Reputation: 55
I have a web API hosted on Windows server via IIS. I'm using Azure Key Vault to hide secrets. In order to give the application access to the vault, I am using a certificate installed on the server, which is also registered with the application in Azure. The cert's thumbprint, the tenant ID, and the application ID are all exposed in the configuration file of the web API. The app registration is granted access via a policy in the key vault.
The issue is that the integration assistant in Azure is alerting me that I should not have a certificate set up inside the registration, but with no explanation as to why (the documentation is greyed out for alert).
Can this alert be safely ignored? Or is there a better way to grant my application vault access?
Edit - snip of integration assistant:
Upvotes: 2
Views: 608
Reputation: 136196
Can this alert be safely ignored?
In your particular scenario, I would say yes. You can safely ignore this message.
Essentially you need a user to access the key vault. Considering your application is running locally, you would use the Service Principal (created as part of the app registration) as a user to access the key vault.
Or is there a better way to grant my application vault access?
In your particular scenario (when your application is running locally), AFAIK no.
If your application were running in Azure, you could have used Managed Identity. It could be either System-assigned Managed Identity or User-assigned Managed Identity. With managed identity, you do not need secret- or certificate-based authentication.
I am not sure if your API is protected by Azure AD (i.e. a user must be authenticated/authorized before using the API), but if it is, then one alternative would be to grant users of your API access to Key Vault. Requests to Key Vault will then be sent in the context of that user. This, however, will increase the management complexity considerably, as you have to manage access control for all your API users.
Upvotes: 2
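As an added illustration of the two options the answer contrasts (example code, not the asker's or the answerer's), here is the certificate-based service principal path from the question next to the managed-identity path, using the Azure.Identity and Azure.Security.KeyVault.Secrets packages. The vault URL, secret name, tenant ID, client ID and thumbprint are assumed values supplied by the caller.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example. Tenant ID, client ID, thumbprint, vault URL and secret name
// are assumptions passed in by the caller (the question keeps them in config).
public static class VaultAccess
{
    // Path 1: the setup from the question. The app registration's service
    // principal authenticates with the certificate installed on the IIS host.
    // Tenant ID, client (application) ID and thumbprint are identifiers, not
    // secrets; the private key never leaves the machine's certificate store.
    public static TokenCredential CertificateCredential(string tenantId, string clientId, string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false so an expired certificate is still found and fails
        // with a clear token error instead of a misleading "not found".
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in LocalMachine\\My");
        return new ClientCertificateCredential(tenantId, clientId, matches[0]);
    }

    // Path 2: the alternative from the answer, available only when the API is
    // hosted in Azure. Nothing secret-like in the config at all. Pass the
    // client ID of a user-assigned identity, or null for system-assigned.
    public static TokenCredential ManagedIdentity(string? userAssignedClientId = null)
        => userAssignedClientId is null
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(userAssignedClientId);

    // Same Key Vault call regardless of which credential was chosen; access is
    // decided by the vault's policy for that service principal or identity.
    public static string ReadSecret(Uri vaultUri, TokenCredential credential, string secretName)
    {
        var client = new SecretClient(vaultUri, credential);
        return client.GetSecret(secretName).Value.Value;
    }
}
```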