@SteinRustad-0675, Thank you for reaching out. Ideally, there is no way that you can add a service principal from one AAD tenant to another AAD tenant; instead, let me share something that you can try:
- In the AAD_App tenant, if the app registration for the web app is not multi-tenant, then change the app registration from a single-tenant app to a multi-tenant app.
- Once done, you can access this app from the other tenant, and once a user from the other tenant accesses it, this multi-tenant app's service principal gets registered in the other tenant, i.e. in AAD_Sub.
- Once you have the service principal of your web app available in the AAD_Sub tenant, you can add that service principal to the Key Vault's data plane under Access policies.
I can only think of this as a viable solution; other than this, ideally a Key Vault only accepts identities from its home tenant.
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
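The three steps in the answer above, as an added Azure CLI example that is not part of the original thread. It assumes placeholder app ids and vault names, that step 1 is run while logged in to AAD_App and steps 2 and 3 while logged in to AAD_Sub (`az login --tenant <AAD_Sub tenant id>`), and that the current Graph-based CLI returns the service principal's object id under the `id` property; the `AZ` indirection only exists so a stub can stand in for the real CLI.

```shell
#!/bin/sh
# Added example (not from the original answer). Runs the three steps above:
# (1) make the registration multi-tenant in AAD_App, (2) provision the service
# principal in AAD_Sub, (3) grant it a Key Vault access policy there.
# All ids and names are placeholders; the "id" property name returned by
# `az ad sp show` is an assumption about the current Graph-based CLI output.
set -eu

AZ="${AZ:-az}"   # indirection so a stub can replace the real CLI in tests

# A Key Vault access policy needs the *object id* of the service principal in
# AAD_Sub, not the application (client) id. Both are GUIDs, so at least enforce
# the shape before handing anything to az.
validate_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Step 1 (logged in to AAD_App): widen the sign-in audience so that users in
# other tenants can consent to the app.
make_app_multitenant() {
  validate_guid "$1" || { echo "not a GUID: $1" >&2; return 1; }
  "$AZ" ad app update --id "$1" --sign-in-audience AzureADMultipleOrgs
}

# Step 2 (logged in to AAD_Sub): create the service principal for the app id
# if it is not there yet, then print its object id in this tenant.
provision_sp_in_sub_tenant() {
  validate_guid "$1" || { echo "not a GUID: $1" >&2; return 1; }
  # If a user already consented, the SP exists and create fails; that is fine.
  "$AZ" ad sp create --id "$1" >/dev/null 2>&1 || true
  "$AZ" ad sp show --id "$1" --query id -o tsv
}

# Step 3 (still in AAD_Sub): least-privilege data-plane policy. Extend the
# permission list only if the web app really needs more than reading secrets.
grant_keyvault_access() {
  vault="$1"; sp_object_id="$2"
  validate_guid "$sp_object_id" || { echo "not a GUID: $sp_object_id" >&2; return 1; }
  "$AZ" keyvault set-policy --name "$vault" --object-id "$sp_object_id" \
    --secret-permissions get list
}

# Usage:
#   sh cross-tenant-kv.sh app <app-id>               (run in AAD_App)
#   sh cross-tenant-kv.sh sub <app-id> <vault-name>  (run in AAD_Sub)
if [ $# -ge 2 ]; then
  case "$1" in
    app) make_app_multitenant "$2" ;;
    sub) sp_id=$(provision_sp_in_sub_tenant "$2")
         grant_keyvault_access "${3:?vault name required}" "$sp_id" ;;
    *)   echo "unknown mode: $1" >&2; exit 2 ;;
  esac
fi
```

The GUID check does not stop you from pasting the application (client) id where the object id belongs, since both have the same shape; after step 2, compare the printed object id with what `az keyvault show` lists under the access policy to confirm the vault is bound to the AAD_Sub service principal and not to something else.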