includes/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault.md (4 additions & 4 deletions)
@@ -1,7 +1,7 @@
1
1
---
2
2
author: karavar
3
3
ms.author: vakarand
4
-
ms.date: 08/23/2022
4
+
ms.date: 09/01/2022
5
5
ms.service: active-directory
6
6
ms.subservice: managed-identity
7
7
ms.topic: include
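Review bot: this hunk is a metadata-only change (ms.date 08/23/2022 to 09/01/2022), which is appropriate since the substantive edits sit in the later hunks; the same date is set on the overview include in this commit, so the two include files stay in sync.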
@@ -35,7 +35,7 @@ To create a new registration:
35
35
1. Select **Register**.
36
36
1. Note the **ApplicationId/ClientId** of the application.
37
37
38
-
:::image type="content" source="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/register-application.png" alt-text="Screen shot showing how to create a new multi-tenant application registration." lightbox="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/register-application.png" border="true":::
38
+
:::image type="content" source="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/register-application.png" alt-text="Screen shot showing how to create a new multi-tenant application registration." lightbox="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/register-application.png" border="true":::
39
39
40
40
#### The service provider creates a user-assigned managed identity
41
41
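Review bot: the removed and added `:::image ... register-application.png ... :::` lines are textually identical as rendered, so this is a whitespace-only edit (most likely indentation); that is fine, but confirm the resulting indentation relative to the preceding `1. Note the **ApplicationId/ClientId** ...` step is intended, because in this markdown flavour it decides whether the image renders inside the numbered step or breaks the list.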
@@ -49,7 +49,7 @@ Create a user-assigned managed identity to be used as a federated identity crede
:::image type="content" source="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/create-user-assigned-managed-identity.png" alt-text="Screen shot showing how to create a resource group and a user-assigned managed identity." lightbox="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/create-user-assigned-managed-identity.png" border="true":::
52
+
:::image type="content" source="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/create-user-assigned-managed-identity.png" alt-text="Screen shot showing how to create a resource group and a user-assigned managed identity." lightbox="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/create-user-assigned-managed-identity.png" border="true":::
53
53
54
54
#### The service provider configures the user-assigned managed identity as a federated credential on the application
55
55
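Review bot: as with the register-application image, the before and after lines for create-user-assigned-managed-identity.png are identical as rendered, so this hunk is whitespace-only; consider mentioning the indentation fix in the commit message so reviewers do not look for a content change in these three image-directive hunks.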
@@ -232,7 +232,7 @@ To create the key vault, the user's account must be assigned the **Key Vault Con
232
232
1. On the **Access policy** tab, select **Azure role-based access control** for **Permission model**.
233
233
1. Select **Review + create** and then **Create**.
234
234
235
-
:::image type="content" source="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/create-key-vault.png" alt-text="Screen shot showing how to create a key vault." lightbox="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/create-key-vault.png" border="true":::
235
+
:::image type="content" source="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/create-key-vault.png" alt-text="Screen shot showing how to create a key vault." lightbox="media/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault/create-key-vault.png" border="true":::
236
236
237
237
Take note of the **Vault name** and **Vault URI**. Applications that access your key vault must use this URI.
includes/active-directory-msi-cross-tenant-cmk-overview.md (4 additions & 4 deletions)
@@ -1,7 +1,7 @@
1
1
---
2
2
author: karavar
3
3
ms.author: vakarand
4
-
ms.date: 08/11/2022
4
+
ms.date: 09/01/2022
5
5
ms.service: active-directory
6
6
ms.subservice: managed-identity
7
7
ms.topic: include
@@ -18,7 +18,7 @@ Azure platform services and resources that are owned by the service provider and
18
18
19
19
For the purposes of this how-to article, assume there are two Azure AD tenants: an independent service provider's tenant (*Tenant1*), and a customer's tenant (*Tenant2*). *Tenant1* hosts Azure platform services and *Tenant2* hosts the customer's key vault.
20
20
21
-
The service provider first creates a multi-tenant application registration in *Tenant1*. The service provider configures a [federated identity credential](/azure/active-directory/develop/workload-identity-federation-create-trust-managed-identity-as-credential) on this application using a user-assigned managed identity. The service provider then shares the name and application ID of the app with the customer.
21
+
The service provider first creates a multi-tenant application registration in *Tenant1*. The service provider configures a [federated identity credential](../articles/active-directory/develop/workload-identity-federation-create-trust.md) on this application using a user-assigned managed identity. The service provider then shares the name and application ID of the app with the customer.
22
22
23
23
A user with the appropriate permissions installs the service provider's application in the customer tenant, *Tenant2*. A user then grants the service principal associated with the installed application access to the customer's key vault. The customer also stores the encryption key, or customer-managed key, in the key vault. The customer shares the key location (the URL of the key) with the service provider.
24
24
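Review bot: the link target changes here, not just its form: the old href pointed at `workload-identity-federation-create-trust-managed-identity-as-credential`, the new one at `../articles/active-directory/develop/workload-identity-federation-create-trust.md`. The sentence still says the credential is configured "using a user-assigned managed identity", so please confirm the generic create-trust article covers the managed-identity-as-credential flow; if it does not, link to the managed-identity-specific article by its relative path instead. The switch from a site-absolute `/azure/...` path to a repo-relative `../articles/...` path is correct for an include that is built with the rest of the repo.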
@@ -68,6 +68,6 @@ Operations in Phase 1 would be a one-time setup for most service provider applic
68
68
- Access to Azure Key Vault can be authorized using Azure RBAC or access policies. When granting access to a key vault, make sure to use the active mechanism for your key vault.
69
69
- An Azure AD application registration has an application ID (client ID). When the application is installed in your tenant, a service principal is created. The service principal shares the same application ID as the app registration, but generates its own object ID. When you authorize the application to have access to resources, you may need to use the service principal `Name` or `ObjectID` property.
70
70
71
-
### Phase 3
71
+
### Phase 3 - The service provider encrypts data in an Azure resource using the customer-managed key
72
72
73
-
After phase 1 and 2 are complete, the service provider can configure encryption on the Azure resource to work across tenants. You can do this using an ARM template or REST API.
73
+
After phase 1 and 2 are complete, the service provider can configure encryption on the Azure resource with the key and key vault in the customer's tenant and the Azure resource in the ISV's tenant. The service provider can configure cross-tenant customer-managed keys with the Azure portal, PowerShell, or Azure CLI, with an ARM template, or with the REST API.
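Review bot: two wording points on the new Phase 3 paragraph. "After phase 1 and 2 are complete" should read "After phases 1 and 2 are complete". More importantly, the new text says "the Azure resource in the ISV's tenant", while the rest of this include calls it "the service provider's tenant (*Tenant1*)"; use one term so the reader can map it back to the Tenant1/Tenant2 setup introduced earlier. The paragraph also widens the claim from "an ARM template or REST API" to the portal, PowerShell and Azure CLI as well; since this is an include shared across resource types, check that every consuming article's resource actually supports configuring cross-tenant customer-managed keys through all of those tools before merging.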