Accessing Key Vault from a Different Azure tenant using PowerShell


You have two tenants. Tenant A and Tenant B.
Tenant A has an application and app registration.
Tenant B has a key vault.
you want the application in Tenant A to be able to use the key vault in Tenant B.

Create the Identities

Add the multi-tenanted app registration and service principal in Tenant A.

Then in Tenant B add a service principal for the multi-tenanted app registration

$TenantBServicePrincipal = New-AzureADServicePrincipal -AppId <app-id-in-tenant-a

add a key vault access policy allowing the objectId from the output of the above command to access the key vault

Sign in

Now we will use PowerShell to authenticate to azure using the service principal.

Connect-AzAccount -ServicePrincipal -Credential (Get-Credential -UserName 'application-(client)-Id') -Tenant tenant-b-where-the-key-vault-is

In the above command we set the username to be the AppId (it's the same in both tenants) and then it will ask you for the secret of the 'App Registration' in Tenant A. We will then set the 'Tenant' parameter to the ID of Tenant B.  So, we are authenticating using the App Registration in Tenant A, and setting the context of the tenant we want to access to Tenant B.

Now just use the *-AzKeyVault* cmdlets as you normally would.  They will be operating in Tenant B's context.