asadmehmood

Reputation: 11

How to share a key from one Azure tenant (account) Key Vault under one subscription to another Azure tenant (account) Key Vault in another subscription

2 different tenants (Subscription A in tenant A and Subscription B in tenant B)

We have one subscription in Azure cloud and we have set up Azure Key Vault. We can create keys there and use one of the keys to encrypt disks of a virtual machine running in our subscription.

Our customer has their own Azure cloud subscription, and for security and compliance purposes their requirement is that they must hold control of the key being used to encrypt disks of the virtual machine in our subscription. For this, we both have Azure Key Vault with Premium tier, and I was wondering if there is any guide which points out how to use Azure Key Vault HSM from the customer's subscription to create keys in our subscription.

https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/hsm-protected-keys-byok

The above guide points out some of the vendors and how to use the BYOK tool to transfer keys from an HSM into Azure Key Vault.

We are looking for a way to use Azure Key Vault HSM from the customer's subscription to create keys in our Azure Key Vault, which we can use to encrypt disks in our subscription.

Many thanks,

Upvotes: 1

Views: 1013

Answers (2)

asadmehmood

Reputation: 11

Answering my own question, as I have received an official response from Microsoft.

It looks like this is currently not supported. Please find below the link for more details on this.

https://learn.microsoft.com/en-us/answers/questions/743730/how-to-share-a-key-from-one-azure-keyvault-under-a.html?childToView=751516#answer-751516

Upvotes: 0

Bright Ran-MSFT

Reputation: 13944

If you have the permissions to access the two subscriptions, you can create an Azure Management Group to manage the access of the subscriptions in this Management Group.

For more details, you can see the document about "Management Groups".

Upvotes: 0
