How to setup Service Endpoint for Azure Key Vault across Entra Tenants?

Gerald Prendi 0 Reputation points
2024-08-26T12:28:39.15+00:00

In the Virtual Networks FAQ it is stated that the Service Endpoint for Azure Storage and Azure KeyVault can be setup cross-tenant:

Can I turn on virtual network service endpoints and set up virtual network ACLs if the virtual network and the Azure service resources belong to different Microsoft Entra tenants?

Yes, it's possible when you're using service endpoints for Azure Storage and Azure Key Vault. For other services, virtual network service endpoints and virtual network ACLs are not supported across Microsoft Entra tenants.

Besides this piece of information, I couldn't find any other guide that could help me set up the key vault and use a service endpoint from another tenant. Is this still supported or was it replaced by Private Link Service? Could you share the right documentation if otherwise?

Thank you in advance!


1 answer

  1. Sina Salam 9,571 Reputation points
    2024-08-26T14:26:36.26+00:00

    Hello Gerald Prendi,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you need more clarity and guides on how to set up cross-tenant configuration for Azure Storage Service Endpoint for Azure Key Vault across Entra Tenants.

    Yes, it is possible to set up virtual network service endpoints and virtual network ACLs across different Microsoft Azure tenants specifically for Azure Storage and Azure Key Vault, but for other services that are not mentioned in the FAQ, cross-tenant virtual network service endpoints and ACLs are not supported. https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account

    Secondly, the Private Link Service concept is different from cross-tenant configuration. It allows you to access services privately over a private IP address within a virtual network and enhances security by keeping traffic within a virtual network, but it doesn't necessarily involve multiple tenants, nor does it directly address cross-tenant scenarios. https://docs.microsoft.com/en-us/azure/private-link/private-link-overview and https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview

    Lastly, for more documentation and guides, kindly use the links below:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

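The cross-tenant setup the question asks about, written out as an added Azure CLI example (not code from the question, the answer, or Microsoft's docs). It assumes two separate sessions: one logged in to the tenant that owns the virtual network, one logged in to the tenant that owns the vault; all tenant, subscription, resource group, vault and subnet names are placeholders, and the vault-side command assumes the CLI passes a foreign-tenant subnet ID through unchanged, as the FAQ quoted above implies it can.

```bash
#!/usr/bin/env bash
# Added example: Key Vault service endpoint across two Entra tenants.
# Placeholder values throughout; run each step in the tenant named in its comment.
set -eu

# Build a subnet resource ID from its parts (the vault tenant can only
# reference a subnet in another tenant by full ID, never by name).
subnet_resource_id() {   # args: subscription rg vnet subnet
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Guard: refuse anything that is not a full subnet resource ID, so a bare
# subnet name is never silently looked up in the wrong tenant.
is_subnet_resource_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$'
}

# Step 1 (VNet tenant): turn on the Microsoft.KeyVault service endpoint on
# the subnet; without it the vault rejects the rule as unusable.
enable_keyvault_endpoint() {   # args: subscription rg vnet subnet
  az account set --subscription "$1"
  az network vnet subnet update --resource-group "$2" --vnet-name "$3" --name "$4" \
    --service-endpoints Microsoft.KeyVault >/dev/null
}

# Step 2 (vault tenant): allow the remote subnet, then close the default
# path so only listed networks (plus trusted Azure services) reach the vault.
allow_subnet_on_vault() {      # args: subscription rg vault subnet-id
  is_subnet_resource_id "$4" || { echo "refusing: not a full subnet resource ID: $4" >&2; return 1; }
  az account set --subscription "$1"
  az keyvault network-rule add --resource-group "$2" --name "$3" --subnet "$4" >/dev/null
  az keyvault update --resource-group "$2" --name "$3" \
    --default-action Deny --bypass AzureServices >/dev/null
  # Verify: the listed rules should now contain exactly the remote subnet ID.
  az keyvault network-rule list --resource-group "$2" --name "$3" -o table
}

# Only perform the live changes when explicitly requested.
if [ "${RUN_CROSS_TENANT_SETUP:-0}" = "1" ]; then
  SUBNET_ID=$(subnet_resource_id "$VNET_SUBSCRIPTION" "$VNET_RG" "$VNET_NAME" "$SUBNET_NAME")
  enable_keyvault_endpoint "$VNET_SUBSCRIPTION" "$VNET_RG" "$VNET_NAME" "$SUBNET_NAME"   # VNet tenant session
  allow_subnet_on_vault "$VAULT_SUBSCRIPTION" "$VAULT_RG" "$VAULT_NAME" "$SUBNET_ID"    # vault tenant session
fi
```

Run step 1 with `az login --tenant <vnet-tenant>` active and step 2 with `az login --tenant <vault-tenant>` active; the identity in the vault tenant needs only the vault's network-rule permissions, not any role in the VNet tenant.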
