
Support for Cross-Tenant Customer-Managed Key (CMK) Integration Between Azure Key Vault and Azure Database for MySQL Flexible Server

Atul Gupta 0 Reputation points
2026-06-02T05:55:09.99+00:00

Service: Azure Database for MySQL Flexible Server

Issue Type: Customer-Managed Key (CMK) / Azure Key Vault Integration

Description

We are evaluating a multi-tenant architecture where the encryption keys are owned and managed by a customer in their Azure tenant, while the Azure Database for MySQL Flexible Server is hosted and managed in our vendor tenant.

Current Architecture

  • Azure Database for MySQL Flexible Server: Vendor Tenant (Tenant A)
  • User-Assigned Managed Identity: Vendor Tenant (Tenant A)
  • Azure Key Vault containing Customer-Managed Key (CMK): Customer Tenant (Tenant B)

Business Requirement

We need to enable encryption of Azure Database for MySQL Flexible Server using a Customer-Managed Key stored in a customer's Azure Key Vault located in a different Microsoft Entra ID tenant.

This requirement is driven by:

  • Customer ownership and control of encryption keys.
  • Separation of vendor-managed infrastructure and customer-managed security assets.
  • Compliance and regulatory requirements where customers must retain exclusive control over cryptographic keys.
  • SaaS deployment model supporting multiple customer tenants.

Questions

  1. Is cross-tenant CMK integration currently supported for Azure Database for MySQL Flexible Server?
  2. If not currently supported, are there any:
    • Private Preview features
    • Public Preview features
    • Planned roadmap items
    • Alternative supported architectures that enable customer-owned keys in an external tenant?
  3. Can Azure Lighthouse, cross-tenant managed identities, workload identities, or federated credentials be used to facilitate this scenario?
  4. What is Microsoft's recommended architecture for SaaS providers who need customer-controlled encryption keys while hosting Azure Database for MySQL Flexible Server in a separate vendor tenant?
  5. Are there any documented patterns similar to cross-tenant CMK support available for other Azure services that can be applied to MySQL Flexible Server?

Expected Outcome

We would like guidance on implementing a supported architecture that allows:

  • Vendor-hosted Azure Database for MySQL Flexible Server
  • Customer-owned Azure Key Vault in a separate tenant
  • Customer-managed encryption keys (CMK)
  • Centralized customer control over key lifecycle, rotation, and revocation

Any documentation, architectural guidance, or roadmap information regarding this scenario would be greatly appreciated.

Thank you.


3 answers

  1. Manoj Kumar Boyini 16,640 Reputation points Microsoft External Staff Moderator
    2026-06-02T22:18:13.8266667+00:00

    Hey @Atul Gupta

    Thanks for the detailed scenario. Here’s what I found:

    Cross-tenant CMK for Azure Database for MySQL Flexible Server isn’t supported today
      • The server’s user-assigned managed identity and the Key Vault must live in the same Microsoft Entra (Azure AD) tenant.
      • There’s no private or public preview for cross-tenant BYOK on MySQL Flexible Server yet, and Engineering has flagged it as a potential future enhancement.

    No built-in workaround via Lighthouse, workload identities or federated credentials today
      • Azure Lighthouse lets you manage customer subscriptions, but it doesn’t change the fact that the Key Vault and UAMI must be in the same tenant.
      • Workload identity federation is used by Azure SQL TDE cross-tenant, but MySQL Flexible Server doesn’t yet integrate with that.

    Recommended architecture for SaaS providers
      Option A: Deploy each customer’s Flexible Server in their own tenant
        – Customer owns the Key Vault and CMK in their tenant.
        – You manage their server subscription remotely via Azure Lighthouse.
      Option B: Host the Flexible Server in your tenant with service-managed keys
        – If you must centralize the infrastructure, you’ll need to use service-managed encryption at rest, or build your own application-level encryption layer that calls the customer’s key vault.

    Similar patterns in other services
      • Azure SQL Database TDE supports cross-tenant CMK today by using workload identity federation. When MySQL Flexible Server supports that same federation feature, you’ll be able to point the server’s UAMI at a key in another tenant. For now, though, it’s on the roadmap.

    Hope this helps outline your options! If cross-tenant CMK is a must-have, the “Flexible Server in customer tenant + Lighthouse” model is the only fully supported setup right now, and you can submit feedback on the MySQL Flexible Server forum to help us prioritize cross-tenant BYOK in the future.

    References:
    https://learn.microsoft.com/azure/mysql/flexible-server/concepts-customer-managed-key
    https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-cross-tenant?view=azuresql
    https://learn.microsoft.com/azure/lighthouse/overview

    Please let us know if you have any questions.



  2. Atul Gupta 0 Reputation points
    2026-06-02T05:58:59.48+00:00


  3. AI answer

    2026-06-02T05:55:44.17+00:00
    1. Cross-tenant CMK integration for Azure Database for MySQL Flexible Server is not supported in the documented feature set. The requirements for configuring data encryption with a customer-managed key explicitly state that the Azure Key Vault and the Azure Database for MySQL flexible server instance must belong to the same Microsoft Entra tenant and must be in the same region. Cross-tenant Key Vault and flexible server interactions are called out as needing to be supported in the future, and reconfiguration is required if Key Vault resources are moved after configuration. Specifically, for MySQL Flexible Server CMK:
      • Key Vault and MySQL flexible server must be in the same Microsoft Entra tenant.
      • Key Vault and MySQL flexible server must be in the same region.
      • Only a user-assigned managed identity (UAMI) in that tenant is supported for accessing the Key Vault.
    2. Regarding previews, roadmap, and alternatives:
      • No private or public preview or roadmap items for cross-tenant CMK with Azure Database for MySQL Flexible Server are documented in the provided material.
      • The documented model is strictly same-tenant: the UAMI is created in the same tenant as the MySQL flexible server and granted Get, List, Wrap Key, and Unwrap Key permissions (or equivalent RBAC roles) on a Key Vault in that same tenant.
    3. Use of Azure Lighthouse, cross-tenant managed identities, workload identities, or federated credentials:
      • For MySQL Flexible Server CMK, the documented pattern is based on a user-assigned managed identity directly associated with the server and granted access to a Key Vault in the same tenant. There is no documented support for using cross-tenant workload identity federation, Azure Lighthouse, or federated credentials to bridge to a Key Vault in another tenant for MySQL Flexible Server.
    4. Recommended architecture for SaaS providers (based on current documented capabilities):
      • For Azure Database for MySQL Flexible Server, the supported CMK architecture is:
        • MySQL Flexible Server and its UAMI in the same tenant as the Key Vault.
        • Customer-managed key stored in that tenant’s Key Vault, with required permissions or RBAC roles assigned to the UAMI.
      • To achieve customer-controlled keys in a multi-tenant SaaS model with strict tenant separation, other Azure services currently provide cross-tenant CMK patterns that may be more suitable:
        • Azure SQL Database supports cross-tenant CMK with TDE using workload identity federation, allowing the logical server to be in one tenant and the Key Vault or Managed HSM (and keys) in another tenant. This is explicitly documented as a cross-tenant CMK scenario for SaaS/ISV architectures.
        • At the database level, Azure SQL Database also supports CMK with federated client identity, including cross-tenant Key Vault/Managed HSM, again designed for scenarios where keys are in a different tenant.
        • Azure managed disks support encryption with cross-tenant customer-managed keys using a multitenant application and managed identity, again enabling a provider tenant to use keys in a customer tenant.
      These patterns show that cross-tenant CMK is available and recommended today for Azure SQL Database and managed disks, but not documented for Azure Database for MySQL Flexible Server. For SaaS providers that must keep databases in a vendor tenant while keys remain in customer tenants, Azure SQL Database with cross-tenant CMK and workload identity federation is the documented pattern.
    5. Documented cross-tenant CMK patterns in other services that can inform architecture decisions:
      • Azure SQL Database:
        • Cross-tenant CMK with TDE using workload identity federation, allowing the logical server to be in a different tenant than the Key Vault/Managed HSM.
        • Database-level CMK using federated client identity, including cross-tenant Key Vault/Managed HSM, with requirements for Get, Wrap Key, and Unwrap Key permissions and appropriate roles (for example, Managed HSM Crypto Service Encryption User).
      • Azure managed disks:
        • Cross-tenant CMK using a multitenant application, a managed identity configured as the credential, and the key location in the customer’s Key Vault.

    Given the current documentation, a fully supported architecture that meets all of the stated requirements (vendor-hosted MySQL Flexible Server in Tenant A with CMK in a customer Key Vault in Tenant B) is not available for Azure Database for MySQL Flexible Server. The supported CMK model for MySQL Flexible Server is same-tenant only. For strict customer-controlled keys in a different tenant, Azure SQL Database with cross-tenant CMK and workload identity federation is the documented and recommended pattern.


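Added example, not code from the thread or from Microsoft: an Azure CLI script that builds the only documented MySQL Flexible Server CMK layout both answers describe (UAMI and Key Vault in one Microsoft Entra tenant and one region, UAMI granted Get, List, Wrap Key and Unwrap Key), and refuses up front the cross-tenant or cross-region layout the thread says is unsupported. Resource group, server, identity, vault and key names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): provision the documented same-tenant CMK
# setup for Azure Database for MySQL Flexible Server with Azure CLI, refusing the
# cross-tenant / cross-region layout that the thread says is unsupported.
# All resource names passed in are constructed placeholders.
set -eu

# Returns 0 when the UAMI and the Key Vault share a tenant and a region; otherwise
# prints the reason and returns 1, so the caller never reaches the az commands.
check_cmk_prereqs() {
  id_tenant="$1"; id_region="$2"; kv_tenant="$3"; kv_region="$4"
  if [ "$id_tenant" != "$kv_tenant" ]; then
    echo "UAMI tenant $id_tenant != Key Vault tenant $kv_tenant: cross-tenant CMK unsupported" >&2
    return 1
  fi
  if [ "$id_region" != "$kv_region" ]; then
    echo "region mismatch: $id_region vs $kv_region" >&2
    return 1
  fi
  return 0
}

# configure_cmk <resource-group> <server> <uami> <keyvault> <key-name> <region>
configure_cmk() {
  rg="$1"; server="$2"; uami="$3"; vault="$4"; key="$5"; region="$6"
  # 1. User-assigned managed identity in the same tenant/region as the server
  az identity create -g "$rg" -n "$uami" -l "$region" >/dev/null
  uami_id=$(az identity show -g "$rg" -n "$uami" --query id -o tsv)
  principal_id=$(az identity show -g "$rg" -n "$uami" --query principalId -o tsv)
  # 2. Fail fast if the vault lives in another tenant or region
  check_cmk_prereqs \
    "$(az identity show -g "$rg" -n "$uami" --query tenantId -o tsv)" "$region" \
    "$(az keyvault show -n "$vault" --query properties.tenantId -o tsv)" \
    "$(az keyvault show -n "$vault" --query location -o tsv)"
  # 3. CMK requires purge protection on the vault (soft delete is on by default)
  az keyvault update -n "$vault" --enable-purge-protection true >/dev/null
  # 4. RSA key plus the four key permissions named in the thread (access-policy model)
  az keyvault key create --vault-name "$vault" -n "$key" --kty RSA --size 2048 >/dev/null
  az keyvault set-policy -n "$vault" --object-id "$principal_id" \
    --key-permissions get list wrapKey unwrapKey >/dev/null
  key_id=$(az keyvault key show --vault-name "$vault" -n "$key" --query key.kid -o tsv)
  # 5. Point the server at the identity and the key (server-level CMK)
  az mysql flexible-server update -g "$rg" -n "$server" --identity "$uami_id" --key "$key_id"
}

# Usage: configure_cmk vendor-rg mysql-flex-01 mysql-cmk-uami customer-kv mysql-cmk eastus
```

If the vault uses Azure RBAC instead of access policies, replace the set-policy step with a "Key Vault Crypto Service Encryption User" role assignment for the UAMI's principal ID.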
