Share via

Create KeyVault access policy for application in another Azure Active Directory

Kanduri hemanth 1 Reputation point
2022-11-28T09:48:58.63+00:00

Scenario:
I have a single Azure Subscription, linked to an instance of Azure Active Directory, AAD_Sub.
In that subscription, I have a single KeyVault.
In another Azure Active Directory, AAD_App, I have an application registration for a web app, this application registration has client credentials associated with it (certificate).

What I want:
I want the application in AAD_App to be given access to the KeyVault in AAD_Sub in the data plane.

What I have tried:

I have created a multitenancy app registration and tried to provide access to the web app id on the key vault access policies. But still, the key vault cant recognize the object ID of the web app which is in a different tenant.

Azure Key Vault
Azure Key Vault

An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sam Cogan 10,867 Reputation points Microsoft Employee
    2022-11-28T10:09:03.877+00:00

    Access to Key Vault can only be granted to identities that are in the same AAD tenant as the Key Vault, so you will not be able to do what you want.
    An alternative is to create a service principal in the Key Vault tenant and provide the credentials of this to the web app, for it to then use these to login to Key Vault.

    Was this answer helpful?

    2 people found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.