Hi,
Have you tried creating a Custom Role and assigning it to your Apps?
Below is sample JSON to get you started (substitute your subscription ID):
```json
{
  "properties": {
    "roleName": "Key Vault Certificates User",
    "description": "Read certificates. Only works for key vaults that use the 'Azure role-based access control' permission model.",
    "assignableScopes": [
      "/subscriptions/11111111-1111-1111-1111-111111111111",
      "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/*"
    ],
    "permissions": [
      {
        "actions": [],
        "notActions": [],
        "dataActions": [
          "Microsoft.KeyVault/vaults/certificates/read",
          "Microsoft.KeyVault/vaults/certificatecas/read"
        ],
        "notDataActions": []
      }
    ]
  }
}
```
It is likely that the above permissions are insufficient, so you should test, add more, test again, and repeat until it is correct.
Create or update Azure custom roles using the Azure portal
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal
Please click Accept Answer if the above was useful.
Thanks.
-TP
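As an added example (not part of the answer above or any Microsoft sample), the following script builds the same role definition for a given subscription ID, checks that it stays a data-plane, Key Vault only, single-subscription role before you apply it, and prints the Azure CLI commands that would create the role and assign it to an app's identity. It runs offline; the role file name, the `<app-object-id>` and the vault scope are placeholders you substitute.

```python
import json

ROLE_NAME = "Key Vault Certificates User"
DATA_ACTIONS = [
    "Microsoft.KeyVault/vaults/certificates/read",
    "Microsoft.KeyVault/vaults/certificatecas/read",
]

def build_role_definition(subscription_id):
    """Role definition from the answer above with the subscription ID substituted."""
    sub = f"/subscriptions/{subscription_id}"
    return {"properties": {
        "roleName": ROLE_NAME,
        "description": "Read certificates. Only works for key vaults that use the 'Azure role-based access control' permission model.",
        "assignableScopes": [sub, f"{sub}/resourceGroups/*"],
        "permissions": [{"actions": [], "notActions": [],
                         "dataActions": list(DATA_ACTIONS), "notDataActions": []}],
    }}

def check_least_privilege(role, subscription_id):
    """Return findings that would widen the role beyond 'read certificates'."""
    findings, props = [], role["properties"]
    for perm in props["permissions"]:
        if perm["actions"]:  # control-plane rights are not needed for data-plane reads
            findings.append(f"control-plane actions present: {perm['actions']}")
        for action in perm["dataActions"]:
            if "*" in action:
                findings.append(f"wildcard data action: {action}")
            elif not action.startswith("Microsoft.KeyVault/vaults/"):
                findings.append(f"data action outside Key Vault: {action}")
    for scope in props["assignableScopes"]:
        if not scope.startswith(f"/subscriptions/{subscription_id}"):
            findings.append(f"scope outside the intended subscription: {scope}")
    return findings

def az_commands(principal_id, vault_scope, role_file="keyvault-certs-user.json"):
    """Azure CLI commands to create the role from a JSON file and assign it to the app's identity at vault scope."""
    return [
        f"az role definition create --role-definition @{role_file}",
        f"az role assignment create --assignee-object-id {principal_id} "
        f"--assignee-principal-type ServicePrincipal --role '{ROLE_NAME}' --scope {vault_scope}",
    ]

if __name__ == "__main__":  # constructed placeholder IDs; substitute your own values
    sub_id = "11111111-1111-1111-1111-111111111111"
    role = build_role_definition(sub_id)
    print(json.dumps(role, indent=2), check_least_privilege(role, sub_id) or "no findings")
    print(*az_commands("<app-object-id>", f"/subscriptions/{sub_id}/resourceGroups/<rg>"
                       "/providers/Microsoft.KeyVault/vaults/<vault>"), sep="\n")
```

Save the printed JSON to the role file before running the first command; assigning at vault scope rather than subscription scope keeps the grant to the one vault the app reads from.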