Service principal access Key vault and app user

Adam Cheng 21 Reputation points
2021-11-22T12:43:59.297+00:00

I am using a service principal to allow an app to access a key vault. I have granted the app access to the key vault. The question is: does it also automatically give users in the app access to the key vault? Or only through the service principal?

Thanks


Accepted answer
    JamesTran-MSFT 28,021 Reputation points Microsoft Employee
    2021-11-22T22:10:06.683+00:00

    @Adam Cheng
    Thank you for your post!

    As mentioned by Alan Kinane, specific user accounts will not have permission to access the Key Vault if they aren't added to the Access Policies. In your specific scenario, only your app's Service Principal will be able to access the Key Vault.

    Example: The Key Vault request operation flow with authentication

    Additional Links:
    Key Vault authentication options
    Access model overview

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

1 additional answer

    Alan Kinane 16,541 Reputation points MVP
    2021-11-22T16:11:54.623+00:00

    Hi, only accounts with assigned RBAC access or access policies will have access to the Key Vault. So you would need to make sure that your application is configured to use the service principal for accessing the Key Vault; other identities, such as user accounts, will not have permission to access the Key Vault.

    Here are a few docs that may help you further:
    https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

    https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

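Added example (not from either answer, and not Microsoft code): an offline check of the two Key Vault permission models the answers refer to, access policies and Azure RBAC, run over constructed sample data. The vault id, object ids and role assignments are placeholders; the input shapes follow what `az keyvault show` and `az role assignment list` return.

```python
"""Audit who can read secret values from a Key Vault (added example, constructed data).

Two permission models exist: the legacy vault access policies, and Azure RBAC
(enabled by the vault's enableRbacAuthorization property). Only one is in effect
at a time; when RBAC is on, access policies are ignored entirely.
Input shapes mirror `az keyvault show` / `az role assignment list` output."""

# Built-in data-plane roles whose holders can read secret values (not Reader/Contributor/Owner).
SECRET_READ_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer", "Key Vault Secrets User"}

def _scope_covers(scope: str, vault_id: str) -> bool:
    """True if an RBAC scope (vault, resource group or subscription) contains the vault."""
    return (vault_id.lower() + "/").startswith(scope.lower().rstrip("/") + "/")

def can_read_secrets(vault: dict, role_assignments: list, object_id: str) -> bool:
    """Return True if the principal `object_id` may read secret values from `vault`."""
    props = vault["properties"]
    oid = object_id.lower()
    if props.get("enableRbacAuthorization"):
        # RBAC model: only data-plane role assignments at or above vault scope count.
        return any(ra["principalId"].lower() == oid
                   and ra["roleDefinitionName"] in SECRET_READ_ROLES
                   and _scope_covers(ra["scope"], vault["id"])
                   for ra in role_assignments)
    # Access-policy model: the principal must be listed with a secrets "get" (or "all") permission.
    for policy in props.get("accessPolicies", []):
        if policy["objectId"].lower() == oid:
            perms = {p.lower() for p in policy["permissions"].get("secrets", [])}
            if perms & {"get", "all"}:
                return True
    return False

# Constructed sample identities and vault (placeholder GUIDs, not a real tenant).
APP_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # the app's service principal
USER_OBJECT_ID = "22222222-2222-2222-2222-222222222222"  # a user signed in to the app
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_ID = SUB + "/resourceGroups/demo-rg/providers/Microsoft.KeyVault/vaults/demo-kv"
POLICIES = [{"objectId": APP_SP_OBJECT_ID, "permissions": {"secrets": ["get", "list"]}}]
POLICY_VAULT = {"id": VAULT_ID, "properties": {"enableRbacAuthorization": False, "accessPolicies": POLICIES}}
RBAC_VAULT = {"id": VAULT_ID, "properties": {"enableRbacAuthorization": True, "accessPolicies": POLICIES}}
ROLE_ASSIGNMENTS = [
    {"principalId": APP_SP_OBJECT_ID, "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_ID},
    # Contributor on the resource group is control plane only; it does not grant secret reads.
    {"principalId": USER_OBJECT_ID, "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/demo-rg"},
]
```

The service principal passes under both models, the user passes under neither, and switching the vault to RBAC makes the access-policy entry stop counting.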