Service principal access Key vault and app user

asked 2021-11-22T12:43:59.297+00:00
Adam Cheng 21 Reputation points

I am using a service principal to allow an app to access a key vault. I have granted the app access to the key vault. Question is: does it also automatically give users in the app access to the key vault, or only through the service principal?

Thanks

Tags: Azure Key Vault, Azure Active Directory

Accepted answer
  1. answered 2021-11-22T22:10:06.683+00:00
    JamesTran-MSFT 26,556 Reputation points Microsoft Employee

    @Adam Cheng
    Thank you for your post!

    As mentioned by AlanKinane, specific user accounts will not have permission to access the Key Vault if they aren't added to the Access Policies. In your specific scenario, your app's Service Principal will only be able to access the Key Vault.

    Example: The Key Vault request operation flow with authentication

    Additional Links:
    Key Vault authentication options
    Access model overview

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.



1 additional answer

  1. answered 2021-11-22T16:11:54.623+00:00
    Alan Kinane 16,501 Reputation points Microsoft MVP

    Hi, only accounts with assigned RBAC access or access policies will have access to the Key Vault. So you would need to make sure that your application is configured to use the service principal for accessing the Key Vault; other identities, such as user accounts, will not have permission to access the Key Vault.

    Here are a few docs that may help you further:
    https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

    https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

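Both answers make the same point: Key Vault authorizes the identity named in the bearer token it receives, so a grant to the app's service principal says nothing about the app's users. The following Python is an added illustration for this thread, not code from either answer or from Microsoft; it does not call Azure, and every object id, tenant id and role/permission subset in it is a constructed sample value. It models the decision for both permission models (Azure RBAC and legacy access policies) and includes a small audit helper that lists which identities a vault would let read secrets.

```python
"""Per-identity authorization in Azure Key Vault, as a runnable model.

Added example for this thread; it is not Microsoft code and does not call
Azure. Object ids, tenant ids and the role/permission subsets are
constructed sample values. What it demonstrates: Key Vault authorizes the
identity named in the bearer token it receives (oid + tid), checking that
identity against RBAC role assignments or the vault's access policies.
A grant to an app's service principal therefore never carries over to the
app's users; a user is allowed only if the user's own token is presented
and the user has their own assignment or policy.
"""
from dataclasses import dataclass, field

# Subset of the data-plane built-in roles and the secret actions they grant
# (illustrative, not the full Azure role definitions).
ROLE_DATA_ACTIONS = {
    "Key Vault Secrets User": {"secrets/get", "secrets/list"},
    "Key Vault Secrets Officer": {
        "secrets/get", "secrets/list", "secrets/set", "secrets/delete"},
}

# Constructed sample identities.
TENANT = "11111111-1111-1111-1111-111111111111"
APP_SP_OID = "aaaaaaaa-0000-0000-0000-000000000001"   # the app's service principal
USER_OID = "bbbbbbbb-0000-0000-0000-000000000002"     # a user signed in to the app


@dataclass(frozen=True)
class Token:
    """The two claims the model uses from a Key Vault bearer token."""
    oid: str   # object id of the caller (service principal or user)
    tid: str   # tenant the token was issued for


@dataclass
class Vault:
    tenant_id: str
    rbac_enabled: bool                                    # Azure RBAC vs. legacy access policies
    role_assignments: dict = field(default_factory=dict)  # oid -> {role name, ...}
    access_policies: dict = field(default_factory=dict)   # oid -> {"get", "list", ...}

    def authorize(self, token: Token, action: str) -> bool:
        """Decide one data-plane request, e.g. action="secrets/get"."""
        if token.tid != self.tenant_id:          # tokens from another tenant are rejected outright
            return False
        if self.rbac_enabled:
            roles = self.role_assignments.get(token.oid, set())
            return any(action in ROLE_DATA_ACTIONS.get(r, set()) for r in roles)
        object_type, permission = action.split("/", 1)
        if object_type != "secrets":
            return False   # this model only tracks secret permissions
        return permission in self.access_policies.get(token.oid, set())


def who_can(vault: Vault, action: str) -> list:
    """Audit helper: every object id the vault would allow to perform `action`."""
    subjects = set(vault.role_assignments) | set(vault.access_policies)
    return sorted(oid for oid in subjects
                  if vault.authorize(Token(oid, vault.tenant_id), action))


def scenario_rbac() -> dict:
    """The asker's setup under RBAC: only the service principal is assigned."""
    vault = Vault(TENANT, rbac_enabled=True,
                  role_assignments={APP_SP_OID: {"Key Vault Secrets User"}})
    sp_token = Token(APP_SP_OID, TENANT)    # what the app presents when it uses its SP credential
    user_token = Token(USER_OID, TENANT)    # what would be presented on the user's own behalf
    return {
        "app_as_sp_get": vault.authorize(sp_token, "secrets/get"),   # True
        "app_as_sp_set": vault.authorize(sp_token, "secrets/set"),   # False: role is read-only
        "user_get": vault.authorize(user_token, "secrets/get"),      # False: no assignment of their own
        "readers": who_can(vault, "secrets/get"),                    # [APP_SP_OID]
    }


def scenario_access_policy() -> tuple:
    """Same question under the legacy access-policy model."""
    vault = Vault(TENANT, rbac_enabled=False,
                  access_policies={APP_SP_OID: {"get", "list"}})
    user_token = Token(USER_OID, TENANT)
    before = vault.authorize(user_token, "secrets/get")      # False
    vault.access_policies[USER_OID] = {"get"}                # grant the user explicitly
    after = vault.authorize(user_token, "secrets/get")       # True
    other_tenant = vault.authorize(
        Token(APP_SP_OID, "22222222-2222-2222-2222-222222222222"),
        "secrets/get")                                       # False even for the SP's oid
    return before, after, other_tenant


if __name__ == "__main__":
    print(scenario_rbac())
    print(scenario_access_policy())
```

Run it as a script to see both scenarios. The practical reading for the asker: if the app authenticates to Key Vault with its service principal credential, every request is evaluated as that principal, so the signed-in user's identity is never consulted; if you want a user's own access to matter, the request has to carry the user's token and that user needs their own role assignment or access policy.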