Service principal access Key vault and app user

Adam Cheng 21 Reputation points

I am using a service principal to allow an app to access a key vault. I have granted the app access to the key vault. Question is: Does it also automatically give users in the app access to the key vault? Or only through the service principal?


Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.

Accepted answer
  1. JamesTran-MSFT 27,751 Reputation points Microsoft Employee

    @Adam Cheng
    Thank you for your post!

    As mentioned by AlanKinane, specific user accounts will not have permission to access the Key Vault if they aren't added to the Access Policies. In your specific scenario, your app's Service Principal will only be able to access the Key Vault.

    Example: The Key Vault request operation flow with authentication

    Additional Links:
    Key Vault authentication options
    Access model overview

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

1 additional answer

  1. Alan Kinane 16,541 Reputation points MVP

    Hi, only accounts with assigned RBAC access or access policies will have access to the Key Vault. So you would need to make sure that your application is configured to use the service principal for accessing the Key Vault; other identities such as user accounts will not have permission to access the Key Vault.

    Here are a few docs that may help you further:

    1 person found this answer helpful.
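
An added illustration (not part of either answer and not Microsoft's code): a Python model of the check both answers describe, run over constructed records shaped like `az keyvault show` and `az role assignment list` output. All IDs and names are made up, the helper names are hypothetical, and management-group scopes are not modelled.

```python
# Built-in roles whose data actions include reading secret values.
SECRET_READ_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer",
                     "Key Vault Secrets User"}

# Constructed sample data; every ID and name below is made up.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
            "/providers/Microsoft.KeyVault/vaults/kv-demo")
APP_SP = "11111111-1111-1111-1111-111111111111"    # the app's service principal object ID
APP_USER = "22222222-2222-2222-2222-222222222222"  # a user who signs in to the app
VAULT = {"id": VAULT_ID, "properties": {
    "enableRbacAuthorization": False,
    "accessPolicies": [
        {"objectId": APP_SP, "permissions": {"secrets": ["Get", "List"], "keys": []}},
    ]}}
ROLE_ASSIGNMENTS = [  # consulted only when the vault is in RBAC mode
    {"principalId": APP_SP, "roleDefinitionName": "Key Vault Secrets User",
     "scope": VAULT_ID.rsplit("/providers/", 1)[0]},  # resource-group scope, inherited
    # Contributor is a management-plane role and carries no data actions.
    {"principalId": APP_USER, "roleDefinitionName": "Contributor", "scope": VAULT_ID},
]

def scope_covers(scope, resource_id):
    """True if a role assignment made at `scope` is inherited by `resource_id`."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")

def can_read_secrets(vault, role_assignments, object_ids):
    """Can any of `object_ids` (a principal plus its group IDs) read secret values?"""
    ids = {i.lower() for i in object_ids}
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        # RBAC mode: access policies are ignored; only data-plane roles count.
        return any(a["principalId"].lower() in ids
                   and a["roleDefinitionName"] in SECRET_READ_ROLES
                   and scope_covers(a["scope"], vault["id"])
                   for a in role_assignments)
    # Access-policy mode: the caller's object ID needs its own policy entry.
    return any(p["objectId"].lower() in ids
               and "get" in (s.lower() for s in p["permissions"].get("secrets", []))
               for p in props.get("accessPolicies", []))

def with_rbac(vault):
    """Copy of the vault record switched to RBAC authorization."""
    return {**vault, "properties": {**vault["properties"], "enableRbacAuthorization": True}}

if __name__ == "__main__":
    for name, oid in (("service principal", APP_SP), ("app user", APP_USER)):
        print(name, "can read secrets:", can_read_secrets(VAULT, ROLE_ASSIGNMENTS, [oid]))
```

Replacing the constructed records with the real JSON for a vault shows which identities the vault itself will authorize, independent of who is signed in to the app.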