0
votes

I have an Azure Service Fabric cluster in tenantA which needs to connect to an Azure Key Vault in tenantB to load some of the connection strings required by the applications hosted on it.

I thought of trying out the set-up below:

  1. establish the handshake between the Service Fabric cluster in tenantA and the Key Vault in tenantB by using an Azure AD application that belongs to tenantB.

  2. configure the Application ID of that tenantB Azure AD application in the Service Fabric application config in tenantA.

  3. add the Azure AD Application ID to the access policy of the Key Vault in tenantB.

With this setup, will the handshake between the Azure Service Fabric cluster and the Azure Key Vault happen?

(or)

Or do the Azure Service Fabric cluster, Azure Key Vault and Azure AD application have to be in the same tenant?


2 Answers

0
votes

As long as the Application ID used to access the Key Vault is in the same tenant as the Key Vault, the application can run from anywhere. The application (with that application ID) will acquire an access token from its own tenant and then use that to access the Key Vault. The environment executing the code can hold identities from multiple tenants when using an application ID and secret.
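The token flow this answer describes, and the three steps in the question, as an added worked example (this is not code from the question or from either answer). It is offline: the Key Vault 401 challenge, the tenant IDs and the access tokens are constructed inline. The challenge format (`Bearer authorization="https://login.microsoftonline.com/<tenant>", resource="https://vault.azure.net"`) is what Key Vault returns to an unauthenticated request and names the tenant the vault trusts; the code uses it to pick the token authority, builds the client-credentials request the tenantB application would send, and then applies the two claim checks (`tid` and `aud`) that decide whether the vault accepts the token. The placeholder tenant IDs, `app-b` and `make_unsigned_token` are assumptions for illustration only.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Constructed placeholder tenant IDs (not real tenants).
TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"   # where the Service Fabric cluster runs
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"   # where the Key Vault and the AD app live
VAULT_RESOURCE = "https://vault.azure.net"
VAULT_SCOPE = VAULT_RESOURCE + "/.default"

# Constructed 401 challenge in the Key Vault format; the authority names the vault's own tenant.
SAMPLE_CHALLENGE = (
    'Bearer authorization="https://login.microsoftonline.com/' + TENANT_B + '", '
    'resource="' + VAULT_RESOURCE + '"'
)


def parse_kv_challenge(www_authenticate):
    """Parse the WWW-Authenticate header Key Vault returns to an unauthenticated request."""
    if not www_authenticate.startswith("Bearer "):
        raise ValueError("not a Bearer challenge")
    params = dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))
    if "authorization" not in params:
        raise ValueError("challenge carries no authorization authority")
    return params


def tenant_from_authority(authority):
    """'https://login.microsoftonline.com/<tenant>' -> '<tenant>'."""
    return authority.rstrip("/").rsplit("/", 1)[-1]


def build_token_request(authority, client_id, client_secret, scope=VAULT_SCOPE):
    """URL and form body of the OAuth 2.0 client-credentials grant against the vault's tenant.

    The cluster in tenantA sends this to tenantB's authority; the environment the code runs
    in does not matter, only which tenant issues the token."""
    url = authority.rstrip("/") + "/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_token(claims):
    """Build a JWT-shaped string with an empty signature; constructed for offline illustration."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return header + "." + payload + "."


def token_claims(jwt):
    """Decode the payload only; signature verification is Key Vault's job and is not done here."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def token_usable_for_vault(jwt, vault_tenant_id):
    """The two claim checks that matter for the cross-tenant question:
    the token must be issued by the vault's tenant (tid) and be meant for Key Vault (aud)."""
    claims = token_claims(jwt)
    return (claims.get("tid") == vault_tenant_id
            and claims.get("aud", "").rstrip("/") == VAULT_RESOURCE)


# Constructed tokens: one issued by tenantB for its service principal, one issued by tenantA.
TOKEN_FROM_B = make_unsigned_token({"aud": VAULT_RESOURCE, "tid": TENANT_B, "appid": "app-b"})
TOKEN_FROM_A = make_unsigned_token({"aud": VAULT_RESOURCE, "tid": TENANT_A, "appid": "app-b"})

if __name__ == "__main__":
    challenge = parse_kv_challenge(SAMPLE_CHALLENGE)
    authority = challenge["authorization"]
    print("vault tenant from challenge:", tenant_from_authority(authority))
    url, body = build_token_request(authority, "app-b", "<client secret>")
    print("token endpoint:", url)
    print("tenantB token accepted:", token_usable_for_vault(TOKEN_FROM_B, TENANT_B))
    print("tenantA token accepted:", token_usable_for_vault(TOKEN_FROM_A, TENANT_B))
```

The practical check is the last two lines: a token minted by tenantA for the same Application ID is rejected by a vault in tenantB even though the `appid` matches, which is why the service principal you grant in the access policy has to be the one in the vault's tenant, and why where the cluster runs is irrelevant.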

0
votes

With this setup, will the handshake between the Azure Service Fabric cluster and the Azure Key Vault happen?

It will not work. When you add the tenantB AD app's Application ID to the access policy of the Key Vault in tenantB, you essentially add the service principal corresponding to that AD app to the Key Vault. A service principal is a specific instance of an AD app in one tenant; it only works in the tenant where it is located.

Even if you consent the tenantB AD app to tenantA via the admin consent URL, that just generates a new service principal (enterprise application) in tenantA, which is not the same object as the one you added to the Key Vault; an AD app has a 1:many relationship with its corresponding service principals.

Do the Azure Service Fabric cluster, Azure Key Vault and Azure AD application have to be in the same tenant?

Not exactly, but at least the Service Fabric cluster and the Key Vault need to be in the same tenant. The AD app can be in another tenant, but it should be a multi-tenant app; then you need to consent it to the tenant of the Key Vault and Service Fabric cluster as mentioned above, and add the newly generated service principal to the access policy before using it in the Service Fabric cluster. If you are not very familiar with Azure AD this will be a little complex, so I recommend using them in the same tenant.

For more details about the relationship between an AD application and its service principals, see this link.