Forum Discussion
Can I create an Azure Key Vault from a Teams app in the customer’s tenant?
Hi everyone,
I’m building a Teams app and want to support this flow:
- A customer admin opens the app and sees a setup dialog.
- They enter subscription/resource group details.
- The app then creates a new Azure Key Vault in the customer’s tenant.
My questions:
- Is it feasible for a Teams app to create a Key Vault in the customer’s tenant?
- What is the recommended way to request the necessary permissions? (e.g., Azure AD OAuth2 consent for ARM API access?)
- Or is best practice for the customer to create the Key Vault themselves and just grant my app access?
Thanks!
1 Reply
Nivedipa-MSFTMicrosoft
@muradqr5h - Thanks for bringing this issue to our attention.
- No, installing a Teams app does not silently create an Azure Key Vault within a customer’s subscription. Creating a Key Vault is an Azure Resource Manager (ARM) operation that requires subscription-level permissions, which are not granted by simply installing a Teams app or providing Azure Active Directory (AAD) app consent.
- The recommended approach is for the customer administrator to carry out a guided and auditable provisioning step—such as using ARM/Bicep templates, the “Deploy to Azure” option, or Azure CLI/PowerShell—to create the Key Vault and assign your app’s service principal the minimum required RBAC role. For large-scale, automated deployments, consider Azure Managed Applications or Azure Lighthouse, both of which require explicit customer onboarding.
Why Direct Creation Isn’t Possible
- ARM operations, such as creating resources or assigning roles, require the caller to have the appropriate RBAC permissions at the subscription or resource group level (such as Owner, Contributor, or User Access Administrator). Giving AAD admin consent only creates a service principal in the tenant and does not grant ARM rights on subscriptions.
Recommended Implementation Patterns
- Guided One-Click Provisioning (Best User Experience and Auditability)
- Provide an ARM/Bicep template or an Azure Portal “Deploy to Azure” button for your customer admin to run.
- The template will create the Key Vault and assign your app/service principal the necessary Key Vault role (for example, Key Vault Secrets User).
- This approach ensures least-privilege access, is auditable and predictable, and minimizes support overhead.
- Reference documentation:
- Customer Runs a Script (Simple Approach)
- Provide a small Azure CLI or PowerShell script that:
- Creates the resource group and Key Vault
- Assigns your app/service principal the Key Vault RBAC role
- Example (Azure CLI):
- az group create -n MyRg -l eastus
- az keyvault create --name myCustomerVault --resource-group MyRg --location eastus --sku standard
- az role assignment create --assignee <APP_CLIENT_ID_OR_OBJECT_ID> --role "Key Vault Secrets User" --scope /subscriptions/<subId>/resourceGroups/MyRg/providers/Microsoft.KeyVault/vaults/myCustomerVault
- Documentation: role assignment and Key Vault RBAC: https://learn.microsoft.com/azure/key-vault/general/rbac-guide
- Automated Provisioning at Scale (For MSPs/ISVs)
- Leverage Azure Managed Applications or Azure Lighthouse:
- Managed Applications (available via the marketplace) can provision resources into customer subscriptions during deployment.
- Azure Lighthouse enables delegated resource management; after explicit onboarding, your tenant can provision resources programmatically in the customer’s subscription.
- This method allows for full automation post-onboarding, but comes with increased operational complexity and partner requirements.
- Further reading:
- Azure Managed Applications: Overview of Azure Managed Applications - Azure Managed Applications | Microsoft Learn
- Azure Lighthouse:What is Azure Lighthouse? - Azure Lighthouse | Microsoft Learn
Permissions and Consent Details
- To deploy a Key Vault, the caller must have Contributor or Owner rights on the subscription or resource group.
- Assigning your app a role requires Owner or User Access Administrator permissions.
- For your app to later access secrets, it must be granted the Key Vault RBAC role (such as Key Vault Secrets User) or be added to an access policy if using that model.
- AAD admin consent (app registration permissions) is a separate process and does not provide ARM or subscription rights.
Security and Operational Guidance
- Always use the least-privilege role required (prefer Key Vault Secrets User over Key Vault Contributor).
- Enable Key Vault security features such as soft-delete and purge protection, and set appropriate access policies.
- Ensure all provisioning and role assignment steps are audited and logged.
- Include a validation step in your Teams app UI to check the Key Vault URL and permissions (for example, by attempting to read a test secret), and clearly display remediation steps if needed.
Please let us know if you have any further query here.