Create KeyVault access policy for application in another Azure Active Directory

Stein Rustad 21 Reputation points
2020-06-16T10:01:21.113+00:00

Scenario:
I have a single Azure Subscription, linked to an instance of Azure Active Directory, AAD_Sub.
In that subscription I have a single KeyVault.
In another Azure Active Directory, AAD_App, I have an application registration for a web app; this application registration has client credentials associated with it (certificate).

What I want:
I want the application in AAD_App to be given access to the KeyVault in AAD_Sub in the data plane.

What I have tried:
In the Azure Portal, I can only assign access to service principals that already exist in AAD_Sub.
In ARM, it seems like I can specify tenantId and objectId, but I am not getting this to work.

My theory is that I can create a service principal in AAD_Sub linked to the application registration in AAD_App, and give that access, but I do not know how.
And I do not know if this type of scenario is even supported, all examples I have seen assume that KeyVault and app are in the same AAD.

Any guidance much appreciated.


Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-06-16T12:51:21.973+00:00

    @SteinRustad-0675, Thank you for reaching out. Ideally there is no way that you can add a service principal from one AAD tenant to another AAD tenant; instead, let me share something that you can try:

    1. In AAD_App tenant, if the app registration for the web app is not multitenant then change the app registration to a multitenant app from single tenant app.
    2. Once done, you can access this app from the other tenant, and once a user from the other tenant accesses it, this multitenant app's service principal gets registered in the other tenant, i.e. in AAD_Sub.
    3. Once you have the service principal of your web app available in AAD_Sub tenant, then you can add that service principal to the Key Vault's Data Plane under the Access policies.

    I can only think of this as a viable solution; other than this, ideally a Key Vault only accepts identities from its home tenant.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
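The three steps above, written out with Azure PowerShell as an added example (not code from the thread or from Microsoft). It assumes placeholder values for the two tenant ids, the web app's application (client) id and the vault name, the Az.Resources and Az.KeyVault modules, and that the vault uses the access-policy permission model; the point it makes explicit is that the access policy needs the object id of the service principal that lives in AAD_Sub, not the app registration's object id in AAD_App.

```powershell
# Added example; placeholder values are assumptions, replace them with your own.
$appTenantId = '<AAD_App tenant id>'
$subTenantId = '<AAD_Sub tenant id>'
$appId       = '<application (client) id of the web app registration in AAD_App>'
$vaultName   = '<Key Vault name in AAD_Sub>'

# Step 1, in AAD_App: make the registration multitenant so that another
# tenant is allowed to create a service principal for it.
Connect-AzAccount -Tenant $appTenantId
Update-AzADApplication -ApplicationId $appId -SignInAudience 'AzureADMultipleOrgs'

# Step 2, in AAD_Sub: provision the service principal for the foreign app in
# the vault's home tenant. This is the admin-side equivalent of a user from
# AAD_Sub signing in to the app; reuse the principal if it already exists.
Connect-AzAccount -Tenant $subTenantId
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) {
    $sp = New-AzADServicePrincipal -ApplicationId $appId
}

# Step 3: grant data-plane access with the AAD_Sub service principal's object
# id ($sp.Id). The app registration's object id from AAD_App is unknown to
# this tenant, which is why the vault cannot resolve it in an access policy.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id `
    -PermissionsToSecrets get, list

# Check: the policy entry should show the AAD_Sub tenant id and $sp.Id.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object ObjectId -eq $sp.Id |
    Select-Object TenantId, ObjectId, PermissionsToSecrets
```

Grant only the permissions the app needs (here secrets get/list); the account running step 2 needs rights to create service principals in AAD_Sub, and step 3 needs rights on the vault's access policies.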


2 additional answers

  1. Stein Rustad 21 Reputation points
    2020-06-18T12:08:32.16+00:00

    Hi, and thank you for your answer.

    Changing to multi-tenant does fix the issue, however, for other reasons, I cannot do that.

    So the solution for now is to create a new application registration in AAD_Sub, and use that to authenticate with key vault.


  2. Kanduri hemanth 1 Reputation point
    2022-11-28T08:52:57.07+00:00

    @soumi-MSFT Currently even I have the same scenario, where I need to connect an Azure web app in TenantA with a key vault in TenantB. As you suggested above, I have created a multitenant app registration and tried to provide access to the web app id on the key vault access policies. But still, the key vault can't recognize the object ID of the web app which is in a different tenant. Could you please help?
