Title: Openai/693c317b-1938-8004-a51a-2783d95dfc11 - freem
URL Source: https://freemwiki.com/index.php?mobileaction=toggle_view_mobile&title=Openai%2F693c317b-1938-8004-a51a-2783d95dfc11

### User:

Give an Azure AD app registration from one directory Key Vault Secrets Officer access to a key vault in another directory.

### Assistant:

To give an Azure AD App Registration from Tenant A Key Vault Secrets Officer access to a Key Vault in Tenant B, you must do cross-tenant service principal assignment + Key Vault RBAC. Here is the exact process.

### ✅ Goal

App in Tenant A → Access Key Vault in Tenant B → Role = Key Vault Secrets Officer

### 🟦 1. Ensure the App Exists in Tenant A

You already have an App Registration in Tenant A with an application (client) ID:

* App (client) ID = `<APP_CLIENT_ID>`
* Directory (tenant) ID = `<TENANT_A_ID>`

### 🟪 2. Create a Service Principal for That App in Tenant B

Azure AD apps are not automatically known in other tenants. You must create a service principal for the foreign app in Tenant B. You run this in Tenant B:

##### Option A – Azure Portal (simple)

1. Go to Azure Portal → Azure AD (Tenant B) → Enterprise Applications
2. Click + New application
3. Select “Create your own application”
4. Choose “Integrate any other application you don’t find in the gallery (non-gallery)”
5. Type the App ID from Tenant A
6. This creates a cross-tenant service principal.

##### Option B – Azure CLI

Log in to Tenant B, then run:

```bash
# <APP_CLIENT_ID> is the application (client) ID of the app registration in Tenant A
az ad sp create --id <APP_CLIENT_ID>
```

If already created, it will tell you.

### 🟩 3. Assign RBAC Role on the Key Vault in Tenant B

Use Azure RBAC, not Key Vault access policies (unless you are using legacy).

##### Role to assign:

Key Vault Secrets Officer

##### Using Azure CLI:

```bash
# Run while logged in to Tenant B; the scope is the vault itself, not the resource group or subscription
az role assignment create \
  --assignee <APP_CLIENT_ID> \
  --role "Key Vault Secrets Officer" \
  --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.KeyVault/vaults/<VAULT_NAME>
```

##### Using Azure Portal:

1. Go to Key Vault → Access Control (IAM)
2. Add role assignment
3. Role: Key Vault Secrets Officer
4. Assign access to: User, group, or service principal
5. Select the service principal for the app (it should now appear since you created it in step 2)

### 🟨 4. Configure Authentication (Tenant B → Tenant A App)

When your app authenticates, it uses its own tenant (Tenant A), not Tenant B. So your client code must authenticate using:

* Authority = `https://login.microsoftonline.com/<TENANT_A_ID>`
* Client ID = `<APP_CLIENT_ID>`
* Client Secret / Certificate = created in Tenant A

And resource scope for Key Vault in Tenant B: `https://vault.azure.net/.default`

Example using MSAL:

```python
from msal import ConfidentialClientApplication  # pip install msal

app = ConfidentialClientApplication(
    client_id="<APP_CLIENT_ID>",           # app registration in Tenant A
    client_credential="<CLIENT_SECRET>",   # secret or certificate created in Tenant A
    authority="https://login.microsoftonline.com/<TENANT_A_ID>",
)
result = app.acquire_token_for_client(scopes=["https://vault.azure.net/.default"])
if "access_token" not in result:            # MSAL returns an error dict instead of raising
    raise RuntimeError(result.get("error_description", result))
token = result["access_token"]               # sent as "Authorization: Bearer <token>" to the vault in Tenant B
```

### 🟧 5. Test Access

Once the service principal exists in Tenant B and RBAC is assigned, the app from Tenant A can call the Key Vault in Tenant B normally.

### ✅ Summary

| Step | Where | Action |
| ---- | -------- | ----------------------------------------------------- |
| 1 | Tenant A | Create the App (already done) |
| 2 | Tenant B | Create a service principal for the foreign app |
| 3 | Tenant B | Assign Key Vault Secrets Officer using IAM |
| 4 | App code | Authenticate using Tenant A and access KV in Tenant B |
| 5 | Tenant B | Test retrieval/setting of secrets |

If you want, I can also provide:

* a full Terraform example
* ARM/Bicep template
* Azure PowerShell version
* How to restrict the cross-tenant service principal
* How to do this with Managed Identity instead

Just tell me!
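As an added pre-flight check for step 5 (example code written for this page, not part of the conversation above): before sending the MSAL token to the vault, decode its claims locally and confirm they are the ones Key Vault enforces, namely audience `https://vault.azure.net`, a `tid` equal to the vault's own tenant, the expected app identity, and an unexpired `exp`. The vault's tenant ID and the client ID are assumed to be supplied by the caller, and `make_test_token` only builds a constructed, unsigned fixture so the check can be exercised offline.

```python
import base64
import json
import time

VAULT_AUDIENCE = "https://vault.azure.net"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check here: the
    vault verifies the signature itself; this is only a local sanity check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_vault_token(token: str, vault_tenant_id: str, client_id: str, now=None) -> list:
    """Return the reasons the Key Vault living in `vault_tenant_id` would reject
    `token`; an empty list means audience, tenant, app identity and expiry match.
    A non-empty list usually points at a wrong authority or scope in step 4."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud not in (VAULT_AUDIENCE, VAULT_AUDIENCE + "/"):
        problems.append(f"aud is {aud!r}; expected {VAULT_AUDIENCE} (wrong scope?)")
    if claims.get("tid") != vault_tenant_id:
        problems.append(f"tid {claims.get('tid')!r} is not the vault's tenant {vault_tenant_id!r}")
    caller = claims.get("appid") or claims.get("azp")  # v1 tokens carry appid, v2 carry azp
    if caller != client_id:
        problems.append(f"token was issued to app {caller!r}, not {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def make_test_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT for offline tests only (Azure never accepts it).
    In real use pass result["access_token"] from MSAL to check_vault_token instead."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"
```

A token whose `tid` is not the vault's tenant is the typical cross-tenant failure, and this check names it before the vault answers with a 401.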