid]::NewGuid().toString()
+    Reset-PreCreatedVault
+    Test-SetRemoveAccessPolicyByObjectId $global:precreatedVaultName $global:resourceGroupName $securityGroupObjIdFromOtherTenant -bypassObjectIdValidation
+}
 
 function Test_SetRemoveAccessPolicyByCompoundId
 {

src/ResourceManager/KeyVault/Commands.KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs

@@ -150,6 +150,15 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
             HelpMessage = "If specified, enables secrets to be retrieved from this key vault by Azure Disk Encryption.")]
         public SwitchParameter EnabledForDiskEncryption { get; set; }
 
+        /// <summary>
+        /// Flag for bypassing object ID validation or not
+        /// </summary>
+        [Parameter(Mandatory = false,
+            ParameterSetName = ByObjectId,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies whether the object ID needs to be validated or not.")]
+        public SwitchParameter BypassObjectIdValidation { get; set; }
+
         [Parameter(Mandatory = false,
            HelpMessage = "This Cmdlet does not return an object by default. If this switch is specified, it returns the updated key vault object.")]
         public SwitchParameter PassThru { get; set; }
@@ -181,7 +190,11 @@ public override void ExecuteCmdlet()
             PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
             if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != Guid.Empty))
             {
-                Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
+                Guid objId = this.ObjectId;
+                if (!this.BypassObjectIdValidation.IsPresent)
+                {
+                    objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
+                }
 
                 if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
                     throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);