Create KeyVault access policy for application in another Azure Active Directory

Kanduri hemanth 1 Reputation point
2022-11-28T09:48:58.63+00:00

Scenario:
I have a single Azure Subscription, linked to an instance of Azure Active Directory, AAD_Sub.
In that subscription, I have a single KeyVault.
In another Azure Active Directory, AAD_App, I have an application registration for a web app; this application registration has client credentials associated with it (a certificate).

What I want:
I want the application in AAD_App to be given access to the KeyVault in AAD_Sub in the data plane.

What I have tried:

I have created a multi-tenant app registration and tried to grant access to the web app's ID in the key vault's access policies. But the key vault still can't recognize the object ID of the web app, which is in a different tenant.

Azure Key Vault

1 answer

  1. Sam Cogan 10,342 Reputation points MVP
    2022-11-28T10:09:03.877+00:00

    Access to Key Vault can only be granted to identities that are in the same AAD tenant as the Key Vault, so you will not be able to do what you want.
    An alternative is to create a service principal in the Key Vault tenant and provide the credentials of this to the web app, for it to then use these to log in to Key Vault.

    2 people found this answer helpful.
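The following is an added example illustrating the alternative the answer describes; it is not code from the question, the answer, or any Microsoft sample. It assumes the Az PowerShell module (Az.Accounts, Az.Resources, Az.KeyVault) and uses placeholder values for the tenant ID, vault name, certificate path and thumbprint. Two details matter for it to work: the vault can only resolve object IDs of principals that exist in its own tenant (AAD_Sub), so the service principal must be created there, and the web app must request its token from AAD_Sub's endpoint (the `-Tenant` value at login), not from its home tenant AAD_App. Reusing the public half of the web app's existing certificate as the new principal's credential avoids having to generate and ship a client secret.

```powershell
# Added example (not code from the question or the answer). Walks through the
# alternative the answer describes: an administrator of the Key Vault tenant
# (AAD_Sub) creates a service principal there, grants it data-plane access, and
# the web app then logs in *against AAD_Sub* with that principal's credential.
# Requires the Az PowerShell module (Az.Accounts, Az.Resources, Az.KeyVault).
# Every ID, name, path and thumbprint below is an assumed placeholder.

$kvTenantId = '11111111-2222-3333-4444-555555555555'   # assumed: tenant ID of AAD_Sub (owns the vault)
$vaultName  = 'contoso-app-kv'                          # assumed: name of the single Key Vault
$certPath   = 'C:\certs\webapp-kv-client.cer'           # assumed: public half of the web app's existing cert

# ---- Part 1: run by an administrator of AAD_Sub -------------------------------
Connect-AzAccount -Tenant $kvTenantId

# Register the web app's existing certificate as the credential of a NEW service
# principal that lives in AAD_Sub. Reusing the cert means no client secret has
# to be generated here and copied into the web app's configuration.
# Caveat: Az.Resources older than 5.x also assigned Contributor on the whole
# subscription by default; on those versions add -SkipAssignment.
$certValue = [Convert]::ToBase64String([IO.File]::ReadAllBytes($certPath))
$sp = New-AzADServicePrincipal -DisplayName 'webapp-keyvault-reader' `
                               -CertValue $certValue `
                               -EndDate (Get-Date).AddYears(1)

# $sp.Id is an object ID in AAD_Sub, which is what the vault can resolve; the
# object ID of the app registration in AAD_App means nothing to this vault.
$vault = Get-AzKeyVault -VaultName $vaultName

if ($vault.EnableRbacAuthorization) {
    # RBAC-enabled vault: least-privilege data-plane role, scoped to this vault only.
    New-AzRoleAssignment -ObjectId $sp.Id `
                         -RoleDefinitionName 'Key Vault Secrets User' `
                         -Scope $vault.ResourceId
} else {
    # Access-policy vault: grant only the secret permissions the app needs.
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets Get, List
}

# Check: the principal is resolvable in this tenant and the grant landed.
Get-AzADServicePrincipal -ObjectId $sp.Id | Select-Object DisplayName, Id, AppId
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

# Hand these two values to the web app's owners; no secret changes hands.
"AppId (client ID) in AAD_Sub: $($sp.AppId)"
"Tenant to authenticate against: $kvTenantId"

# ---- Part 2: what the web app does at runtime --------------------------------
# The token must be issued by AAD_Sub, so -Tenant is the Key Vault tenant, NOT
# the app's home tenant (AAD_App). The thumbprint refers to the same certificate,
# with its private key, in the app's certificate store (assumed value).
Disconnect-AzAccount
Connect-AzAccount -ServicePrincipal `
                  -ApplicationId $sp.AppId `
                  -Tenant $kvTenantId `
                  -CertificateThumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'

# The data-plane call succeeds only because the token's issuer is the vault's
# tenant and the caller's object ID matches the grant made above.
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'db-connection-string' -AsPlainText
```

If the login in Part 2 is run with the AAD_App tenant ID instead, the token is issued by the wrong tenant and Key Vault returns a 403 even though the certificate is valid, which is the same symptom the question describes for the multi-tenant registration.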