Openai/693c317b-1938-8004-a51a-2783d95dfc11
This conversation was exported from ChatGPT[1]
gpt-5-1
User: Give an Azure AD app registration from one directory Key Vault Secrets Officer access to a key vault in another directory
Assistant: To give an Azure AD App Registration from Tenant A Key Vault Secrets Officer access to a Key Vault in Tenant B, you must do cross-tenant service principal assignment + Key Vault RBAC. Here is the exact process.
✅ Goal
App in Tenant A → Access Key Vault in Tenant B → Role = Key Vault Secrets Officer
🟦 1. Ensure the App Exists in Tenant A
You already have an App Registration in Tenant A with an application (client) ID:
    App (client) ID = <APP-ID-A>
    Directory (tenant) ID = <TENANT-A-ID>
🟪 2. Create a Service Principal for That App in Tenant B
Azure AD apps are not automatically known in other tenants. You must create a service principal for the foreign app in Tenant B.
You run this in Tenant B:
Option A – Azure Portal (simple)
- Go to Azure Portal → Azure AD (Tenant B) → Enterprise Applications
- Click + New application
- Select “Create your own application”
- Choose “Integrate any other application you don’t find in the gallery (non-gallery)”
- Type the App ID from Tenant A
- This creates a cross-tenant service principal.
Option B – Azure CLI
Log in to Tenant B, then run:
    az ad sp create --id <APP-ID-A>
If already created, it will tell you.
🟩 3. Assign RBAC Role on the Key Vault in Tenant B
Use Azure RBAC, not Key Vault access policies (unless you are using legacy).
Role to assign: Key Vault Secrets Officer
Using Azure CLI:
    az role assignment create \
      --assignee <APP-ID-A> \
      --role "Key Vault Secrets Officer" \
      --scope /subscriptions/<SUB-ID>/resourceGroups/<RG-NAME>/providers/Microsoft.KeyVault/vaults/<KV-NAME>
Using Azure Portal:
- Go to Key Vault → Access Control (IAM)
- Add role assignment
- Role: Key Vault Secrets Officer
- Assign access to: User, group, or service principal
- Select the service principal for the app (should now appear since you created it in step 2)
🟨 4. Configure Authentication (Tenant B → Tenant A App)
When your app authenticates, it uses its own tenant (Tenant A), not Tenant B.
So your client code must authenticate using:
- Authority = https://login.microsoftonline.com/<TENANT-A-ID>/
- Client ID = <APP-ID-A>
- Client Secret / Certificate = created in Tenant A
And resource scope for Key Vault in Tenant B:
    https://vault.azure.net/.default
Example using MSAL:
    # Requires the `msal` package (pip install msal)
    from msal import ConfidentialClientApplication

    # Authority is the app's home tenant (Tenant A), not the vault's tenant (Tenant B)
    app = ConfidentialClientApplication(
        client_id="<APP-ID-A>",
        client_credential="<CLIENT-SECRET>",
        authority="https://login.microsoftonline.com/<TENANT-A-ID>",
    )
    # Resource scope for Key Vault; the RBAC assignment in Tenant B decides what the token may do
    token = app.acquire_token_for_client(scopes=["https://vault.azure.net/.default"])
🟧 5. Test Access
Once the service principal exists in Tenant B and RBAC is assigned, the app from Tenant A can call the Key Vault in Tenant B normally.
✅ Summary
| Step | Where    | Action                                                |
| ---- | -------- | ----------------------------------------------------- |
| 1    | Tenant A | Create the App (already done)                         |
| 2    | Tenant B | Create a service principal for the foreign app        |
| 3    | Tenant B | Assign Key Vault Secrets Officer using IAM            |
| 4    | App code | Authenticate using Tenant A and access KV in Tenant B |
| 5    | Tenant B | Test retrieval/setting of secrets                     |
If you want, I can also provide:
- a full Terraform example
- ARM/Bicep template
- Azure PowerShell version
- How to restrict the cross-tenant service principal
- How to do this with Managed Identity instead
Just tell me!
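Added example, not part of the exported conversation above: a standard-library-only Python script for steps 4 and 5 that builds the client-credentials token request against Tenant A's authority, decodes the returned access token locally (signature not verified; for troubleshooting only), and checks the three claims that go wrong most often in a cross-tenant setup: `tid` (token minted in the wrong tenant), `aud` (token requested for a different resource such as Graph) and `appid`/`azp` (a different app than the one the service principal was created for). All tenant, app and vault values are placeholders, and the sample token at the bottom is constructed for the demonstration; `get_secret` needs network access and the RBAC assignment from step 3.

```python
"""Verify the Tenant A -> Tenant B Key Vault token flow without any SDK.

Placeholders: <TENANT-A-ID>, <TENANT-B-ID>, <APP-ID-A>, the client secret and
the vault URL are supplied by the operator; none are real values.
"""
import base64
import json
import urllib.parse
import urllib.request

VAULT_SCOPE = "https://vault.azure.net/.default"
VAULT_RESOURCE = "https://vault.azure.net"  # expected `aud` claim for that scope (assumption)


def build_token_request(tenant_a_id: str, client_id: str, client_secret: str):
    """Return (url, form_body) for the OAuth2 client-credentials grant.

    The authority is the app's HOME tenant (Tenant A) even though the vault
    lives in Tenant B; the RBAC assignment in Tenant B is what grants access.
    """
    url = f"https://login.microsoftonline.com/{tenant_a_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": VAULT_SCOPE,
    }).encode()
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Only for local diagnosis of which tenant/resource a token was issued for.
    Key Vault validates the signature server-side; never trust these claims
    for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_vault(claims: dict, tenant_a_id: str, app_id_a: str) -> list:
    """Return a list of problems; an empty list means the token looks right."""
    problems = []
    if claims.get("tid") != tenant_a_id:
        problems.append(f"tid={claims.get('tid')!r}, expected Tenant A {tenant_a_id}")
    if claims.get("aud") != VAULT_RESOURCE:
        problems.append(f"aud={claims.get('aud')!r}, expected {VAULT_RESOURCE}")
    app = claims.get("appid") or claims.get("azp")  # v1 tokens use appid, v2 use azp
    if app != app_id_a:
        problems.append(f"app={app!r}, expected {app_id_a}")
    return problems


def acquire_token(tenant_a_id: str, client_id: str, client_secret: str) -> str:
    """Perform the token request (network required)."""
    url, body = build_token_request(tenant_a_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def get_secret(vault_url: str, name: str, access_token: str) -> str:
    """Read a secret through the Key Vault REST API (network + RBAC required)."""
    req = urllib.request.Request(
        f"{vault_url.rstrip('/')}/secrets/{name}?api-version=7.4",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed, unsigned JWT so the checker can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: token minted by Tenant B's authority by mistake.
    bad = make_unsigned_test_token(
        {"tid": "<TENANT-B-ID>", "aud": VAULT_RESOURCE, "appid": "<APP-ID-A>"}
    )
    print(check_token_for_vault(decode_jwt_claims(bad), "<TENANT-A-ID>", "<APP-ID-A>"))
```

If `check_token_for_vault` returns an empty list but Key Vault still answers 403, the problem is on the Tenant B side (step 2 or 3): the service principal for `<APP-ID-A>` does not exist there or the Key Vault Secrets Officer assignment is at the wrong scope.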
References
- ↑ "Cross-tenant app access". ChatGPT. Retrieved 2025-12-13.