Editing
Openai/693c317b-1938-8004-a51a-2783d95dfc11
{{DISPLAYTITLE:Cross-tenant app access}}
''This conversation was exported from ChatGPT''<ref>{{cite web|title=Cross-tenant app access|url=https://chatgpt.com/share/693c317b-1938-8004-a51a-2783d95dfc11|publisher=ChatGPT|access-date=2025-12-13}}</ref>

== gpt-5-1 ==

=== User: Give an azure ad app registration from one directory key vault secrets officer access to a key vault on another directo… ===

Give an azure ad app registration from one directory key vault secrets officer access to a key vault on another directory

=== Assistant: To give an Azure AD App Registration from Tenant A Key Vault Secrets Officer access to a Key Vault in Tenant B, you mus… ===

To give an Azure AD App Registration from Tenant A Key Vault Secrets Officer access to a Key Vault in Tenant B, you must do cross-tenant service principal assignment + Key Vault RBAC. Here is the exact process.

=== ✅ Goal ===

App in Tenant A → Access Key Vault in Tenant B → Role = Key Vault Secrets Officer

=== 🟦 1. Ensure the App Exists in Tenant A ===

You already have an App Registration in Tenant A with an application (client) ID:

<syntaxhighlight>
App (client) ID = <APP-ID-A>
Directory (tenant) ID = <TENANT-A-ID>
</syntaxhighlight>

=== 🟪 2. Create a Service Principal for That App in Tenant B ===

Azure AD apps are not automatically known in other tenants. You must create a service principal for the foreign app in Tenant B.

You run this in Tenant B:

===== Option A – Azure Portal (simple) =====

# Go to Azure Portal → Azure AD (Tenant B) → Enterprise Applications
# Click + New application
# Select “Create your own application”
# Choose “Integrate any other application you don’t find in the gallery (non-gallery)”
# Type the App ID from Tenant A
# This creates a cross-tenant service principal.

===== Option B – Azure CLI =====

Log in to Tenant B, then run:

<syntaxhighlight lang="bash">
az ad sp create --id <APP-ID-A>
</syntaxhighlight>

If already created, it will tell you.

=== 🟩 3. Assign RBAC Role on the Key Vault in Tenant B ===

Use Azure RBAC, not Key Vault access policies (unless you are using legacy).

===== Role to assign: =====

<syntaxhighlight>
Key Vault Secrets Officer
</syntaxhighlight>

===== Using Azure CLI: =====

<syntaxhighlight lang="bash">
az role assignment create \
  --assignee <APP-ID-A> \
  --role "Key Vault Secrets Officer" \
  --scope /subscriptions/<SUB-ID>/resourceGroups/<RG-NAME>/providers/Microsoft.KeyVault/vaults/<KV-NAME>
</syntaxhighlight>

===== Using Azure Portal: =====

# Go to Key Vault → Access Control (IAM)
# Add role assignment
# Role: Key Vault Secrets Officer
# Assign access to: User, group, or service principal
# Select the service principal for the app (should now appear since you created it in step 2)

=== 🟨 4. Configure Authentication (Tenant B → Tenant A App) ===

When your app authenticates, it uses its own tenant (Tenant A), not Tenant B.

So your client code must authenticate using:

* Authority = https://login.microsoftonline.com/<TENANT-A-ID>/
* Client ID = <APP-ID-A>
* Client Secret / Certificate = created in Tenant A

And resource scope for Key Vault in Tenant B:

<syntaxhighlight>
https://vault.azure.net/.default
</syntaxhighlight>

Example using MSAL:

<syntaxhighlight lang="python">
# Requires the msal package (pip install msal)
from msal import ConfidentialClientApplication

app = ConfidentialClientApplication(
    client_id="<APP-ID-A>",
    client_credential="<CLIENT-SECRET>",
    authority="https://login.microsoftonline.com/<TENANT-A-ID>"
)
# Client-credentials flow: the result dict carries "access_token" on success
token = app.acquire_token_for_client(scopes=["https://vault.azure.net/.default"])
</syntaxhighlight>

=== 🟧 5. Test Access ===

Once the service principal exists in Tenant B and RBAC is assigned, the app from Tenant A can call the Key Vault in Tenant B normally.

=== ✅ Summary ===

{| class="wikitable"
! Step !! Where !! Action
|-
| 1 || Tenant A || Create the App (already done)
|-
| 2 || Tenant B || Create a service principal for the foreign app
|-
| 3 || Tenant B || Assign Key Vault Secrets Officer using IAM
|-
| 4 || App code || Authenticate using Tenant A and access KV in Tenant B
|-
| 5 || Tenant B || Test retrieval/setting of secrets
|}

If you want, I can also provide:

* a full Terraform example
* ARM/Bicep template
* Azure PowerShell version
* How to restrict the cross-tenant service principal
* How to do this with Managed Identity instead

Just tell me!

== References ==
<references />

[[Category:ChatGPT Shares]]
[[Category:openai]]
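The exported conversation stops at "the app can call the Key Vault normally". When a cross-tenant call instead comes back with 401/403, the first thing worth checking is the token itself: whether it was issued by the tenant you intended, for the Key Vault audience, to the app you expect. The following added example (not part of the exported conversation, and not Microsoft's code) decodes the claims of an access token offline, without signature verification, and reports any mismatch against the expected values. The `<APP-ID-A>` and `<TENANT-A-ID>` placeholders are the ones from the conversation; the helper names and the constructed sample token with a dummy signature are assumptions made for this example.

```python
import base64
import json
import time
from typing import List, Optional

# Placeholders taken from the conversation above; substitute real values in use.
EXPECTED_APP_ID = "<APP-ID-A>"
EXPECTED_TENANT_ID = "<TENANT-A-ID>"
KEY_VAULT_AUDIENCE = "https://vault.azure.net"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT convention."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(access_token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature.

    Signature verification is the vault's job; this only reads the claims the
    vault is going to look at so a misconfiguration is visible before the call.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_vault_token(access_token: str, expected_app_id: str,
                      expected_tenant_id: str, now: Optional[float] = None) -> List[str]:
    """Return the mismatches found; an empty list means the token's claims look right."""
    claims = decode_claims(access_token)
    problems: List[str] = []
    aud = claims.get("aud")
    # The resource audience may appear with or without a trailing slash.
    if aud not in (KEY_VAULT_AUDIENCE, KEY_VAULT_AUDIENCE + "/"):
        problems.append(f"aud is {aud!r}, expected {KEY_VAULT_AUDIENCE!r}")
    if claims.get("tid") != expected_tenant_id:
        problems.append(f"tid is {claims.get('tid')!r}, expected {expected_tenant_id!r}")
    # v1.0 tokens name the calling app in 'appid', v2.0 tokens in 'azp'.
    app_id = claims.get("appid") or claims.get("azp")
    if app_id != expected_app_id:
        problems.append(f"appid/azp is {app_id!r}, expected {expected_app_id!r}")
    exp = claims.get("exp")
    if exp is not None and exp <= (time.time() if now is None else now):
        problems.append("token is expired")
    return problems


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed sample JWT with a dummy signature, for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


if __name__ == "__main__":
    # Constructed sample mirroring a client-credentials token for Key Vault.
    sample = make_unsigned_sample_token({
        "aud": KEY_VAULT_AUDIENCE, "tid": EXPECTED_TENANT_ID,
        "appid": EXPECTED_APP_ID, "exp": int(time.time()) + 3600,
    })
    print(check_vault_token(sample, EXPECTED_APP_ID, EXPECTED_TENANT_ID) or "token claims look right")
```

In practice you would pass `token["access_token"]` from the MSAL `acquire_token_for_client` call in step 4 to `check_vault_token` before making the first vault request; a non-empty result points at the authority, scope or client ID in the client configuration rather than at the RBAC assignment.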