KeyVault Secrets read access for guest users access packages

Kai Vermeegen 1 Reputation point
2020-10-30T16:38:39.89+00:00

Hey,

we're trying to set up a key vault in such a way that specific guest users in our Azure Active Directory can read the secrets in it. For that we set up an access package, which allows guests from a specific connected organization to be added to a group which has the required rights to the key vault. This works fine for members of our company in our AAD. As soon as a member of our company becomes a member of the group, the required access rights are granted. However, this does not work for guest users. Guest users can correctly join the group via the access package, but they cannot access the secrets in the key vault. Is there any way to grant read access to the key vault's secrets for the guest users?

Any help would be highly appreciated. Thanks!


2 answers

  1. JamesTran-MSFT 36,376 Reputation points Microsoft Employee
    2020-10-30T23:26:25.867+00:00

    @Kai Vermeegen
    Thank you for your question! I wasn't able to replicate your issue, since both my AzureAD and Guest user were able to see my Key Vault's secrets. However, are you able to provide the RBAC roles that you're assigning to the group and at what scope those RBAC roles apply, i.e. resource group, key vault, etc.? Any screenshots would be helpful as well so I can gain a better understanding of your issue.

    Findings:
    Trying to replicate your issue, I created a group called "KeyVaultAccess" and added a member and guest user to this group.

    I assigned reader rights to my Key Vault's resource group for the entire group.

    Finally I added an access policy to only allow for the group to have Secret Management rights.

    Note: Both users can see all my key vaults in the resource group because of the Reader RBAC assignment. However, since access to a key vault is controlled through two interfaces: the management plane (RBAC) and the data plane (access policies), both of my users can only execute secret operations because of the Secret Management permissions I assigned.

    I also found that you can use Azure Cloud Shell/CLI so that the Guest user can list secrets (without the Reader assignment).

    # Azure CLI: sign in to the tenant that owns the vault; a guest's default context is their home tenant
    az login --tenant "AzureAD Tenant ID"
    az keyvault secret list --vault-name "KVname"
    

    I hope this helps, if you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.
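A worked version of the setup described in this answer (group, Reader RBAC on the resource group, access policy on the vault, then a data-plane check as the guest). This is an added example, not code from the original answer. It uses the Az PowerShell module; the tenant ID, resource group, vault name and guest object ID are placeholder assumptions, and the group name "KeyVaultAccess" is taken from the answer. It narrows the policy to get/list on secrets instead of the full "Secret Management" template.

```powershell
# Added example (not from the original answer). Requires the Az PowerShell module and an
# administrator of the tenant that owns the vault. All values below are placeholders.
$TenantId      = "00000000-0000-0000-0000-000000000000"  # tenant that owns the vault (assumed)
$ResourceGroup = "rg-keyvault-demo"                        # assumed
$VaultName     = "kv-guest-demo"                           # assumed
$GuestObjectId = "11111111-1111-1111-1111-111111111111"  # the guest's object ID in THIS tenant (assumed)

Connect-AzAccount -Tenant $TenantId

# 1. The group the access package adds guests to (named after the answer's "KeyVaultAccess").
#    In production the access package adds members; the manual add here is only for the test.
$group = New-AzADGroup -DisplayName "KeyVaultAccess" -MailNickname "KeyVaultAccess"
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $GuestObjectId

# 2. Management plane (RBAC): Reader on the resource group, so the vault is visible in the
#    portal. Reader grants no access to secret values by itself.
#    A group created seconds ago may not be resolvable yet; re-run this line if it fails.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Reader" -ResourceGroupName $ResourceGroup

# 3. Data plane (access policy): only the secret operations the guests need. The
#    "Secret Management" template would also allow set/delete/backup/restore.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $group.Id -PermissionsToSecrets get,list

# Check: read the policy back and confirm the entry is direct (empty ApplicationId) and
# carries only get/list on secrets.
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $group.Id } |
    Select-Object ObjectId, ApplicationId, PermissionsToSecrets

# --- In a separate session, signed in as the guest user ---
# Sign in to the vault's tenant explicitly: a session bound to the guest's home tenant
# yields a token the vault rejects, even though the group membership is correct.
# No RBAC role is needed for this call; the access policy alone authorizes it.
Connect-AzAccount -Tenant $TenantId
Get-AzKeyVaultSecret -VaultName $VaultName | Select-Object Name
```

If the last call returns the secret names for the guest but the guest still gets 403 from an application, the difference is in how the application acquires its token (which tenant it signs the user in against, and which client it uses), not in the group or the policy.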


  2. JamesTran-MSFT 36,376 Reputation points Microsoft Employee
    2020-11-04T00:24:37.4+00:00

    @Kai Vermeegen
    Thank you for your time and patience throughout this issue. I was able to sync with our Key Vault SME this afternoon and will post our findings below.

    Findings:
    Based on your screenshots, we can see that you're using a direct policy for your Guest users group, which could be the reason why your guests are seeing a 403 error when they access the Key Vault through your app but everything works correctly when accessing from the Portal.

    "Compound Identity" is used to differentiate a "direct access policy" over a "On behalf of" (OBO) access policy.

    Next Steps:
    Can you try creating an OBO access policy for your Group and selecting your .NET application?

    If this doesn't resolve your issue, can you please email me with the info below so I can enable your subscription for a one-time free technical support request. This way our Key Vault team can take a closer look into your environment and answer any other questions you may have.

    Email: AzCommunity@microsoft.com
    Subject: ATTN - James Tran
    Body:
    Azure Subscription ID
    Link to this issue

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    For more information on different app permissions.
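The compound identity (OBO) policy this answer proposes, written out with the Az PowerShell module, plus an audit that tells direct entries apart from compound ones. This is an added example, not code from the original answer; the tenant ID, vault name, group object ID and application (client) ID are placeholder assumptions.

```powershell
# Added example (not from the original answer). All values below are placeholders.
$TenantId      = "00000000-0000-0000-0000-000000000000"  # tenant that owns the vault (assumed)
$VaultName     = "kv-guest-demo"                           # assumed
$GroupObjectId = "22222222-2222-2222-2222-222222222222"  # the access package's group (assumed)
$AppId         = "33333333-3333-3333-3333-333333333333"  # client ID of the .NET app (assumed)

Connect-AzAccount -Tenant $TenantId

# Compound identity: this entry only matches tokens that carry BOTH the object ID (the
# group membership) AND this application ID, i.e. a member signed in through that app,
# which is the "on behalf of" case. A direct entry (no -ApplicationId) is keyed on the
# object ID only.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ObjectId $GroupObjectId -ApplicationId $AppId -PermissionsToSecrets get,list

# Audit: list every entry on the vault and label it direct or compound, so a reviewer
# can see which apps were granted access on behalf of which principals and with what
# secret permissions.
$vault = Get-AzKeyVault -VaultName $VaultName
$vault.AccessPolicies | ForEach-Object {
    [pscustomobject]@{
        ObjectId = $_.ObjectId
        Kind     = if ($_.ApplicationId) { "compound (via app $($_.ApplicationId))" } else { "direct" }
        Secrets  = ($_.PermissionsToSecrets -join ',')
    }
} | Format-Table -AutoSize

# A caller's token must also be issued by the vault's own tenant. Compare this value with
# the authority (tenant) the application signs its guest users in against.
$vault.TenantId
```

The audit table is the quickest way to spot a policy that grants a user more through a specific app than they have directly, or an app entry left behind after the app was retired.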