Is there a way to connect an Azure Active Directory application to a key vault to access a certificate rather than uploading the certificate file in the Certificate & Secrets section in the Azure portal?
4
-
What are you trying to do? Could you explain a little more? You're trying to connect to KV to get a cert? What are you gonna use this cert for? – Thomas Jan 22 '20 at 10:49
-
I created a cert in the key vault and I am importing it into App Service through the key vault. But in the AAD app registration we have to manually upload the cert file. So I wanted to know if it is possible to connect to the key vault cert in the app registration as well. We are using the key vault cert for auto-renewal of the cert. – tumblewood Jan 23 '20 at 12:14
-
So the next question is: what are you doing with this app registration? You could use managed identity rather than an app registration, if applicable? https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core2x – Thomas Jan 23 '20 at 12:26
3 Answers
2
No. A certificate credential in AAD always has the public key in the Application/Service principal object. There is no way to refer to a certificate in Key Vault.

juunas
-
I generated a certificate in key vault and I have set it to auto-renew. Is there a way that the certificate gets auto-updated in the app registration as well, so that I need not manually update the certificate in the app registration? – tumblewood Jan 22 '20 at 10:30
-
Nope. You'll have to do that yourself. Key Vault offers Event Grid integration, so you could build an Azure Function that does this. – juunas Jan 22 '20 at 10:30
0
NO: it is not possible to integrate App Registration with Key Vault natively.
Adding this response as other answers are distracting and are general "free advice".

user587585
0
Not an actual answer, but I thought I could add this to the discussion: if you are using Terraform to manage your infrastructure, you could use the azurerm_key_vault_certificate.certificate_data_base64 resource attribute to update azuread_application_certificate.value. As @user587585 said, this is just "free advice".

Rafael Guimaraes Siqueira
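As an added illustration of the Terraform approach in the answer above (example configuration, not code from any of the answers): a Key Vault certificate with auto-renewal whose public part is fed into an app registration credential via certificate_data_base64. It assumes configured azurerm and azuread providers, an existing azurerm_key_vault.kv that Terraform may create certificates in, and a current 2.x azuread provider that accepts application_id (older versions use application_object_id); all resource names are illustrative.

```hcl
# Added example: Key Vault certificate -> app registration credential.
# Assumes azurerm_key_vault.kv already exists with a certificate policy for Terraform.

resource "azurerm_key_vault_certificate" "app" {
  name         = "app-cred-cert"
  key_vault_id = azurerm_key_vault.kv.id

  certificate_policy {
    issuer_parameters { name = "Self" }

    key_properties {
      exportable = true    # App Service import needs the private key
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false   # fresh key pair on every renewal
    }

    # Key Vault performs the renewal; Terraform only reads the resulting version.
    lifetime_action {
      action { action_type = "AutoRenew" }
      trigger { days_before_expiry = 30 }
    }

    secret_properties { content_type = "application/x-pkcs12" }

    x509_certificate_properties {
      subject            = "CN=app-cred-cert"
      validity_in_months = 12
      key_usage          = ["digitalSignature", "keyEncipherment"]
    }
  }
}

resource "azuread_application" "app" {
  display_name = "kv-backed-app"
}

# Only the public certificate (base64-encoded DER) leaves Key Vault; the
# private key never enters Terraform state. A changed value forces the
# credential to be replaced on the app registration.
resource "azuread_application_certificate" "app" {
  application_id = azuread_application.app.id
  type           = "AsymmetricX509Cert"
  encoding       = "base64"
  value          = azurerm_key_vault_certificate.app.certificate_data_base64
}
```

Terraform only notices a renewed certificate version on the next apply, so a scheduled apply (or one triggered by the Key Vault Event Grid event the accepted answer mentions) is still required. Replacing the credential drops the old public key from the app registration, so coordinate the apply with the workload that uses the certificate to authenticate, or it will fail until it picks up the new version.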