https://freemwiki.com/index.php?action=history&feed=atom&title=Openai%2F693c317b-1938-8004-a51a-2783d95dfc11Openai/693c317b-1938-8004-a51a-2783d95dfc11 - Revision history2026-05-28T00:58:42ZRevision history for this page on the wikiMediaWiki 1.43.3https://freemwiki.com/index.php?title=Openai/693c317b-1938-8004-a51a-2783d95dfc11&diff=594381&oldid=prevLukegao: by freem.ai...2025-12-13T05:25:34Z<p>by freem.ai...</p>
<p><b>New page</b></p><div><br />
{{DISPLAYTITLE:Cross-tenant app access}}<br />
<br />
''This conversation was exported from ChatGPT''<ref>{{cite web|title=Cross-tenant app access|url=https://chatgpt.com/share/693c317b-1938-8004-a51a-2783d95dfc11|publisher=ChatGPT|access-date=2025-12-13}}</ref><br />
<br />
== gpt-5-1 ==<br />
=== User: Give an azure ad app registration from one directory key vault secrets officer access to a key vault on another directo… ===<br />
Give an azure ad app registration from one directory key vault secrets officer access to a key vault on another directory<br />
<br />
=== Assistant: To give an Azure AD App Registration from Tenant A Key Vault Secrets Officer access to a Key Vault in Tenant B, you mus… ===<br />
To give an Azure AD App Registration from Tenant A Key Vault Secrets Officer access to a Key Vault in Tenant B, you must do cross-tenant service principal assignment + Key Vault RBAC.<br />
Here is the exact process.<br />
<br />
=== ✅ Goal ===<br />
<br />
App in Tenant A → Access Key Vault in Tenant B → Role = Key Vault Secrets Officer<br />
<br />
=== 🟦 1. Ensure the App Exists in Tenant A ===<br />
<br />
You already have an App Registration in Tenant A with an application (client) ID:<br />
<br />
<syntaxhighlight>App (client) ID = <APP-ID-A><br />
Directory (tenant) ID = <TENANT-A-ID><br />
<br />
</syntaxhighlight><br />
<br />
=== 🟪 2. Create a Service Principal for That App in Tenant B ===<br />
<br />
Azure AD apps are not automatically known in other tenants.<br />
You must create a service principal for the foreign app in Tenant B.<br />
<br />
You run this in Tenant B:<br />
<br />
===== Option A – Azure Portal (simple) =====<br />
# Go to Azure Portal → Azure AD (Tenant B) → Enterprise Applications<br />
# Click + New application<br />
# Select “Create your own application”<br />
# Choose “Integrate any other application you don’t find in the gallery (non-gallery)”<br />
# Type the App ID from Tenant A<br />
# This creates a cross-tenant service principal.<br />
<br />
===== Option B – Azure CLI =====<br />
<br />
Log in to Tenant B, then run:<br />
<br />
<syntaxhighlight lang="bash">az ad sp create --id <APP-ID-A><br />
<br />
</syntaxhighlight><br />
<br />
If already created, it will tell you.<br />
<br />
=== 🟩 3. Assign RBAC Role on the Key Vault in Tenant B ===<br />
<br />
Use Azure RBAC, not Key Vault access policies (unless you are using legacy).<br />
<br />
===== Role to assign: =====<br />
<br />
<syntaxhighlight>Key Vault Secrets Officer<br />
<br />
</syntaxhighlight><br />
<br />
===== Using Azure CLI: =====<br />
<br />
<syntaxhighlight lang="bash">az role assignment create \<br />
--assignee <APP-ID-A> \<br />
--role "Key Vault Secrets Officer" \<br />
--scope /subscriptions/<SUB-ID>/resourceGroups/<RG-NAME>/providers/Microsoft.KeyVault/vaults/<KV-NAME><br />
<br />
</syntaxhighlight><br />
<br />
===== Using Azure Portal: =====<br />
# Go to Key Vault → Access Control (IAM)<br />
# Add role assignment<br />
# Role: Key Vault Secrets Officer<br />
# Assign access to: User, group, or service principal<br />
# Select the service principal for the app (should now appear since you created it in step 2)<br />
<br />
=== 🟨 4. Configure Authentication (Tenant B → Tenant A App) ===<br />
<br />
When your app authenticates, it uses its own tenant (Tenant A), not Tenant B.<br />
<br />
So your client code must authenticate using:<br />
* Authority = https://login.microsoftonline.com/<TENANT-A-ID>/<br />
* Client ID = <APP-ID-A><br />
* Client Secret / Certificate = created in Tenant A<br />
<br />
And resource scope for Key Vault in Tenant B:<br />
<br />
<syntaxhighlight>https://vault.azure.net/.default<br />
<br />
</syntaxhighlight><br />
<br />
Example using MSAL:<br />
<br />
<syntaxhighlight lang="python">app = ConfidentialClientApplication(<br />
client_id="<APP-ID-A>",<br />
client_credential="<CLIENT-SECRET>",<br />
authority="https://login.microsoftonline.com/<TENANT-A-ID>"<br />
)<br />
<br />
token = app.acquire_token_for_client(scopes=["https://vault.azure.net/.default"])<br />
<br />
</syntaxhighlight><br />
<br />
=== 🟧 5. Test Access ===<br />
<br />
Once the service principal exists in Tenant B and RBAC is assigned, the app from Tenant A can call the Key Vault in Tenant B normally.<br />
<br />
=== ✅ Summary ===<br />
<br />
| Step | Where | Action |<br />
| ---- | -------- | ----------------------------------------------------- |<br />
| 1 | Tenant A | Create the App (already done) |<br />
| 2 | Tenant B | Create a service principal for the foreign app |<br />
| 3 | Tenant B | Assign Key Vault Secrets Officer using IAM |<br />
| 4 | App code | Authenticate using Tenant A and access KV in Tenant B |<br />
| 5 | Tenant B | Test retrieval/setting of secrets |<br />
<br />
If you want, I can also provide:<br />
* a full Terraform example<br />
* ARM/Bicep template<br />
* Azure PowerShell version<br />
* How to restrict the cross-tenant service principal<br />
* How to do this with Managed Identity instead<br />
<br />
Just tell me!<br />
<br />
== References ==<br />
<references /><br />
<br />
<br />
[[Category:ChatGPT Shares]]<br />
[[Category:openai]]</div>Lukegao