Strategy One

Configure Cross-tenant Azure Key Vault Connections with Managed Identity Mode

The following functionality is only available for Managed Cloud Enterprise (MCE) environments.

Starting in Strategy One (May 2026), you can configure cross-tenant Azure Key Vault connections using a managed identity mode for a more secure workflow.

Prerequisites

  • The Strategy MCE tenant and remote tenant must be in the same region.

  • Strategy requires the remote Azure tenant ID for each Azure Key Vault connection with managed identity mode.

  • Strategy requires the Strategy cross-tenant application to be granted the Key Vault Secrets User role in a remote Azure tenant.

  • A secret that includes the username and password for your database must use the following JSON format: {"username": "my-username", "password": "my-password"}

Grant Permission to Strategy Cross-tenant Application with Managed Identity

  1. Contact the Strategy Support team for the Strategy Tenant ID and Strategy Cross-tenant Application ID (Client ID) used in your MCE environment. For example:

    Copy 
    Strategy Tenant ID: 901c038b-4638-4259-b115-c1753c7735aa
    Cross-tenant Application ID (Client ID): 66a3f541-3146-4db7-9271-64968dd58e60

  2. In your tenant, create a service principal for the Strategy cross-tenant application. In Azure Cloud Shell, enter the following, replacing the IDs with your own ID values:

    Copy 
    # Log into Owned Tenant
    az login --tenant <owned-tenant-id>

    # Create service principal using Strategy's app ID
    az ad sp create --id <strategy-app-client-id>

    # Get the service principal's object ID in Owned Tenant
    az ad sp show --id <strategy-app-client-id> --query id -o tsv

  3. Open your Azure tenant and click Access control (IAM) in the left navigation.

  4. Click Add and Add role assignment.

  5. Select the Key Vault Secrets User role.

  6. Click the Members tab and click Select members.

  7. Add the service principal you created above.

  8. Click Save.

  9. Click the Review + assign tab and click Review + assign.

Create an Azure Key Vault Connection with Managed Identity Mode

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click the Vault Connections tab.
  4. Click Add New Vault Connection.
  5. Enter values in the following fields:
    • Name: Type a name for your connection.
    • Type: Choose Azure Key Vault.
    • URL: Type your Azure environment URL.
    • Authentication Mode: Choose Managed Identity.

    • Tenant ID: Enter your Azure Directory (tenant) ID.

      For more information on your tenant Azure ID, see Get subscription and tenant IDs in the Azure portal.

    • Client ID: Type your Strategy cross-tenant application client ID.

  6. Click Save.

Validate the Vault Connection with Managed Identity Mode

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click the Database Logins tab.
  4. Click Add New Database Login.
  5. Toggle on Use Vault.
  6. Type a database login Name.
  7. Optionally type a Description.
  8. Expand the Type drop-down list and choose Azure Key Vault.
  9. Expand the Vault Connection drop-down list and choose your newly created vault connection.
  10. In Secret Name, type the secret name that was granted cross-tenant access.
  11. Click Save.