How do I allow a partner organization, outside our subscription, access to our keyvault so that they can host a webapp to our Domain

Adam Hinkle 1 Reputation point
2022-09-27T16:57:13.683+00:00

I'm still pretty new to cloud services so forgive me if I am missing some understanding, but here is my situation.

Our organization uses a custom domain name to provide multiple web apps (e.g. https://app1.our-domain.com).

We have our certificates, which allow our web apps to host on this domain. But now we are partnering with an outside organization, who is not part of our Azure subscription, but will be deploying their app service on their own Azure subscription.

Rather than sending them their own copy of our certificate (and then needing to keep sending new ones in the future), we want to allow this partner organization to access our key vault, so that their web app can use our certificates and host on our domain name.

Here is what I have researched so far about possible solutions:

  1. User Managed Identities can be used to allow access into our key vault from outside of our Azure subscription. Although this did work for me with some C# code, I was not able to bridge the gap toward being able to deploy the web app with it linked to our key vault. Is this a viable option? If so, how can we use that managed identity's permissions to deploy their app to our domain?
  2. Inviting one of their users as an external guest into our subscription and then granting that account key vault access. When attempting something like this on my non-work account, I noticed that I could access my work organization's key vault through the CLI, but in the Azure portal I cannot find any references to it. Is it possible to deploy their app service with a link to our key vault if we externally invite their DevOps engineer's account and grant it access to our key vault? If so, are there additional steps which need to be taken like
  3. Also found Azure Private Link, using Azure virtual networks, which looks like it may fit my needs: https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal

Can anyone please provide some guidance on the best way to accomplish this goal?


1 answer

  1. 2022-09-30T22:49:01.017+00:00

    Hello @Adam Hinkle and thanks for reaching out. In order to manage key vaults at the control (management) plane, you need to authorize the principal (user or application) through Azure RBAC, regardless of them being local or external users. You don't need the principal to be tied to the same Azure subscription. To provide data plane (secrets, keys, certs, etc.) access to a web app deployed in Azure App Services, you can use a managed identity if the application is hosted/deployed in the same tenant, or a standard service principal (application authentication) if the web app is deployed in another tenant, and assign a key vault access policy.

    Private Link provides an optimized and secured (private) connection to your key vaults, but you still need to configure data plane access.

    For more information, please take a look at Key Vault authentication options and Access model overview.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

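The cross-tenant case from the accepted answer, as an added example that is not code from the thread: a partner web app running in its own subscription authenticates to our Key Vault with a standard service principal (application authentication) and downloads the TLS certificate. It assumes the service principal exists in the vault owner's tenant, that its access policy grants only `get` on certificates and secrets for this one vault, and that the tenant ID, client ID, client secret and vault URI are supplied through the hypothetical environment variables named in the code.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

public static class PartnerCertificateLoader
{
    public static async Task<X509Certificate2> LoadAsync()
    {
        // Settings handed to the partner by the vault owner (hypothetical variable names).
        // The tenant ID is the VAULT OWNER's tenant, not the partner's: Key Vault only
        // accepts tokens issued by the tenant the vault belongs to, even though the
        // web app itself runs in another tenant and subscription.
        string vaultOwnerTenantId = Require("KV_OWNER_TENANT_ID");
        string clientId = Require("KV_CLIENT_ID");
        string clientSecret = Require("KV_CLIENT_SECRET");
        var vaultUri = new Uri(Require("KV_URI"));   // e.g. https://<vault-name>.vault.azure.net/
        string certificateName = "app1-our-domain-com"; // constructed placeholder name

        var credential = new ClientSecretCredential(vaultOwnerTenantId, clientId, clientSecret);
        var client = new CertificateClient(vaultUri, credential);

        try
        {
            // DownloadCertificate reads the certificate and the secret backing it (the PFX/PEM
            // with the private key), so the access policy needs certificates/get and
            // secrets/get on this vault; no list, create or management-plane rights.
            X509Certificate2 cert = await client.DownloadCertificateAsync(certificateName);
            return cert;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The token was valid but the data plane policy does not cover this principal
            // or operation. Only the vault owner can fix that; the partner cannot self-grant.
            throw new InvalidOperationException("Key Vault access policy denies this service principal.", ex);
        }
        catch (AuthenticationFailedException ex)
        {
            // Wrong tenant ID, wrong client ID or an expired client secret: the policy is not at fault.
            throw new InvalidOperationException("Could not obtain a token from the vault owner's tenant.", ex);
        }
    }

    private static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Missing setting {name}.");
}
```

Rotating the certificate in the vault then only requires the partner to restart or re-read; no new copy has to be sent, and revoking the partner's access is a single access-policy change on our side.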