![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 46%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGD%3C/text%3E%3C/svg%3E)
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Hi,
is not a role issue and not a private network issue. It is a tenant mismatch issue caused by the directory move. The banner clearly says that the currently selected directory differs from the Key Vault directory. That means the vault still belongs to the original tenant where it was created, while your subscription is now associated with a different tenant. Being Owner on the subscription does not give you data plane access if your identity is not in the tenant that the vault trusts.
Key Vault authorisation happens in two layers. Control plane access is based on subscription RBAC. Data plane access for secrets and certificates is validated against the tenant ID stored in the vault. After a directory migration those two can become misaligned.
To confirm, run az keyvault show --name <vault-name> --query properties.tenantId and compare that tenant ID with the tenant you are currently signed into. If they differ, the only ways forward are to sign into the original tenant and export the certificate from there, or to recreate the vault in the new tenant and restore from backup if you have one. There is no supported method to change the tenant ID of an existing Key Vault.
rgds,
Alex