Support multi-tenant authentication in Key Vault (Azure#24558)

* Support multi-tenant authentication in Key Vault

Resolves Azure#18359

* Resolve PR feedback

* Update to Azure.Identity 1.5.0

Author: heaths

eng/Packages.Data.props

@@ -85,7 +85,7 @@
     <PackageReference Update="Azure.Messaging.EventGrid" Version="4.7.0" />
     <PackageReference Update="Azure.Messaging.ServiceBus" Version="7.4.0" />
     <PackageReference Update="Azure.Messaging.WebPubSub" Version="1.0.0-beta.2" />
-    <PackageReference Update="Azure.Identity" Version="1.4.0" />
+    <PackageReference Update="Azure.Identity" Version="1.5.0" />
     <PackageReference Update="Azure.Security.KeyVault.Secrets" Version="4.2.0" />
     <PackageReference Update="Azure.Security.KeyVault.Keys" Version="4.2.0" />
     <PackageReference Update="Azure.Security.KeyVault.Certificates" Version="4.2.0" />

sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Support multi-tenant authentication against Managed HSM when using Azure.Identity 1.5.0 or newer. ([#18359](https://github.com/Azure/azure-sdk-for-net/issues/18359))
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md

@@ -5,6 +5,7 @@
 ### Features Added
 
 - Added `KeyVaultCertificateIdentifier.TryCreate` to parse certificate URIs without throwing an exception when invalid. ([#23146](https://github.com/Azure/azure-sdk-for-net/issues/23146))
+- Support multi-tenant authentication against Key Vault and Managed HSM when using Azure.Identity 1.5.0 or newer. ([#18359](https://github.com/Azure/azure-sdk-for-net/issues/18359))
 
 ### Breaking Changes
 

sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md

@@ -8,6 +8,7 @@
 - Added `KeyClient.GetCryptographyClient` to get a `CryptographyClient` that uses the same options, policies, and pipeline as the `KeyClient` that created it. ([#23786](https://github.com/Azure/azure-sdk-for-net/issues/23786))
 - Added `KeyRotationPolicy` class and new methods including `KeyClient.GetKeyRotationPolicy`, `KeyClient.RotateKey`, and `KeyClient.UpdateKeyRotationPolicy`.
 - Added `KeyVaultKeyIdentifier.TryCreate` to parse key URIs without throwing an exception when invalid. ([#23146](https://github.com/Azure/azure-sdk-for-net/issues/23146))
+- Support multi-tenant authentication against Key Vault and Managed HSM when using Azure.Identity 1.5.0 or newer. ([#18359](https://github.com/Azure/azure-sdk-for-net/issues/18359))
 
 ### Breaking Changes
 

sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md

@@ -5,6 +5,7 @@
 ### Features Added
 
 - Added `KeyVaultSecretIdentifier.TryCreate` to parse secret URIs without throwing an exception when invalid. ([#23146](https://github.com/Azure/azure-sdk-for-net/issues/23146))
+- Support multi-tenant authentication against Key Vault and Managed HSM when using Azure.Identity 1.5.0 or newer. ([#18359](https://github.com/Azure/azure-sdk-for-net/issues/18359))
 
 ### Breaking Changes
 

sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Azure.Security.KeyVault.Secrets.csproj

@@ -25,7 +25,7 @@
     <PackageReference Include="System.Text.Json" />
     <PackageReference Include="System.Threading.Tasks.Extensions" />
   </ItemGroup>
-
+  
   <ItemGroup>
     <Compile Include="$(AzureCoreSharedSources)AppContextSwitchHelper.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)AzureResourceProviderNamespaceAttribute.cs" LinkBase="Shared" />

sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/Azure.Security.KeyVault.Secrets.Tests.csproj

@@ -18,4 +18,5 @@
     <ProjectReference Include="$(AzureCoreTestFramework)" />
     <ProjectReference Include="..\src\Azure.Security.KeyVault.Secrets.csproj" />
   </ItemGroup>
+
 </Project>

sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/SecretClientLiveTests.cs

@@ -4,10 +4,11 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text;
 using System.Threading.Tasks;
 using NUnit.Framework;
+using Azure.Core;
 using Azure.Core.TestFramework;
-using System.Text;
 using NUnit.Framework.Constraints;
 
 namespace Azure.Security.KeyVault.Secrets.Tests
@@ -460,5 +461,19 @@ public async Task GetDeletedSecrets()
                 AssertSecretPropertiesEqual(deletedSecret.Properties, returnedSecret.Properties, compareId: false);
             }
         }
+
+        [Test]
+        public async Task AuthenticateCrossTenant()
+        {
+            TokenCredential credential = GetCredential(Recording.Random.NewGuid().ToString());
+            SecretClient client = GetClient(credential);
+
+            string secretName = Recording.GenerateId();
+
+            Response<KeyVaultSecret> response = await client.SetSecretAsync(secretName, "secret");
+            RegisterForCleanup(secretName);
+
+            Assert.AreEqual(200, response.GetRawResponse().Status);
+        }
     }
 }

sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/SecretsTestBase.cs

@@ -5,7 +5,9 @@
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Threading.Tasks;
+using Azure.Core;
 using Azure.Core.TestFramework;
+using Azure.Identity;
 using Azure.Security.KeyVault.Tests;
 using NUnit.Framework;
 
@@ -41,12 +43,12 @@ protected SecretsTestBase(bool isAsync, SecretClientOptions.ServiceVersion servi
             _serviceVersion = serviceVersion;
         }
 
-        internal SecretClient GetClient()
+        internal SecretClient GetClient(TokenCredential credential = default)
         {
             return InstrumentClient
                 (new SecretClient(
                     new Uri(TestEnvironment.KeyVaultUrl),
-                    TestEnvironment.Credential,
+                    credential ?? TestEnvironment.Credential,
                     InstrumentClientOptions(
                         new SecretClientOptions(_serviceVersion)
                         {
@@ -256,5 +258,23 @@ protected Task WaitForSecret(string name)
                 return TestRetryHelper.RetryAsync(async () => await Client.GetSecretAsync(name).ConfigureAwait(false), delay: PollingInterval);
             }
         }
+
+        protected TokenCredential GetCredential(string tenantId)
+        {
+            if (Mode == RecordedTestMode.Playback)
+            {
+                return new MockCredential();
+            }
+
+            return new ClientSecretCredential(
+                tenantId ?? TestEnvironment.TenantId,
+                TestEnvironment.ClientId,
+                TestEnvironment.ClientSecret,
+                new ClientSecretCredentialOptions()
+                {
+                    AuthorityHost = new Uri(TestEnvironment.AuthorityHostUrl),
+                }
+            );
+        }
     }
 }