Service principal access Key vault and app user

AdamCheng-8231 21 Reputation points
2021-11-22T12:43:59.297+00:00

I am using a service principal to allow an app to access a key vault. I have granted the app access to the key vault. Question is: does it also automatically give users in the app access to the key vault? Or only through the service principal?

Thanks

Tags: Azure Key Vault, Microsoft Entra ID

Accepted answer
  1. JamesTran-MSFT 36,376 Reputation points Microsoft Employee
    2021-11-22T22:10:06.683+00:00

    @AdamCheng-8231
    Thank you for your post!

    As mentioned by AlanKinane, specific user accounts will not have permission to access the Key Vault if they aren't added to the Access Policies. In your specific scenario, your app's Service Principal will only be able to access the Key Vault.

    Example: The Key Vault request operation flow with authentication
    [image: Key Vault request operation flow with authentication]

    Additional Links:
    Key Vault authentication options
    Access model overview

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 additional answer

  1. Alan Kinane 16,786 Reputation points MVP
    2021-11-22T16:11:54.623+00:00

    Hi, only accounts with assigned RBAC access or access policies will have access to the Key Vault. So you would need to make sure that your application is configured to use the service principal for accessing the Key Vault; other identities such as user accounts will not have permission to access the Key Vault.

    Here are a few docs that may help you further:
    https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

    https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

    1 person found this answer helpful.
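Both answers above make the same point: Key Vault authorises the principal named in the access token, and a token obtained by the app with its service principal credentials carries the service principal's object id, not a user's. The following added example (not code from this thread or from Microsoft) illustrates that. It requests a token with the client-credentials flow, inspects the token's claims to see who it was issued to, and checks a simplified model of the vault access-policy list, which is keyed by object id, so a user of the app inherits nothing from the policy granted to the service principal. The object ids, claims, policies and unsigned sample tokens are constructed for illustration; a real token is signed by Microsoft Entra ID and verified by Key Vault, and the policy model here only mirrors the object-id matching, not the full service.

```python
# Added example, not code from the Q&A thread or from Microsoft: it shows why
# granting the app's service principal access to a Key Vault does not grant
# access to the app's users. Key Vault authorises the principal named in the
# access token (its "oid" claim), and a client-credentials token is issued
# to the service principal only. All ids, tokens and policies below are
# constructed sample values.
import base64
import json
import urllib.parse
import urllib.request

KEY_VAULT_SCOPE = "https://vault.azure.net/.default"


def request_sp_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow against Microsoft Entra ID (needs network).

    The resulting token carries the service principal's object id; no user
    identity is involved, so the vault sees the app, not the signed-in user.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": KEY_VAULT_SCOPE,
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT (constructed for illustration only; a real
    token is signed by Entra ID and its signature is checked by Key Vault)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Read the claims of a JWT payload without verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_principal(claims: dict) -> tuple:
    """Classify who the token was issued to. App-only tokens carry no 'upn'
    and, when the optional claim is configured, idtyp=app."""
    if "upn" in claims or claims.get("idtyp") == "user":
        return ("user", claims.get("oid"))
    return ("service principal", claims.get("oid"))


def permitted_secret_operations(access_policies: list, claims: dict) -> set:
    """Simplified vault-access-policy model: permissions are matched on the
    caller's object id, so a user gets nothing from the app's policy entry."""
    caller_oid = claims.get("oid")
    allowed = set()
    for policy in access_policies:
        if policy["objectId"] == caller_oid:
            allowed.update(policy["permissions"].get("secrets", []))
    return allowed


# Constructed sample data (not real tenant values).
SP_OID = "11111111-1111-1111-1111-111111111111"    # service principal object id
USER_OID = "22222222-2222-2222-2222-222222222222"  # a user of the app
ACCESS_POLICIES = [
    {"objectId": SP_OID, "permissions": {"secrets": ["get", "list"]}},
]
SP_CLAIMS = {"oid": SP_OID, "appid": "sample-app-client-id", "idtyp": "app",
             "aud": "https://vault.azure.net"}
USER_CLAIMS = {"oid": USER_OID, "upn": "alice@contoso.example",
               "aud": "https://vault.azure.net"}

if __name__ == "__main__":
    for claims in (SP_CLAIMS, USER_CLAIMS):
        kind, oid = describe_principal(decode_jwt_claims(make_sample_token(claims)))
        ops = permitted_secret_operations(ACCESS_POLICIES, claims)
        print(f"{kind} {oid}: secrets permissions {sorted(ops) or 'none'}")
```

Running the script prints that the service principal is permitted `get` and `list` while the user's token, even though it was obtained through the same app, is permitted nothing. If the app's users are meant to read secrets under their own identity, each of them (or a group) needs its own RBAC role assignment or access-policy entry, which is exactly what the accepted answer describes.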