 

Azure: How to fix "The policy requires the caller '...' to use on-behalf-of (OBO) flow" when accessing Key Vault from App Service?

I have an ASP.NET Core 3.1 application running in an Azure App Service. Having started using Azure Key Vault to store connection strings and other secrets for the app, the app is now crashing with an "HTTP Error 500.30 ANCM In-Process Start Failure" error page.

I've searched the Azure Portal up and down and finally managed to find something meaningful in the App Service's list of .NET Core Startup Failures (hidden under App Service > Diagnose and Solve Problems > Web App Down > View .NET Startup Failures):

    Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: The policy requires the caller
    'appid=<redacted>;oid=<redacted>;iss=https://sts.windows.net/<redacted>/' to use on-behalf-of (OBO)
    flow. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

I have no need for the on-behalf-of flow. I did originally define the Key Vault access policy to include both the app's oid and its appid by mistake. I have since remedied this by removing the access policy and recreating it without the appid.

My question is - Why am I still getting this error and how can I fix it?

Update: Below is the code that seems to be triggering this. Having disabled it, the app goes back to normal (albeit without Key Vault integration).

    // Runs inside ConfigureAppConfiguration((context, config) => { ... }) in Program.cs;
    // 'config' is the IConfigurationBuilder. Needs the packages Microsoft.Azure.KeyVault,
    // Microsoft.Azure.Services.AppAuthentication and Microsoft.Extensions.Configuration.AzureKeyVault
    // (and their 'using' directives).
    var builtConfig = config.Build();
    var vaultUrl = $"https://{builtConfig["KeyVaultName"]}.vault.azure.net/";
    // AzureServiceTokenProvider uses the App Service's managed identity when running in Azure
    // (and Visual Studio / Azure CLI credentials when running locally).
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            azureServiceTokenProvider.KeyVaultTokenCallback));
    config.AddAzureKeyVault(
        vaultUrl,
        keyVaultClient,
        new DefaultKeyVaultSecretManager());
urig asked Oct 05 '20 19:10

1 Answer

When you add an access policy, you can only select the service principal by its object id.

As you described, you removed the appid; make sure that you have clicked the Save button to save your operation.

You can grant data plane access by setting Key Vault access policies for a key vault. To set these access policies, a user, group, or application must have Contributor permissions for the management plane for that key vault.

For more details, you can refer to this article.

Joey Cai answered Oct 08 '22 18:10
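The point behind the answer above is that an access policy entry carrying an applicationId next to the objectId is a compound identity: Key Vault then accepts only tokens obtained through the on-behalf-of flow for that caller, which is exactly the error quoted in the question, while a managed identity or plain service principal must be granted by objectId alone. The following script is an added example, not code from the question, the answer, or Microsoft: it audits the accessPolicies array in the shape returned by `az keyvault show -o json` (a constructed sample with placeholder GUIDs is embedded), matches it against the `appid=...;oid=...` caller string from the exception, and emits the Azure CLI commands that remove the compound entry and grant the objectId-only policy. The commands are produced as strings only; the script never calls `az`. Passing `--application-id` to `az keyvault delete-policy` so that only the compound entry is matched is an assumption to confirm against `az keyvault delete-policy --help` on your CLI version.

```python
import json

# Constructed sample shaped like `az keyvault show --name contoso-kv -o json`,
# reduced to the fields this check needs. All GUIDs are made-up placeholders.
SAMPLE_VAULT_JSON = """
{
  "name": "contoso-kv",
  "properties": {
    "tenantId": "33333333-3333-3333-3333-333333333333",
    "accessPolicies": [
      {
        "applicationId": "11111111-1111-1111-1111-111111111111",
        "objectId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}
      },
      {
        "applicationId": null,
        "objectId": "44444444-4444-4444-4444-444444444444",
        "permissions": {"secrets": ["get"], "keys": [], "certificates": []}
      }
    ]
  }
}
"""

# Constructed caller string in the form quoted by KeyVaultErrorException; it
# matches the compound (appid + oid) entry above.
SAMPLE_ERROR_CALLER = (
    "appid=11111111-1111-1111-1111-111111111111;"
    "oid=22222222-2222-2222-2222-222222222222;"
    "iss=https://sts.windows.net/33333333-3333-3333-3333-333333333333/"
)


def load_sample():
    """Parse the embedded sample vault description."""
    return json.loads(SAMPLE_VAULT_JSON)


def parse_caller(caller):
    """Turn 'appid=...;oid=...;iss=...' from the error text into a dict."""
    out = {}
    for part in caller.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def compound_policies(vault):
    """Entries with an applicationId set: Key Vault treats these as compound
    identities and only honours on-behalf-of tokens for them."""
    return [p for p in vault["properties"]["accessPolicies"] if p.get("applicationId")]


def diagnose(vault, caller):
    """Classify the caller from the error against the vault's policies and
    return the az CLI commands (as strings, never executed here) that fix it."""
    oid = parse_caller(caller)["oid"].lower()
    name = vault["name"]
    mine = [p for p in vault["properties"]["accessPolicies"]
            if p["objectId"].lower() == oid]
    compound = [p for p in mine if p.get("applicationId")]
    plain = [p for p in mine if not p.get("applicationId")]

    fix = []
    for p in compound:
        # Remove the compound entry; --application-id is passed so that only
        # that entry is matched (assumed CLI behaviour, see lead-in).
        fix.append(f"az keyvault delete-policy --name {name} --object-id {oid} "
                   f"--application-id {p['applicationId']}")
    if not plain:
        # Re-grant by objectId only, keeping the secret permissions the
        # compound entry had; "get list" is an assumed default otherwise.
        perms = compound[0]["permissions"]["secrets"] if compound else ["get", "list"]
        fix.append(f"az keyvault set-policy --name {name} --object-id {oid} "
                   f"--secret-permissions {' '.join(perms)}")

    if compound and not plain:
        status = "compound_identity"   # the OBO error from the question
    elif not mine:
        status = "no_policy"           # no entry for this oid at all
    elif compound:
        status = "stale_compound"      # correct entry exists; drop the compound one
    else:
        status = "ok"
    return {"status": status, "objectId": oid, "fix": fix}


if __name__ == "__main__":
    print(json.dumps(diagnose(load_sample(), SAMPLE_ERROR_CALLER), indent=2))
```

To run it against a real vault, replace the sample with the output of `az keyvault show --name <vault> -o json` and paste the caller string from your own exception; the `stale_compound` status covers the situation in the question where a corrected objectId-only entry was added but the compound one may still be present if the change was never saved.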