SteinRustad-0675 asked JoonHo-3359 commented

Create KeyVault access policy for application in another Azure Active Directory

Scenario:
I have a single Azure Subscription, linked to an instance of Azure Active Directory, AAD_Sub.
In that subscription I have a single KeyVault.
In another Azure Active Directory, AAD_App, I have an application registration for a web app; this application registration has client credentials associated with it (a certificate).

What I want:
I want the application in AAD_App to be given access to the KeyVault in AAD_Sub in the data plane.

What I have tried:
In the Azure Portal, I can only assign access to service principals that already exist in AAD_Sub.
In ARM, it seems like I can specify tenantId and objectId, but I am not getting this to work.

My theory is that I can create a service principal in AAD_Sub linked to the application registration in AAD_App, and give that access, but I do not know how.
And I do not know if this type of scenario is even supported; all examples I have seen assume that KeyVault and app are in the same AAD.

Any guidance much appreciated.


soumi-MSFT answered JoonHo-3359 commented

@SteinRustad-0675, thank you for reaching out. Ideally, there is no way that you can add a service principal from one AAD tenant to another AAD tenant; instead, let me share something that you can try:

In the AAD_App tenant, if the app registration for the web app is not multitenant, then change the app registration from a single-tenant app to a multitenant app.

Once done, you can access this app from the other tenant, and once a user from the other tenant accesses it, this multitenant app's service principal gets registered in the other tenant, i.e. in AAD_Sub.

Once you have the service principal of your web app available in the AAD_Sub tenant, then you can add that service principal to the Key Vault's Data Plane under the Access policies.

I can only think of this as a viable solution; other than this, ideally a Key Vault only accepts identities from its home tenant.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


@SteinRustad-0675, I wanted to follow up and understand if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

@soumi-MSFT Hi, I have the exact same scenario, where I have a service principal in one tenant that requires Key Vault data access, and the Key Vault lives in a different tenant.

I tried to enable multi-tenant as described above, but I still cannot see the service principal when trying to create the Key Vault access policy.

Is there something else I might be missing?

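The procedure from soumi-MSFT's answer, plus the situation in the follow-up comment (multi-tenant enabled but the service principal still not visible in AAD_Sub), written as an Az PowerShell script; this is an added example, not code from the thread or from Microsoft. It assumes you are signed in to AAD_Sub with rights to create service principals and to edit the vault's access policies; the placeholder values, the use of New-AzADServicePrincipal to provision the service principal instead of waiting for a user sign-in, and the Get/List secret permissions are assumptions.

```powershell
# Added example, not from the thread. Run while signed in to AAD_Sub (the Key Vault's
# home tenant). Replace the placeholders with your own values.
$AppIdFromAadApp = '<application (client) ID of the multi-tenant app registered in AAD_App>'
$VaultName       = '<key vault name in AAD_Sub>'
$SubTenantId     = (Get-AzContext).Tenant.Id    # must be AAD_Sub's tenant ID

# 1. Provision the foreign app's service principal in AAD_Sub. This is the object the
#    vault can see; it is created only if the app registration in AAD_App is multi-tenant,
#    otherwise Azure AD refuses and a local app registration in AAD_Sub is the fallback.
#    Doing it explicitly here avoids waiting for a user from AAD_Sub to sign in to the app.
$sp = Get-AzADServicePrincipal -ApplicationId $AppIdFromAadApp -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-AzADServicePrincipal -ApplicationId $AppIdFromAadApp
}

# 2. Grant data-plane access to that local service principal. Note the object ID is the
#    service principal's ID in AAD_Sub, not the object ID of the registration in AAD_App;
#    using the wrong one is why an ARM access policy with tenantId/objectId silently
#    never matches the caller. Permissions here are kept to the minimum assumed (Get, List).
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ObjectId $sp.Id `
    -PermissionsToSecrets Get, List

# 3. Verify: the resulting policy entry must carry AAD_Sub's tenant ID and the local
#    service principal's object ID. The app must then request its Key Vault token from
#    AAD_Sub's tenant endpoint (using the certificate issued in AAD_App), because the
#    vault only accepts tokens whose tenant claim matches its own tenant.
$policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy -or $policy.TenantId -ne $SubTenantId) {
    throw "Expected an access policy for $($sp.Id) with tenantId $SubTenantId in vault $VaultName"
}
Write-Output "Service principal $($sp.Id) granted Get/List on secrets in $VaultName"
```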
SteinRustad-0675 answered

Hi, and thank you for your answer.

Changing to multi-tenant does fix the issue; however, for other reasons, I cannot do that.

So the solution for now is to create a new application registration in AAD_Sub, and use that to authenticate with Key Vault.
